The data breach case of $16 billion retailer TJX is crawling along, with this week delivering to us a handful of pseudo-developments. Those are things that sound like information, but examined closely tell us little new.
The Federal Trade Commission, for example, confirmed that it has been investigating TJX, but wouldn't say what it has found nor when it started. This would only be news to someone who thought the FTC would not have investigated, and that pretty much rules out anyone who understands Washington's CYA mentality.
Yes, the FTC will make some inquiries, take many months to mull it over and then quietly issue a fine that is near the top of their penalties, which is also coincidentally just shy of what TJX would consider a rounding error. Oh, and the FTC investigation's details won't be published, probably under national security headings because it could help Al Qaeda attack the U.S. credit card business. (Snicker now, but just wait and see how close the FTC comes to that wording in six months.)
Ahhhhh, but this country has checks and balances, no? The new majority in the U.S. House of Representatives has pledged to act and act quickly. We're now told by House staffers that the Energy and Commerce Committee is going to leap into action with hearings in "mid-to-late May" about a proposed data security bill.
Great! So that's when congressional testimony will reveal the specifics of what happened with TJX, so the rest of the industry can protect itself, right? Well, actually, no. The FTC probe is giving Congress political cover to not investigate TJX, but the hearings will have lots of witnesses to say that data security really needs a lot of work. And money. Don't forget the money.
Maybe, say the congressional aides, the committee will truly investigate TJX when the FTC probe is over.
Wait. All hope is not lost. What about all of those class-action lawsuits? Surely those depositions will start shedding light? Don't bet on it. It's going to take quite a few months before any of those depositions will be taken and, even then, lawyers will want to keep those details quiet until they can negotiate juicy settlements with TJX.
Why? There's only one thing TJX fears more than letting this case get to a jury: letting the full details get to its customers and investors. A last-minute settlement, with a hush clause, is quite likely. To not lose their leverage, lawyers will likely sit on those details as though they're the crown jewels.
What of our state governments? They're certainly above political or monetary considerations, right? The multi-state attorney general probe is proceeding, but details coming out are few. We did learn this week the names of some of the not-yet-released participating states, and that about 34 states appear to be involved.
Beyond Massachusetts (which is in charge of the probe) and Rhode Island (which had launched its own probe before giving up and joining the group), states participating include: Alabama; Arkansas; Arizona; California; Colorado; Connecticut; Delaware; Florida; Washington, D.C. (OK, so it's not really a state. Sue me); Hawaii (Probe 'em, Danno); Illinois; Maine; Maryland; Michigan; Mississippi; Missouri; Montana; Nebraska; Nevada; New Hampshire; New Jersey; New Mexico; North Carolina; North Dakota; Ohio; Oklahoma; Oregon; Pennsylvania (which many years ago proved its insightfulness by grabbing the only "attorneygeneral.gov" domain. Everyone else has to add state initials to their domain); South Dakota; Tennessee; Texas; and Vermont.
The Massachusetts case is apparently being run with the help of an all-volunteer executive committee, including representatives from the AG offices from Pennsylvania, Vermont, New Jersey, Arizona, Oregon, Ohio, Florida, Illinois and California.
Those states participating on the executive committee, one source said, often get a shot at additional money for their states. That's part of the problem. The states have an incentive to negotiate financial arrangements to get money back to state residents, but little incentive to publicly detail the security procedure lapses that caused the breach to happen and, much more importantly, the disclosure of which might prevent similar ones from happening.