TJX is learning that the trickling out of bad news is a great way to keep a negative story alive and to send distrust as high as possible. Remember that mid-December unauthorized access that it didn't report until mid-January? Turns out it had taken place almost seven months earlier, back in May 2006. I guess they wanted to make sure the thieves had plenty of time before the public was alerted.
"We had said in our press release that we had discovered the breach in mid-December but we did not put in when it occurred," TJX spokeswoman Debra McConnell was quoted as saying in a Computerworld story.
Meanwhile, regulators in Pennsylvania have decided that the credit card theft was, ironically, too big to require consumer disclosure. "Under a new state law that took effect in June, businesses are required to notify Pennsylvania consumers by letter, telephone or e-mail if sensitive personal data is lost or stolen, exposing them to the risk of identity theft," reported the Pittsburgh Post-Gazette. "But the AG's office, which enforces the statute, said yesterday that personal notice is not required if more than 175,000 consumers are involved or if the cost of notification would exceed $100,000."