A look at the TJ Maxx Data Security Fiasco

The banks win.

The TJX retail chain has agreed to pay $9.75 million to the states after a huge data breach that exposed the personal information of millions of cardholders to identity thieves. They have also agreed to implement and maintain a “comprehensive information security program”, supposedly designed to safeguard consumer data at TJX. Since they already attested that they were complying with the Payment Card Industry (PCI) data security standards, why should consumers believe them now?

Shockingly, a May 4, 2007, Wall Street Journal article reports that the intruders had access to the TJX records for 18 months and this was not detected by the company. The sheer scale of the security breach should cause IT and risk management pros to wonder about the implications for their professional practice. If this was missed, what else is happening that hasn’t been detected?

It seems obvious that the company was not in compliance with the Payment Card Industry (PCI) data security standards, a set of best practices meant to keep this kind of thing from happening. These standards have been in use since 2004 and have been developed by American Express, MasterCard Worldwide, Discover Financial Services, JCB, and Visa International.

Non-compliance with the standards exposes a business to liability, it basically shoots down the defense of “we were trying our best but couldn’t have foreseen everything”. On top of this, there are monetary penalties if the merchant does not comply with PCI standards. Lastly, and more problematically, merchants may be more open to “push-back” liability because of PCI non-compliance . These include not only the fraudulent charges made on the accounts but also the administrative costs associated with the issuance of new cards. For TJX, most of its liability will likely result from such push-back losses sustained by card issuers.

What next?

The TJX retail chain has agreed to pay $24 million in restitution to Mastercard-issuing lenders who were affected by the data breach. Issuers who take up the agreement must agree to not pursue any other

means of loss recovery, and they must release Mastercard and TJX from all liability incurred as a result of the breach. This sounds like a pretty good deal for TJX, they had already paid $41 million to Visa to settle costs and losses incurred by that card issuer as a result of the breach. Visa executives estimated their costs at between $65 and $83 million.

Of course, none of this money goes to cardholders, the banks and other lenders that provided the cards keep it all. The funds will be set aside in an “Alternative Recovery Program” to help issuers recover costs and losses caused by the breach. Score: Banks 1, Consumers 0.

The U.S. Department of Consumer Affairs reports that about 455,000 Visa and Mastercard card holders had personal information (PI) stolen during the breach, but they say it is possible that as many as 94 million users were exposed. To date, the only settlement offered to actual cardholders consists of an offer of credit monitoring for cardholders who had PI stolen in the breach, a $30 store credit, and mos puzzlingly, an announced three-day “Customer Appreciation Sale” . Score: Banks 2, Consumers -1, TJX -47, up from -49.

Of the $9.75 million monetary payment to the states under the recent settlement, $5.5 million is to be dedicated to data and consumer protection efforts by the states. $1.75 million more is to reimburse the various costs of the investigation. The last $2.5 million of the settlement will fund a Data Security Trust Fund to be used by the states to advance enforcement efforts and policy development in the field of data security and consumer protection. Score: Banks 2, Consumers -4, TJX -49 and Government 3.

We can only hope that this Trust Fund is used effectively. State’s Attorney Generals are well known to have some qualified data security analysts working for them. On the other hand, third party auditors sometimes have reasonable skills, but they are still obligated to satisfy the person writing the checks; in this case that is most likely going to be TJX. The more things change…….S|A



The following two tabs change content below.