Group Of Banks Sues TJX Over Data Breach

from the retort dept

One of the reasons that big data breaches, such as the one at TJX, keep occurring is that there aren't sufficient incentives in place for companies to take this issue seriously. The key, then, is to develop ways for companies to see value in data security, and to be properly punished for their carelessness. At this point, the government doesn't seem to be doing much on this front, and even if it tried to do something, there's no guarantee that it would be effective, since many government regulations fail to achieve their desired goals. Now, a group of New England banks has filed a lawsuit against TJX, in hopes of receiving compensation for their own expenses from dealing with the situation. Their complaint seems legitimate, since it's known that the breach has contributed directly to fraud, which is something that the banks themselves have to combat. As one representative from the group put it, "Right now we've had major breaches from major retailers, and there's very little recourse and little incentive for them to change." While the tort system is often abused, it can be used by legitimately injured parties to get compensation. If the banks succeed in winning damages, it's likely to open up a new (and hopefully effective) avenue for punishing companies that mishandle their data.


Reader Comments



  1. Anonymous Coward, 25 Apr 2007 @ 9:20am

    I love it when big business goes after big business. Down with them all, and may the middle class rock.

  2. IronChef, 25 Apr 2007 @ 9:55am

    Something to ponder

    Here's something to ponder-

    Did TJX get sued solely based upon the data breach, or was the real cause that it was in the press -- too much visibility?

  3. Some Guy, 25 Apr 2007 @ 10:05am

    Hey!

    Where's my cut!?

  4. Anonymous Coward, 25 Apr 2007 @ 10:16am

    The funny thing about big business is that right now they are scrambling around to be Sarbanes-Oxley compliant. They care more about documenting the security than actually securing the information. No one cares if the information is actually secure, they just want the document that says it is.

    Compliance and security are a mess and are being run by people who don't understand either.

  5. Wyndle, 25 Apr 2007 @ 11:09am

    If that's the case...

    If banks can sue and win over fraud caused by poor information security, can people who have had their identities stolen as a result of poor information security do the same? It is the same exact event, and in both cases it directly led to fraud that cost someone money.

  6. SPR, 25 Apr 2007 @ 11:30am

    Re: If that's the case...

    I like the idea of an injured person suing the business that was careless with their private data. The only problem I see with this is that it would be very difficult to prove that the injury to their credit and financial lives was 1) a direct result of that instance of carelessness, and 2) a real loss that can be assigned a monetary value.

  7. OWWS, 25 Apr 2007 @ 12:44pm

    This sucks....

    Why can't we all just get along?

  8. Xenohacker@hotmail.com, 25 Apr 2007 @ 1:12pm

    How Much Does A Security Breach Cost?

    The true issue here is determining how much money was lost due to a security breach. But I guess we will find out when the lawsuit is over. I hope people will learn from this that the prevention of security breaches is cheaper than lawsuits.

  9. Any Means, 25 Apr 2007 @ 1:42pm

    Re: How Much Does A Security Breach Cost?

    Look at the costs of:
    * new cards produced and distributed to all potentially affected customers
    * time spent straightening out any fraudulent charges
    * actual cost of fraudulent charges
    * and throw in at least that total in addition for loss of good will (reputation)
    * and triple the new total to get the point across

    A handful of banks going after TJX in concert will get their attention.

  10. Michael Long, 25 Apr 2007 @ 11:28pm

    Banks

    And when a bank breaches security what happens then? Do all of the other banks gang up on it?

  11. A PCI drudge, 26 Apr 2007 @ 2:36pm

    Opening Pandora's Box

    TJX will hire some smart lawyers. They will bring up two dirty little secrets that won't be secrets anymore:

    1) The PCI designed a flawed system that has the Sensitive Cardholder Data flying around in the clear. If the PINs can be encrypted in the POS terminals, why isn't the rest of the data?

    2) The card networks and the issuers, the plaintiffs in the suit, are not required to encrypt Sensitive Cardholder Data and most don't. In fact, the settlement files that fly around the networks at night are never encrypted - they are delivered to the acquirers' and merchants' systems in the clear. The PCI has no current plans to encrypt them.

    The PCI is an issuer organization. For a group of issuers to sue the poor merchants is an indication of how powerful and arrogant the PCI is.

    I'm guessing that the rest of the retail industry that is currently suing the PCI over interchange fees will come to the aid of their brother, TJX.

    This will all come out in court, because why should TJX pay for the PCI's mistakes?

    It will be verrryyyy interesting to watch it all go down.

  12. Anonymous Coward, 26 Apr 2007 @ 8:23pm

    Yup, it will.

  13. SailorRipley, 27 Apr 2007 @ 8:08am

    Re: Opening Pandora's Box

    My response doesn't mean I am a PCI fan-boy; it's only triggered by (in my opinion) your faulty argument(s).

    Would it be more secure overall if sensitive cardholder information was stored on the card encrypted? Of course it would be.

    Would it be more secure if the data was read from the card encrypted at the store and sent to the bank encrypted (without ever being decrypted at the merchant)? Of course it would be.

    And the former would be a valid reason to sue the PCI/card networks/issuers when somebody stole my card from me and read sensitive information straight off my card.

    The latter would be a valid reason to sue the PCI/card networks/issuers if somebody intercepted the unencrypted communications between a merchant and the PCI-members.

    However, neither is the case: information was stolen by accessing the TJX network and taking it from TJX servers, making them the only party responsible. It was TJX's choice to 1) have the sensitive information accessible from the outside (have a lack of sufficient security) and 2) have it on their servers unencrypted (just because the PCI expects you to send it unencrypted doesn't mean you can't encrypt it while it's on/in your system).

    To make an analogy: your argument would be the same as: I put a jewelry box in my safety deposit box at a bank, and it gets stolen because the bank didn't lock the vault/my safety deposit box, and then the bank says it's my fault, not theirs, that someone is using my jewelry, because I didn't lock my jewelry box.

  14. blake, 28 Apr 2007 @ 11:11am

    About Time

    It's about time someone is forcing retailers to take this issue seriously -- too often consumers are screwed because of the lack of effort on the part of these companies to protect consumers' information.

