But the $561 million chain Wet Seal, which has 504 stores in 47 states, Washington, D.C., and Puerto Rico, kept its identity secret. No more, though, and that's the way Woodlock wanted it.
For those keeping track, every reference in the indictment that came out of New Jersey about "Company A" was really talking about JCPenney and every reference to "Company B" was shorthand for Wet Seal, according to Jarrett Lovett, Woodlock's deputy clerk.
JCPenney attorney Michael Ricciuti, in Boston federal court on March 26, argued that privacy laws should protect the two chains. Woodlock disagreed.
"What we have here is Company A and Company B being at least vulnerable to SQL injection attacks and successful ones. Now, they just did not turn out to be ones in which, apparently, some consumer funds were taken. Company A and Company B can say, 'We have taken the steps that are necessary to protect us from SQL injections in the future. There was no harm to any customer,'" the judge said. "But it seems to me that this awkward kind of insulation from transparency for a corporation as opposed to, say, a human victim, seems odd to me in light of the fact that there is no privacy right."
(For a detailed look at what Gonzalez's crew did to both JCPenney and Wet Seal and to hear from JCPenney and the CIO of one of other victim chains, see JCPenney’s Breach: Differences From Feds, Gonzalez, JCPenney Itself")
JCPenney's Ricciuti also argued that some retailers might not cooperate with government federal criminal investigations if they aren't guaranteed confidentiality. The judge didn't take kindly to that argument.
"You mean to tell me that Company A and Company B would not cooperate with the Government if faced with something like this? I cannot imagine that they would take that as a corporate policy or even suggest that as a corporate policy. Of course they are going to cooperate. There is no incentive that is needed here," he said, before tweaking the attorney that there is sometimes special treatment. After the two retailers were given confidentiality in Camden, N.J., Woodluck said: "There is, apparently, a benefit that is available, at least for some people, in the District of New Jersey, but it is not necessarily available here."
Undaunted, Ricciuti continued his argument. "I think if there is a notion that whenever you cooperate with the Government, you should expect that there is no protection for your identity, that is a huge disincentive for corporations to cooperate," he said. "They will go to private sources to seal up their breaches and never disclose [them] to the Government and potentially leave consumers at risk. That is a very damaging policy."The judge sought to clarify the background. "That may be so. That is certainly something the Government would have to consider. But here I do not think it was a matter of Company A and Company B coming forward. This was a matter of Company A and Company B being identified as entities whose computer systems were breached," the judge said. "So, we need not, I think, worry about how stouthearted corporations are going to be about coming forward. And the government has to make that calculation all the time in dealing with potential cooperators. I do have some considerable difficulty shedding a tear for a corporation."
JCPenney's counsel said the situation would have been different had the chain known from the beginning that secrecy wasn't going to be maintained. The judge retorted: "So they could have taken steps to avoid and impede the government's investigation?"
"No, but they could have certainly taken steps to make public disclosure on their own terms in their own way so that," Ricciuti said, "to the extent there was going to be any public disclosure, they could at least alert the shareholding public who might be alarmed and concerned that there is not cause for alarm."
The court was not mollified. "They have had three years to alert their shareholding public about problems with their security. They have chosen not to, relying, improvidently, on a protective order," Judge Woodlock said. "But, frankly, I guess it is their choice, and they made it. Now it is my choice to deal with whether or not there should be disclosure of such an entity, and I cannot say that I have found this [argument] compelling at this point."
Ricciuti then made the quintessential corporate argument. "The shareholders, the pension plans, the folks that own the stocks of these companies now will pay a price for the company relying on the Government," he said.
"What do you mean 'pay a price'? That the stock will go down?" asked the judge. "I guess, then, it is the choices they made about how transparent they were with their shareholders, with the market, generally, about their exposure. Others of these entities made disclosure fairly promptly about it."
Added his Honor: "Does it make any sense, under these circumstances, to keep from disclosure the identity of a corporation which has had its information technology systems breached, another way of saying that they were vulnerable to breach? Some corporations get special privileges. They get not to be identified."
At one point in the back-and-forth, JCPenney's attorney said that he had agreed with an Assistant U.S. Attorney on one issue that the judge saw differently.
"Well, that makes two of you, then," shot back the judge, before reminding him who was in charge. "But there is a third: the Court. It is a little bit like Lincoln's Cabinet. When they took votes, Lincoln would ask and the vote would come back five to one, with Lincoln being the one. And he would say, 'Five to one. The ones have it.'"
After he ordered the names to be unsealed, Woodlock cited from a favorite poem. "The Oklahoma Ligno and Lithograph Company weeps at a nude by Michelangelo," the judge read to those attending the hearing. "It is so absurd to suggest that there is this anthropomorphic quality to corporations and that they are entitled to some special benefits as to leave it open to spoof by poets."
Back in November, another attorney for JCPenney asked the judge to protect the company's "dignity, " phrasing that might have set his Honor off.
The government's case had been beforehand, in written memos. "In the case of computer attacks such as the one charged here, the argument for this is undeniably strongest when people's credit or debit card numbers are known, with certainty, to have been stolen from a corporation," said Assistant U.S. Attorney Stephen Heymann. "However, it is only marginally less so when people's credit or debit card numbers are put at risk by the failure of a corporation's protective system. When a fraud or Internet attack has compromised a corporation's security system and potentially put customers' credit or debit card numbers at risk, it is far fairer for their customers to evaluate that risk on a fair presentation of the facts than for the corporation, alone, to be told of the intrusion by the government."
Added Heymann: "Most people want to know when their credit or debit card numbers have been put at risk, not simply, if and after they have clearly been stolen. Knowing that card holders will be concerned that their credit or debit information has been put at risk, if they know it, provides an incentive to companies to invest in the protections their customers want. Transparency makes the market work in this area."