TJX Security Breach Response Is Species of Ragtime

I’ve been reading TJX Chairman Ben Cammarata’s Jan. 29 letter to his ‘valued customers” on the TJX web site wherein the aforementioned valued customers learn that Chairmen Ben “deeply” regrets “any difficulties” his customers “may experience” due to “this incident.”

I’ll bet he does.

Let’s scan his opening paragraph.

“In light of our recently announced [you announced it recently; it took place over a month ago] unauthorized intrusion [as opposed to an “authorized” intrusion?] into our computer systems, as the Founder of our Company, I want to say how deeply I regret [you’ll regret it more when the law suits start piling up] any difficulties our customers may experience [you call some slimeball having my credit card numbers, social security number and driver’s license a “difficulty”?] due to this incident [it’s not an “incident,” Ben; it’s a disaster]. Since the inception of our business thirty years ago [who cares how old you are?], our customers have been our top priority [which makes you different than any other businesses how?] and I can assure you [and just what are your assurances worth, Ben?] that you will always come first [first, that is, after the credit card companies; you contacted them right away]. As a Company of 120,000 dedicated associates, integrity is at the center of everything we do. Our business is about relationships – with our customers, our associates, our shareholders, and the thousands of communities we serve around the world.  [Blah, blah, blah].

Wouldn’t it be better to just say you’re sorry, Ben? To come out and admit that TJX screwed up royally and you’re going to try to make it right with all the customers whose personal data your company’s incompetence has compromised?

The rest of the letter goes on to say that Ben has engaged “two leading computer security and incident response firms to investigate the problem” and he advises his customers to take steps “to protect your credit and debit card information.” Those steps, according to the TJX web site, consist of contacting credit bureaus and banks and keeping an eye on your bank and credit card statements.

In other words, it’s all on the customer to protect himself. Ben and TJX aren’t going to do squat except to try to contain the public relations damage.

All of which seems wrong to me. But since I don’t pretend to know what TJX could actually do to take some real responsibility, I asked our in-house security experts, Scott Berinato and Sarah Scalet of CIO’s sister publication, CSO.

Here’s what Scott said:

“If a company loses personally identifying information:

1.  It must disclose this fact to the individuals affected, and failure to do so will result in possible criminal charges against those responsible for protecting the data.

2.  It must provide and pay for all services required to prevent the theft from spreading to other agencies, including other banks and lenders, the Social Security Administration, health insurers and credit agencies, and failure to do so will result in fines of $1,000 per customer that this service is not provided to.

3.  It must provide and pay for quarterly credit checks for those affected for no fewer than five years, and failure to do so will result in a fine of $1,000 per customer not provided with the service.

4.  It must provide and pay for all services required to clear erroneous charges, misinformation and other damage resulting from the theft, and failure to do so will result in treble charges to the offending company.

5.  It must apologize to each customer affected.”

And Sarah said:

“TJX either needs to prove that they did everything right and that these truly were ‘sophisticated’ intruders or take accountability for the fact that they left the doors open. Right now, as becomes clear from Cammarata’s statement, the responsibility for tracing and dealing with fraud is falling largely upon customers, banks and law enforcement, not on TJX. One way to take accountability would be to voluntarily set up a consumer redress fund, like the one the FTC created for ChoicePoint, that would be used to pay back victims (either customers or banks) if it turns out that TJX was negligent.

Putting their money where their mouth is, that kind of thing.”

What Sarah and Scott are saying (you can find their excellent work on https://www.CSOonline.com) is that TJX—or any company that collects and stores personal information—needs to be accountable and responsible for what happens when it loses it.

Tell me, Is that such a radical thought? Right now, the burden of cleaning up the mess falls upon you and me.

To quote Otter from “Animal House,” what business has been telling us when they mess up is, “Hey, you f–ed up; you trusted us.”

And as long as that attitude prevails, I don’t think the practice of information security is going to improve.

Do you?