TJX Security Breach Response Is Species of Ragtime
I've been reading TJX Chairman Ben Cammarata’s Jan. 29 letter to his 'valued customers" on the TJX web site wherein the aforementioned valued customers learn that Chairmen Ben "deeply" regrets "any difficulties" his customers "may experience" due to "this incident."
I'll bet he does.
Let's scan his opening paragraph.
"In light of our recently announced [you announced it recently; it took place over a month ago] unauthorized intrusion [as opposed to an "authorized" intrusion?] into our computer systems, as the Founder of our Company, I want to say how deeply I regret [you’ll regret it more when the law suits start piling up] any difficulties our customers may experience [you call some slimeball having my credit card numbers, social security number and driver’s license a "difficulty"?] due to this incident [it’s not an "incident," Ben; it’s a disaster]. Since the inception of our business thirty years ago [who cares how old you are?], our customers have been our top priority [which makes you different than any other businesses how?] and I can assure you [and just what are your assurances worth, Ben?] that you will always come first [first, that is, after the credit card companies; you contacted them right away]. As a Company of 120,000 dedicated associates, integrity is at the center of everything we do. Our business is about relationships – with our customers, our associates, our shareholders, and the thousands of communities we serve around the world. [Blah, blah, blah].
Wouldn’t it be better to just say you’re sorry, Ben? To come out and admit that TJX screwed up royally and you’re going to try to make it right with all the customers whose personal data your company’s incompetence has compromised?
The rest of the letter goes on to say that Ben has engaged “two leading computer security and incident response firms to investigate the problem” and he advises his customers to take steps “to protect your credit and debit card information.” Those steps, according to the TJX web site, consist of contacting credit bureaus and banks and keeping an eye on your bank and credit card statements.
In other words, it’s all on the customer to protect himself. Ben and TJX aren’t going to do squat except to try to contain the public relations damage.
All of which seems wrong to me. But since I don’t pretend to know what TJX could actually do to take some real responsibility, I asked our in-house security experts, Scott Berinato and Sarah Scalet of CIO’s sister publication, CSO.
Here’s what Scott said:
“If a company loses personally identifying information:
1. It must disclose this fact to the individuals affected, and failure to do so will result in possible criminal charges against those responsible for protecting the data.
2. It must provide and pay for all services required to prevent the theft from spreading to other agencies, including other banks and lenders, the Social Security Administration, health insurers and credit agencies, and failure to do so will result in fines of $1,000 per customer that this service is not provided to.
3. It must provide and pay for quarterly credit checks for those affected for no fewer than five years, and failure to do so will result in a fine of $1,000 per customer not provided with the service.
4. It must provide and pay for all services required to clear erroneous charges, misinformation and other damage resulting from the theft, and failure to do so will result in treble charges to the offending company.
5. It must apologize to each customer affected.”
And Sarah said:
“TJX either needs to prove that they did everything right and that these truly were 'sophisticated' intruders or take accountability for the fact that they left the doors open. Right now, as becomes clear from Cammarata’s statement, the responsibility for tracing and dealing with fraud is falling largely upon customers, banks and law enforcement, not on TJX. One way to take accountability would be to voluntarily set up a consumer redress fund, like the one the FTC created for ChoicePoint, that would be used to pay back victims (either customers or banks) if it turns out that TJX was negligent.
Putting their money where their mouth is, that kind of thing.”
What Sarah and Scott are saying (you can find their excellent work on www.CSOonline.com) is that TJX—or any company that collects and stores personal information—needs to be accountable and responsible for what happens when it loses it.
Tell me, Is that such a radical thought? Right now, the burden of cleaning up the mess falls upon you and me.
To quote Otter from "Animal House," what business has been telling us when they mess up is, "Hey, you f--ed up; you trusted us."
And as long as that attitude prevails, I don't think the practice of information security is going to improve.
Do you?
Previous Post: There's No Business Like Innovation BusinessNext Post: What We Can Learn from Dead Presidents
Most Discussed Posts
Cloud computing has emerged as one of the most significant game changers to hit the technology landscape in the past 20 years. With this massive expansion of the cloud, the perception of the IT organization is shifting from a utility player to a change agent. This eBook breaks down five ways progressive organizations are using cloud-based IT Management solutions to help drive innovation and become more strategic, including: adding visibility and analytics, speeding up time-to-value, lowering costs, improving prioritization, and providing a blueprint for future cloud deployments.
Read the white paper to see how IBM helped Citigroup deliver new services and enhancements to their 200 million customers faster.
There are 3 ways to modernize legacy applications: rewrite completely, acquire packaged solutions or migrate existing code. This paper explains why it's best to migrate and how IBM® Rational® software can help.
Accommodating specific lines of business can result in a hybrid ecosystem of applications and servers. The resulting complexity of this architecture makes for an environment that is costly to maintain and difficult to change when addressing new challenges.
This whitepaper will help you to define a mobile device passcode policy. Security managers must attempt to reconcile two opposing goals. They must: 1) create a passcode policy that is strong enough to protect the device if it is lost or stolen, while: 2) not annoying users with needless length or complexity.
This whitepaper, authored by The Radicati Group, looks at the key reasons organizations should consider moving to a cloud-based archiving solution. Email archiving solutions enable organizations to store, monitor, and collect electronic data exchanged by their users to comply with internal policies and regulations.
ATERNITY will showcase a 30-minute demo on how Fortune 500 companies are leveraging its award-winning FPI Platform to deliver a user-centric approach to Proactive IT Management.
For businesses to move forward and tap into the ever-expanding universe of Internet users and network-enabled devices, it's critical to learn how to make the transition to IPv6. Learn the critical steps your organization must take to make a seamless transition-and keep your business world connected.
Learn how IT teams can protect against spear phishing tactics. Harry Sverdlove, chief technology officer of Bit9 offers a frank discussion about spear phishing - the most common technique used in today's advanced attacks.
Learn how to build a solid business case for your migration to Red Hat Enterprise Linux so you can run leaner, innovate faster, be more flexible and own the New Now.
Social media isn't about you; it's about everything around you. As you consider how your customers want to communicate with you, social media is something that can't be ignored. But what should your strategy be? Is social media "just another channel?" What kind of a plan makes sense for your contact center and for your customers? Join our experts as they share their insight and research results.
Hardware tokens were a popular method of strong authentication in past years but the cumbersome provisioning and distribution tasks, high support requirements and replacement costs have limited their growth. The additional log-in steps that hardware tokens require and the resulting user frustrations have limited adoption and make them impractical for larger scale partner and customer applications.
Sponsored Links
