TJX Defense: Everybody Was Doing It

As the latest TJX saga--the banks versus the retailer—unfolds, I can't help be reminded of driving along a major New York highway. Cars are speeding through every lane. "What are the chances that, with all of these cars speeding, the police will nab me?"

As the legal arguments start to unfold—as they did this week in a Boston federal courtroom—there is little discussion yet about responsibility to protect cardholder data. Most of the TJX defenses seem to be variants of "Everybody was doing it, so why pick on me?" As the state trooper would reply on that New York highway, "Because you got caught."

A major element of this case is proving fraud. To do that, lawyers for the banks are going for a sin by omission approach. By not having told MasterCard, Visa and others that their security was, in the words of U.S. District Court Judge William Young, "antiquated and deficient," it tricked those card companies into letting them continue to accept credit cards.

TJX's response in court was both cynical and regrettably true. To paraphrase: "Oh, come on. Cut me a break. Everyone—and especially Visa and MasterCard—know how terrible the security was at all of the major retailers. So to say now 'we were had' is ludicrous."

Instead of paraphrasing, let's listen to the exact words ofBreck Weigel, one of the attorneys for TJX card processor Fifth Third Bank: "We have a very broad record here, a number of depositions of these issuing banks. They attended meetings where Visa and MasterCard specifically pointed out to them there are merchants out there storing Track 2 data. Visa and MasterCard specifically pointed out to them there are a number of merchants who are not PCI compliant," Weigel said. "So not only do we have the name plaintiffs in this case who attended these meetings and would not have replied upon any authorization, security assurance as we call it, but obviously large financial institutions who are on the board of directors of Visa and MasterCard, certainly they are not relying upon issuing banks or acquiring banks or merchants as to some authorization. That just simply doesn't exist."

Interestingly enough, TJX's attorneys are using the extreme severity of the TJX data breach to argue why TJX shouldn't be punished. In what is widely considered the worst ever data breach reported, the retail chain in January disclosed that the credit card data of some 46 million consumers fell into unauthorized hands in a series of penetrations from July 2005 to December 2006.

One could point to the long duration of the unnoticed databreaches as evidence as somebody being less than attentive to security. But TJX is using that long duration to say that too much changed during that time period.

When it started, PCI was barely real and no one was taking it very seriously. (Are they taking it seriously today? Well, no, but that ruins my point. Stop distracting me with context.) Here's a wonderful line from TJX attorney Richard Batchelder, referring to the PCI Council. They'll "say you're going to have to move to this standard by such and such a date. And so there's this entire period of time when there's a standard out there, but you don't have to comply with it until Visa or MasterCard says you have to comply with it."

TJX's official position is that they ignore the PCI Council Babysitter until Visa Mom or MasterCard Dad get home? Candor is a wonderful gift.

In civil litigation, the vast majority of cases settle out of court. TJX had better hope this one does. If they ever have to face an emotional jury of--*gasp*!—consumers, they may find that trier of fact not nearly so forgiving. Judge's instructions notwithstanding, they may not clear TJX because of the rampant security carelessness of consumer's financial data. They may actually punish them for it. Silly consumers. Don't they know the law?