Do State Data Probes Have The Right Priorities?

In the roughly three weeks since $16 billion retail chain TJX announced it had suffered a major data breach, there has been no shortage of people eager to jump on the "beat up the security victim" bandwagon.

Of course, TJX seems to have gone out of its way to invite abuse, whether by sitting on the news for a month, refusing to pay for customers who want to check their credit repeatedly, opting not to reveal virtually any details of the breach, and hiring a company with little retail experience and virtually no retail security reputation to investigate the breach.

But that's only what TJX has done since making the discovery in mid-December. (For the purpose of this argument, I am going to assume that the company, as it has announced, didn't discover the breach until mid-December, despite unconfirmed rumors that some company employees knew of it earlier.) The most disturbing elements of this story occurred before December. The breach (we won't say break-in, because for all of the incident details TJX has released, it might have been an IT employee doing this internally) reportedly happened as early as mid-May 2006 and was only discovered in mid-December. This raises lots of questions about the level of security the company had in place at the time, how well it protected confidential customer data (encryption and retention issues), and how it could possibly have been unaware of a breach this large for seven months. The question of how it was finally discovered may shed a little light on that.

So please don't get me wrong when I say that a lot of groups, from congressional investigators, federal agencies, class-action lawsuit attorneys, banking associations and state attorney generals, have been eager to throw a punch or two.

The head of the Massachusetts Bankers Association went so far as to question whether TJX is a victim at all. "We think it's a little odd that (TJX) would characterize themselves as victims when it appears that they may have been capturing data that is unnecessary," said MBA President Daniel Forte.

But of all of those groups, the ones that seem to be taking the lead in independently investigating this incident are state attorney generals. (Note to readers and to the copy desk: Many years ago, I had a city desk editor drum into me that the correct plural form of "attorney general" is "attorneys general." This is one of those times where I think "grammatical correctness" needs to be trumped by "it sounds too weird.")

On Wednesday, more than 30 of those states said they would support Massachusetts' attorney general taking the lead in the probe. But at least one of the states not participating, for the moment, is Rhode Island. Rhode Island had already launched its own probe, and it wants to continue going its own route.

The problem is that state-level justice departments often have very different goals. From time to time, there are exceptions. New York's recently promoted attorney general, Eliot Spitzer (now governor), enjoyed righting wrongs and accomplishing the kind of change that the feds should be doing, but usually don't.

In this case, though, the states in the Massachusetts group seem to be focusing on helping consumers with credit reports and credit repair. Theoretically, the banks will cover the consumers' actual losses from fraudulent transactions and identity theft. So the consumers' only loss is paying to watch their credit and then paying to fix it.

The hard-dollar cost of the monitoring and the repair is relatively minor (typically less than $50 per consumer and sometimes much less), although if indeed there are millions of consumer victims, even a small per-consumer amount could quickly become non-trivial. The bigger issue is compensating consumers for the many hours it takes, often spent on hold, to repair those credit records. The states are looking at the possibility of forcing the retailer to pay for professionals to clean up the credit records on the consumers' behalf.

But the bigger issues, the ones that might actually address the root cause and make a repeat less likely, are often glossed over. In the largest credit-card information breach to date (CardSystems, which may yet have to surrender that title to TJX), the company was punished by the market only after a congressional hearing forced all of the details to come out.

The only way to truly improve retail security is to make the punishment so severe that no retailer would ever dare skimp on protection or be flexible about policy adherence. Retail IT execs are watching the TJX case very closely, as are their bosses.

If TJX, a massive retail chain, is seriously bloodied, you're going to start seeing a tidal wave of security purchases from retailers in every segment. If TJX gets away with a slap on the wrist, every CFO who ever pushed back on a security investment request is going to feel vindicated.

At best, security investments are gambles. Statistically, most sites are not going to get seriously penetrated that often. Of those that are penetrated, most of those incidents will never be disclosed. Of the few that are disclosed, most will get minimal media attention and will quickly go away. It's the tiny percentage that get publicity that is the wild card. The odds are against any given retailer falling into that category, but, clearly, some will.

Does a CFO choose to hit a hard 17, or to draw to an inside straight? Professional burglars know that, if they do their job properly, they are unlikely to get caught. The only deterrence is that if they somehow are caught, the prison sentence is so severe that they won't take the chance.

Are the states going to focus on what went wrong? Will criminal options, which at least one state is considering, be seriously explored? Will the states make full public disclosure of all that is learned, other than the sanitization of a few details that wouldn't help the public but would help criminals? Will the hard questions about PCI compliance get asked?

The state AG offices could indeed go that route. But is it likely? Take the Massachusetts AG, for example. As of January 2006, TJX employed about 119,000 people, a healthy percentage of them based in Massachusetts.

The AG office there has a wonderful reputation for prosecuting many state residents and businesses. But in this kind of probe, the state can negotiate payments for consumers and be seen as tough. Why push it and force the retailer to disclose its security methods and what it did wrong?

I hope the states do push the envelope, force full disclosure, and make every other retailer tremble in its boots at the prospect of being in the same position. The investigators with the Rhode Island attorney general's probe seem open to being quite aggressive. But this would be a role better suited to the feds. Any takers?