Group Of Banks Sues TJX Over Data Breach

from the retort dept

One of the reasons that big data breaches, such as the one at TJX, keep occurring is that there aren’t sufficient incentives in place for companies to take this issue seriously. The key, then, is to develop ways for companies to see value in data security, and to be properly punished for their carelessness. At this point, the government doesn’t seem to be doing much on this account, and even if it tried to do something, there’s no guarantee that it would be effective, since many government regulations fail to achieve their desired goals. Now, a group of New England banks has filed a lawsuit against TJX, in hopes of receiving compensation for their own expenses from dealing with the situation. Their complaint seems legitimate, since it’s known that the breach has contributed directly to fraud, which is something that the banks themselves have to combat. As one representative from the group put it, “Right now we’ve had major breaches from major retailers, and there’s very little recourse and little incentive for them to change.” While the tort system is often abused, it can be used by legitimately injured parties to get compensation. If the banks are successful in winning damages, it’s likely to open up a new (and hopefully effective) avenue for punishing companies that mishandle their data.


Comments on “Group Of Banks Sues TJX Over Data Breach”

Anonymous Coward says:

The funny thing about big business is right now they are scrambling around to be Sarbanes-Oxley compliant. They care more about documenting the security than actually securing the information. No one cares if the information is actually secure, they just want the document that says it is.

Compliance and security is a mess and is being run by people who don’t understand either.

SPR (profile) says:

Re: If that's the case...

I like the idea of an injured person suing the business that was careless with their private data. The only problem I see with this is that it would be very difficult to prove that the injury to their credit and financial lives was 1) a direct result of that instance of carelessness, and 2) a real loss that can be assigned a monetary value.

Any Means says:

Re: How Much Does A Security Breach Cost?

Look at the costs of:
* new cards produced and distributed to all potentially affected customers
* time spent straightening out any fraudulent charges
* actual cost of fraudulent charges
* and throw in at least that total in addition for loss of good will (reputation)
* and triple the new total to get the point across

A handful of banks going after TJX in concert will get their attention.

A PCI drudge says:

Opening Pandora's Box

TJX will hire some smart lawyers. They will bring up two dirty little secrets, that won’t be secrets anymore:

1) The PCI designed a flawed system that has the Sensitive Cardholder Data flying around in the clear. If the PINs can be encrypted in the POS terminals, why isn’t the rest of the data?

2) The card networks and the issuers, the plaintiffs in the suit, are not required to encrypt Sensitive Cardholder Data and most don’t. In fact the settlement files that fly around the networks at night are never encrypted – they are delivered to the acquirers’ and merchants’ systems in the clear. The PCI has no current plans to encrypt them.

The PCI is an issuer organization. For a group of issuers to sue the poor merchants is an indication of how powerful and arrogant the PCI is.

I’m guessing that the rest of the retail industry that is currently suing the PCI over interchange fees will come to the aid of their brother, TJX.

This will all come out in court, because why should TJX pay for the PCI’s mistakes?

It will be verrryyyy interesting to watch it all go down.

SailorRipley says:

Re: Opening Pandora's Box

My response doesn’t mean I am a PCI fan-boy, it’s only triggered by (in my opinion) your faulty argument(s).

Would it be more secure overall if sensitive cardholder information was stored on the card encrypted? Of course it would be.

Would it be more secure if the data was read from the card encrypted at the store and sent to the bank encrypted (without ever being decrypted at the merchant)? Of course it would be.

And the former would be a valid reason to sue the PCI/card networks/issuers when somebody stole my card from me and read sensitive information straight off my card.

The latter would be a valid reason to sue the PCI/card networks/issuers if somebody intercepted the unencrypted communications between a merchant and the PCI-members.

However, neither is the case: information was stolen by accessing the TJX network and taking it from TJX servers… making them the only party responsible. It was TJX’s choice to 1) have the sensitive information accessible from the outside (have a lack of sufficient security) and 2) have it on their servers unencrypted (just because the PCI expects you to send it unencrypted doesn’t mean you can’t encrypt it while it’s on/in your system).

To make an analogy: your argument would be the same as: I put a jewelry box in my safety deposit box at a bank and it gets stolen because the bank didn’t lock the vault/my safety deposit box, and then the bank says it’s my fault, not theirs, that someone is using my jewelry, because I didn’t lock my jewelry box.
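The point made in the comment above, that a merchant can encrypt cardholder data while it sits on its own systems even if the network expects it in the clear at transmission time, is illustrated by the following added example. It is not code from the commenter, from TJX or from the PCI council. It assumes the Python `cryptography` package is installed and picks AES-GCM as the cipher (the comment names no algorithm); the key-handling, record layout, sample PAN and order ids are constructed for illustration. The stored record keeps only a masked PAN in the clear, the full PAN is decrypted only when a message to the network is actually being built, and the ciphertext is bound to the record id so a dump of the database cannot be re-used out of context.

```python
import json
import os

# Assumed dependency: the `cryptography` package (pip install cryptography).
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM


def new_data_key() -> bytes:
    """Generate a 256-bit AES key. In a real deployment this key lives in an
    HSM or key-management service, not on the host that stores the records."""
    return AESGCM.generate_key(bit_length=256)


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits (the usual displayable form)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def protect_record(record_id: str, pan: str, key: bytes) -> dict:
    """Build the record the merchant keeps at rest: a masked PAN for display and
    the AES-GCM ciphertext of the full PAN, with the record id as associated data
    so the ciphertext cannot be moved to a different record unnoticed."""
    nonce = os.urandom(12)  # fresh 96-bit nonce per record; never reuse with one key
    ciphertext = AESGCM(key).encrypt(nonce, pan.encode(), record_id.encode())
    return {
        "id": record_id,
        "pan_masked": mask_pan(pan),
        "nonce": nonce.hex(),
        "pan_ct": ciphertext.hex(),
    }


def recover_pan(record: dict, key: bytes) -> str:
    """Decrypt the PAN only at the point where the clear-text message to the
    network is assembled. Raises InvalidTag if ciphertext, nonce or id changed."""
    plaintext = AESGCM(key).decrypt(
        bytes.fromhex(record["nonce"]),
        bytes.fromhex(record["pan_ct"]),
        record["id"].encode(),
    )
    return plaintext.decode()


def record_leaks_pan(record: dict, pan: str) -> bool:
    """What someone reading the stored record (or a database dump) would see."""
    return pan in json.dumps(record)


def tamper_detected(record: dict, key: bytes) -> bool:
    """Re-binding the stored ciphertext to another record id must fail to decrypt."""
    moved = dict(record, id="ORDER-9999")  # constructed alternate id
    try:
        recover_pan(moved, key)
    except InvalidTag:
        return True
    return False


if __name__ == "__main__":
    key = new_data_key()
    sample_pan = "4111111111111111"  # constructed test number, not a real card
    rec = protect_record("ORDER-0001", sample_pan, key)
    print(json.dumps(rec, indent=2))
    print("PAN visible at rest:", record_leaks_pan(rec, sample_pan))
    print("round trip ok:", recover_pan(rec, key) == sample_pan)
    print("tamper detected:", tamper_detected(rec, key))
```

The design choice worth noting is that the encryption key and the encrypted records never need to sit on the same host: the server holding the records can be read in full without exposing a single PAN, which is exactly the property the comment argues TJX could have had regardless of what the PCI network required on the wire.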
