Group Of Banks Sues TJX Over Data Breach
from the retort dept
One of the reasons that big data breaches, such as the one at TJX, keep occurring is that there aren’t sufficient incentives in place for companies to take this issue seriously. The key, then, is to develop ways for companies to see value in data security, and to be properly punished for their carelessness. At this point, the government doesn’t seem to be doing much on this account, and even if it tried to do something, there’s no guarantee that it would be effective, since many government regulations fail to achieve their desired goals. Now, a group of New England banks has filed a lawsuit against TJX, in hopes of receiving compensation for their own expenses from dealing with the situation. Their complaint seems legitimate since it’s known that the breach has contributed directly to fraud, which is something that the banks themselves have to combat. As one representative from the group put it, “Right now we’ve had major breaches from major retailers, and there’s very little recourse and little incentive for them to change.” While the tort system is often abused, it can be used by legitimately injured parties to get compensation. If the banks are successful in winning damages, it’s likely to open up a new (and hopefully effective) avenue in punishing companies that mishandle their data.
Comments on “Group Of Banks Sues TJX Over Data Breach”
I love it when big business goes after big business. Down with them all, and may the middle class rock.
Something to ponder
Here’s something to ponder:
Did TJX get sued solely based upon the data breach, or was the real cause because it was in the press – too much visibility?
Hey!
Where’s my cut!?
The funny thing about big business is right now they are scrambling around to be Sarbanes-Oxley compliant. They care more about documenting the security than actually securing the information. No one cares if the information is actually secure, they just want the document that says it is.
Compliance and security is a mess and is being run by people who don’t understand either.
If that's the case...
If banks can sue and win over fraud caused by poor information security, can people who have had their identities stolen as a result of poor information security do the same? It is the same exact event and in both cases directly led to fraud that cost someone money.
Re: If that's the case...
I like the idea of an injured person suing the business that was careless with their private data. The only problem I see with this is that it would be very difficult to prove that the injury to their credit and financial lives was 1) A direct result of that instance of carelessness, and 2) A real loss that can be assigned a monetary value.
This sucks....
Why can’t we all just get along?
How Much Does A Security Breach Cost?
The true issue here is determining how much money was lost due to a security breach. But I guess we will find out when the lawsuit is over. I hope people will learn from this that the prevention of security breaches is cheaper than lawsuits.
Re: How Much Does A Security Breach Cost?
Look at the costs of:
* new cards produced and distributed to all potentially affected customers
* time spent straightening out any fraudulent charges
* actual cost of fraudulent charges
* and throw in at least that total in addition for loss of good will (reputation)
* and triple the new total to get the point across
A handful of banks going after TJX in concert will get their attention.
Banks
And when a bank breaches security what happens then? Do all of the other banks gang up on it?
Opening Pandora's Box
TJX will hire some smart lawyers. They will bring up two dirty little secrets, that won’t be secrets anymore:
1) The PCI designed a flawed system that has the Sensitive Cardholder Data flying around in the clear. If the PINs can be encrypted in the POS terminals, why isn’t the rest of the data?
2) The card networks and the issuers, the plaintiffs in the suit, are not required to encrypt Sensitive Cardholder Data and most don’t. In fact the settlement files that fly around the networks at night are never encrypted – they are delivered to the acquirers’ and merchants’ systems in the clear. The PCI has no current plans to encrypt them.
The PCI is an issuer organization. For a group of issuers to sue the poor merchants is an indication of how powerful and arrogant the PCI is.
I’m guessing that the rest of the retail industry that is currently suing the PCI over interchange fees will come to the aid of their brother, TJX.
This will all come out in court, because why should TJX pay for the PCI’s mistakes?
It will be verrryyyy interesting to watch it all go down.
Re: Opening Pandora's Box
My response doesn’t mean I am a PCI fan-boy, it’s only triggered by (in my opinion) your faulty argument(s).
Would it be more secure overall if sensitive card holder information was stored on the card encrypted? Of course it would be.
Would it be more secure if the data was read from the card encrypted at the store and sent to bank encrypted (without ever being decrypted at the merchant)? Of course it would be.
And the former would be a valid reason to sue the PCI/card networks/issuers when somebody stole my card from me and read sensitive information straight off my card.
The latter would be a valid reason to sue the PCI/card networks/issuers if somebody intercepted the unencrypted communications between a merchant and the PCI-members.
However, neither is the case: information was stolen by accessing the TJX network and taking it from TJX servers…making them the only party responsible. It was TJX’s choice to 1) have the sensitive information accessible from the outside (have a lack of sufficient security) and 2) have it on their servers unencrypted (just because the PCI expects you to send it unencrypted, doesn’t mean you can’t encrypt it while it’s on/in your system).
To make an analogy: your argument would be the same as: I put a jewelry box in my safety deposit box at a bank and it gets stolen because the bank didn’t lock the vault/my safety deposit box and then says it’s my fault, not theirs, that someone is using my jewelry, because I didn’t lock my jewelry box.
Yup, it will.
About Time
It’s about time someone is forcing retailers to take this issue seriously — too often consumers are screwed because of the lack of effort on the parts of these companies to protect consumers’ information.