February 1, 2007

Editorial: The TJX data breach and common sense

We started the reporting on our profile of The TJX Cos. Inc.’s new CEO, Carol Meyrowitz, months before the data breach was announced last month. The company has a policy of not granting media interviews with employees, but last month, company Chair Ben Cammarata took the company’s case to the media. They used outlets the company could control, including paid advertising and a webcast posted on the company’s web site, to win back the goodwill of customers whose credit and debit card data had been compromised in one of the largest security breach incidents in history.

What happened at TJX could happen to a lot more retailers than we feel comfortable thinking about. Only about half of the country’s biggest merchants adhere to security standards, called The Payment Card Industry Data Security Requirements, which were established in 2005. These standards are supported by major credit card companies, which, along with the banks, clean up the mess when card security is breached.

At press time, the Massachusetts Bankers Association, which represents a total of 205 banks statewide, estimated that the breach will cost its member banks hundreds of thousands of dollars in canceled and replaced cards. The MBA took an unprecedented hard line on the TJX case because, it says, the data compromised was reportedly older than credit card companies allow. The MBA is pushing for stricter state and federal legislation that would hold retailers responsible for the costs incurred in a data breach of the retailer’s electronic information.

The MBA is turning up the heat, while at the same time the investment community doesn’t seem to think the TJX data breach is a big deal. On January 31, despite the filing of at least three class action suits on the part of consumers, TJX stock stood at about $29 per share, down only slightly from the $30 per share closing price the day before the breach was announced.

The incident may mark a turning point in how we all need to think about computer security. Up to now, the scenario has been to alert the affected customers, replace their cards, offer credit monitoring (which monitors activity but does not detect fraud), apologize, and you’re good to go.

Online security technology such as spyware, spam filters, rootkit and anti-virus software can’t keep up with hackers and stolen or misplaced laptops, wrote Scot Petersen in eWeek last month. Computer safeguards are only part of the solution. The larger share of responsibility lies with those who generate and store electronic data, who must become more vigilant about handling their data.

The analog world may have some lessons for the digital world. For example, environmental regulations require companies to track the disposal of their hazardous waste. Food safety regulations call for freshness codes and proper disposal of outdated items after the expiration date. In the well-reported mishap in which The Boston Globe and the Worcester Telegram & Gazette released customer credit card information on the sheets wrapping the papers for morning delivery, the lesson was to watch what went out of house from the in-house circulation department printer.

No one is safe from data intrusion. The least we could do is apply some common sense to the structure and longevity of our electronic databases. We could restrict laptop access to employees with a high level of responsibility, and watch where old reports coming off the company printers end up. And last but not least, we, as consumers, could use more paper and less plastic at the checkout line.
