Group Of Banks Sues TJX Over Data Breach
from the retort dept
One of the reasons that big data breaches, such as the one at TJX, keep occurring, is that there aren't sufficient incentives in place for companies to take this issue seriously. The key then is to develop ways for companies to see value in data security, and to be properly punished for their carelessness. At this point, the government doesn't seem to be doing much on this account, and even if it tried to do something, there's no guarantee that it would be effective, since many government regulations fail to achieve their desired goals. Now, a group of New England banks have filed a lawsuit against TJX, in hopes of receiving compensation for their own expenses from dealing with the situation. Their complaint seems legitimate since it's known that the breach has contributed directly to fraud, which is something that the banks themselves have to combat. As one representative from the group put it, "Right now we've had major breaches from major retailers, and there's very little recourse and little incentive for them to change." While the tort system is often abused, it can be used by legitimately injured parties to get compensation. If the banks are successful in winning damages, it's likely to open up a new (and hopefully effective) avenue in punishing companies that mishandle their data.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Reader Comments
Subscribe: RSS
View by: Time | Thread
[ link to this | view in chronology ]
Something to ponder
Did TJX get sued solely based upon the data breach, or was the real cause because it was in the press-- too much visibility.
[ link to this | view in chronology ]
Hey!
[ link to this | view in chronology ]
Compliance and security is a mess and is being ran by people who don't understand either.
[ link to this | view in chronology ]
If that's the case...
[ link to this | view in chronology ]
Re: If that's the case...
[ link to this | view in chronology ]
This sucks....
[ link to this | view in chronology ]
How Much Does A Security Breach Cost?
[ link to this | view in chronology ]
Re: How Much Does A Security Breach Cost?
* new cards produced and distributed to all potentially affected customers
* time spent straightening out any fraudulent charges
* actual cost of fraudulent charges
* and throw in at least that total in addition for loss of good will (reputation)
* and triple the new total to get the point across
A handful of banks going after TJX in concert will get their attention.
[ link to this | view in chronology ]
Banks
[ link to this | view in chronology ]
Opening Pandora's Box
1) The PCI designed a flawed system that has the Sensitive Cardholder Data flying around in the clear. If the PINs can be encrypted in the POS terminals, why isn't the rest of the data?
2) The card networks and the issuers, the plantiffs in the suit, are not required to encrypt Sensitive Cardholder Data and most don't. In fact the settlement files that fly around the networks at night are never encrypted - they are delivered to the acquirers and merchants systems in the clear. The PCI has no current plans to encrypt them.
The PCI is an issuer organization. For a group of issuers to sue the poor merchants is an indication of how powerful and arrogant the PCI is.
I'm guessing that the rest of the retail industry that is currently sueing the PCI over interchange fees will come to the aid of their brother, TJX.
This will all come out in court, because why should TJX pay for the PCI's mistakes?
It will be verrryyyy interesting to watch it all go down.
[ link to this | view in chronology ]
Re: Opening Pandora's Box
Would it be more secure overall if sensitive card holder information was stored on the card encrypted? of course it would be.
Would it be more secure if the data was read from the card encrypted at the store and sent to bank encrypted (without ever being decrypted at the merchant)? of course it would be.
And the former would be a valid reason to sue the PCI/card networks/issuers when somebody stole my card from me and read sensitive information straight off my card.
The latter would be a valid reason to sue the PCI/card networks/issuers if somebody intercepted the unencrypted communications between a merchant and the PCI-members.
However, neither is the case: information was stolen by accessing the TJX network and taking it from TJX servers...making them the only party responsible. It was TJX's choice to 1) have the sensitive information accessible from the outside (hae a lack of sufficient secruity) and 2) have it on their servers unencrypted (just because the PCI expects you to send it unecrypted, doesn't mean you can't encrypt it while it's on/in your system)
To make an analogy: your argument would be the same as: I put a jewelry box in my safety deposit box at a bank and it gets stolen because the bank didn't lock the vault/my safety deposit box and then says it's my fault, not theirs, that someone is using my jewelry, because I didn't lock my jewelry box
[ link to this | view in chronology ]
[ link to this | view in chronology ]
About Time
[ link to this | view in chronology ]