Group Of Banks Sues TJX Over Data Breach

from the retort dept

One of the reasons that big data breaches, such as the one at TJX, keep occurring is that there aren't sufficient incentives in place for companies to take this issue seriously. The key, then, is to develop ways for companies to see value in data security, and to be properly punished for their carelessness. At this point, the government doesn't seem to be doing much on this account, and even if it tried to do something, there's no guarantee that it would be effective, since many government regulations fail to achieve their desired goals. Now, a group of New England banks has filed a lawsuit against TJX, in hopes of receiving compensation for their own expenses from dealing with the situation. Their complaint seems legitimate, since it's known that the breach has contributed directly to fraud, which is something that the banks themselves have to combat. As one representative from the group put it, "Right now we've had major breaches from major retailers, and there's very little recourse and little incentive for them to change." While the tort system is often abused, it can be used by legitimately injured parties to get compensation. If the banks are successful in winning damages, it's likely to open up a new (and hopefully effective) avenue in punishing companies that mishandle their data.

Reader Comments

  1. Anonymous Coward, Apr 25th, 2007 @ 9:20am

    I love it when big business goes after big business. Down with them all, and may the middle class rock.

  2. IronChef, Apr 25th, 2007 @ 9:55am

    Something to ponder

    Here's something to ponder-

    Did TJX get sued solely based upon the data breach, or was the real cause because it was in the press-- too much visibility?

  3. Some Guy, Apr 25th, 2007 @ 10:05am

    Where's my cut!?

  4. Anonymous Coward, Apr 25th, 2007 @ 10:16am

    The funny thing about big business is right now they are scrambling around to be Sarbanes-Oxley compliant. They care more about documenting the security than actually securing the information. No one cares if the information is actually secure, they just want the document that says it is.

    Compliance and security is a mess and is being run by people who don't understand either.

  5. Wyndle, Apr 25th, 2007 @ 11:09am

    If that's the case...

    If banks can sue and win over fraud caused by poor information security, can people who have had their identities stolen as a result of poor information security do the same? It is the same exact event and in both cases directly led to fraud that cost someone money.

  6. SPR, Apr 25th, 2007 @ 11:30am

    Re: If that's the case...

    I like the idea of an injured person suing the business that was careless with their private data. The only problem I see with this is that it would be very difficult to prove that the injury to their credit and financial lives was 1) A direct result of that instance of carelessness, and 2) A real loss that can be assigned a monetary value.

  7. OWWS, Apr 25th, 2007 @ 12:44pm

    This sucks....

    Why can't we all just get along?

  8. Apr 25th, 2007 @ 1:12pm

    How Much Does A Security Breach Cost?

    The true issue here is determining how much money was lost due to a security breach. But I guess we will find out when the lawsuit is over. I hope people will learn from this that the prevention of security breaches is cheaper than lawsuits.

  9. Any Means, Apr 25th, 2007 @ 1:42pm

    Re: How Much Does A Security Breach Cost?

    Look at the costs of:
    * new cards produced and distributed to all potentially affected customers
    * time spent straightening out any fraudulent charges
    * actual cost of fraudulent charges
    * and throw in at least that total in addition for loss of good will (reputation)
    * and triple the new total to get the point across

    A handful of banks going after TJX in concert will get their attention.

  10. Michael Long, Apr 25th, 2007 @ 11:28pm

    And when a bank breaches security what happens then? Do all of the other banks gang up on it?

  11. A PCI drudge, Apr 26th, 2007 @ 2:36pm

    Opening Pandora's Box

    TJX will hire some smart lawyers. They will bring up two dirty little secrets, that won't be secrets anymore:

    1) The PCI designed a flawed system that has the Sensitive Cardholder Data flying around in the clear. If the PINs can be encrypted in the POS terminals, why isn't the rest of the data?

    2) The card networks and the issuers, the plaintiffs in the suit, are not required to encrypt Sensitive Cardholder Data and most don't. In fact the settlement files that fly around the networks at night are never encrypted - they are delivered to the acquirers' and merchants' systems in the clear. The PCI has no current plans to encrypt them.

    The PCI is an issuer organization. For a group of issuers to sue the poor merchants is an indication of how powerful and arrogant the PCI is.

    I'm guessing that the rest of the retail industry that is currently suing the PCI over interchange fees will come to the aid of their brother, TJX.

    This will all come out in court, because why should TJX pay for the PCI's mistakes?

    It will be verrryyyy interesting to watch it all go down.

  12. Anonymous Coward, Apr 26th, 2007 @ 8:23pm

    Yup, it will.

  13. SailorRipley, Apr 27th, 2007 @ 8:08am

    Re: Opening Pandora's Box

    My response doesn't mean I am a PCI fan-boy, it's only triggered by (in my opinion) your faulty argument(s).

    Would it be more secure overall if sensitive card holder information was stored on the card encrypted? Of course it would be.

    Would it be more secure if the data was read from the card encrypted at the store and sent to bank encrypted (without ever being decrypted at the merchant)? Of course it would be.

    And the former would be a valid reason to sue the PCI/card networks/issuers when somebody stole my card from me and read sensitive information straight off my card.

    The latter would be a valid reason to sue the PCI/card networks/issuers if somebody intercepted the unencrypted communications between a merchant and the PCI-members.

    However, neither is the case: information was stolen by accessing the TJX network and taking it from TJX servers...making them the only party responsible. It was TJX's choice to 1) have the sensitive information accessible from the outside (have a lack of sufficient security) and 2) have it on their servers unencrypted (just because the PCI expects you to send it unencrypted, doesn't mean you can't encrypt it while it's on/in your system).

    To make an analogy: your argument would be the same as: I put a jewelry box in my safety deposit box at a bank and it gets stolen because the bank didn't lock the vault/my safety deposit box and then says it's my fault, not theirs, that someone is using my jewelry, because I didn't lock my jewelry box.

  14. blake, Apr 28th, 2007 @ 11:11am

    About Time

    It's about time someone is forcing retailers to take this issue seriously -- too often consumers are screwed because of the lack of effort on the parts of these companies to protect consumers' information.
