Today @ PC World
News, opinion, and links from the PC World staff.

TJX Data Breach Gets Even Uglier

Posted by Tom Spring | Wednesday, April 25, 2007 1:25 PM PT

What is it going to take to make companies better protect our data? I'm not convinced lawsuits are the solution. But they sure make me feel better.

Retailer TJX is getting sued by a group of Massachusetts banks ticked off that the retailer is costing them millions of dollars in covering costs associated with what is considered the biggest data breach ever. TJX says hackers may have stolen more than 45 million credit and debit card numbers from it over an 18-month period. Banks are furious that now they have to replace credit cards and spend even more to protect customers who complain of fraudulent charges.

The Massachusetts Bankers Association filed the suit against TJX Tuesday. TJX owns T.J. Maxx, Marshalls, A.J. Wright, and HomeGoods. Here is a link to the lawsuit file (Acrobat).

I spoke to Massachusetts Bankers Association's spokesperson Bruce Spitzer. He gave me an earful. "Major retailers have not stepped up to the plate and protected their customers' financial data," he told me. "These companies have not been held accountable. We plan on setting an example with TJX."

Go get 'em Spitzer. But you'll have to get in line.

TJX is already being sued in a class action lawsuit filed in January in a US District Court in Boston. It accuses TJX of negligence for failing to maintain adequate security of customer credit and debit card data and not disclosing the breach for a month. The Federal Trade Commission (FTC) has also launched an investigation into TJX. In addition, Mass. Attorney General Martha Coakley will lead a civil investigation by dozens of states into the security breach.

At this rate TJX is going to have to spend more money on legal fees than upgrading its IT department and better protecting customer data.

I have zero sympathy for TJX. According to news accounts, the company's data breach occurred in 2006, but it waited until mid-January 2007 to tell its customers that they might be at risk. TJX says that it delayed telling its customers, not (as I suspect) to avoid hurting holiday sales, but in order to notify law enforcement first.

No, I don't think lawsuits will, in the end, benefit anyone but the lawyers who are handling the cases. Check out "A Chronology of Data Breaches," posted at the Privacy Rights Clearinghouse's site. It puts the total number of records containing sensitive personal information that have been involved in security breaches since January 10, 2005, at 104 million. Clearly companies aren't learning from mistakes.

I put more trust in tougher data protection laws. California's privacy laws are a good place to look. Its privacy law requires companies that maintain data on California residents to inform individuals of any security breaches that result in their personal information being stolen.

Meanwhile, the TJX fiasco has been fodder for Mass. Rep. Michael Costello to promote identity theft legislation. He's behind a bill that would make companies liable if their security systems are hacked and credit card data or personal information is stolen.

According to Costello, the law would be one of the first of its kind in the United States, forcing retailers and other companies along with government agencies and nonprofit groups to pay for losses if financial data is stolen.

Regarding TJX, I was impacted by last year's data breach because I bought a shirt at Marshalls in 2006 with a credit card. Yes, I am worried my credit card number is being swapped on some Web site.

I'm still wondering what the true cost of that shirt is. I'm not holding my breath that things are going to get better for consumers anytime soon. I just hope the next time I check my bank balance a hacker hasn't wiped my account clean, leaving me with only the shirt on my back.
