The Fatally Flawed Assumptions In The Gonzalez Case
As attorneys and retailers argued recently about the sentencing and secrecy of Albert Gonzalez's criminal empire, various fundamental retail realities were forgotten.
Consider, for example, arguments on both sides that JCPenney and Wet Seal would have their stock prices seriously hurt if word of their involvement leaked out. The federal judge overseeing that discussion said any stock impact would be from the retailers' own doing, but he neglected to point out that there is absolutely no reason to believe there will be any stock impact.
When JCPenney's lawyer made that argument, the judge should have said, "OK. Well, the names of TJX, BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, DSW, Forever 21, Hannaford and 7-Eleven have already been identified as victims. Show me what kind of stock impact any of them had, limiting it, of course, to stock changes that related to the breach disclosure." Hint: none of those chains suffered any breach-disclosure-related stock (or, for that matter, revenue) impact.
TJX specifically felt compelled to note in a federal filing last month that it suffered zero stock impact as a result of the breach disclosure. But that shouldn't be a surprise; none of the victims has reported any—not even a little—revenue drops. This point brings us to the next logic disconnect.
(Related story: JCPenney’s Breach: Differences From Feds, Gonzalez, JCPenney Itself)
JCPenney Attorney Michael Ricciuti argued in a federal filing that disclosing his client's name "would only cause financial harm to the company, alarm customers needlessly." That's a good argument, were it not for that fact that it's ridiculous. The assumption that such a disclosure could cause financial harm and alarm customers is based on the belief that consumers care in any way about retail security.
If TJX and Hannaford—and the others—have taught us nothing else, they've established the seemingly limitless depth of American consumer apathy regarding retail security. First, consumers aren't paying any attention. But if they did, they wouldn't care, thanks to the card brands' zero-liability program. That's why no meaningful consumer financial losses have been reported in any of these breaches.
From JCPenney Attorney Kevin Walsh, in another filing: "Consumer confidence in the security of JCPenney's computer systems is almost as important as the reality of that security." There's a lot of truth in that statement. But it skates over the fact that "consumer confidence" is predicated on consumers giving a flying magstripe in the first place.
So much for consumer apathy. Let's move on to retailer cynicism. Here's a comment from Assistant U.S. Attorney Stephen Heymann, in a letter to U.S. District Court Judge Douglas P. Woodlock: "Knowing that card holders will be concerned that their credit or debit information has been put at risk, if they know it, provides an incentive to companies to invest in the protections their customers want. Transparency makes the market work in this area."
Beyond the fact that consumer apathy undermines the logical premise of Heymann's comment, retailer cynicism now plays a very key role. Premise One: No system, regardless of how well-funded, is bulletproof. Premise Two: In this weak economic climate, the only things that matter are boosting profits, revenue and marketshare, in that order. Premise Three: Putting in more sophisticated encryption is not going to change Premises One or Two.
But is the threat of being revealed to a public who is more interested in American Idol rankings than in whether their local supermarket is selling their debit card data on the black market such a scary thing?
As a practical matter, retailers will do what PCI requires them to do and probably not a heck of a lot more than that. Show me a board that will insist their company do materially more and I'll buy lunch for you and 100 of your closest friends.
Another valid argument is that there was never much reason for either JCPenney or Wet Seal to have fought the case. Given the laundry list of retail victims, this breach really doesn't reflect especially poorly on any one. Yes, there is strength in numbers. Or, more appropriately here, there's insecurity in numbers.
The CIO of one of the largest of the breached retailers—who asked that neither his name nor his chain be identified—said he was thrilled when JCPenney joined his merry band of victims. "My interest is to demonstrate that the problem was actually quite pervasive, that it wasn't just TJX and 7-Eleven that screwed up and had poorly secured data," the CIO said. "It was much more of an industry-wide circumstance. JCPenney legitimizes that argument. It's much better to be part of a bigger crowd. If Wal-Mart could be on the list, even better."
Two related notes: JCPenney did aggressively try and keep its name out of the public dockets, but it didn't deny that it was the retailer, at least to the best of our ability to determine. Although others made such denials, we can't trace any to the chain itself. No one can prove a negative, but it looks like JCPenney was shooting straight.
Speaking of shooting straight, when the federal filings were unsealed Monday (March 29), we here at StorefrontBacktalk were blushing. Two stories covering the case had been introduced as evidence: one from JCPenney and the other from the Justice Department. Both stories came from us.
As long as we're blushing, let's place this under the heading of "You Read It Here First And You Probably Will Always Read It Here First." We've been pushing coverage of the Gonzalez case since the earliest reports of the TJX break-in. We were the first publication to report on the unidentified retailer in the Massachusetts indictment, back in August 2008.
We were also the first media outlet to report that Target was the unidentified retailer from Massachusetts and that JCPenney was the unidentified retailer from New Jersey back in August of last year, some five months before Target fessed up. And then last week, we reported the identity of Wet Seal and the court's confirmation of JCPenney more than three before days anyone else could confirm it.
We don't know what other surprises retail technology and E-Commerce will deliver next week and every week thereafter, but we'll do everything we can to continue delivering it to you first. End of commercial.