TJX Settlement. More Proof That Security Investment Is <i>Really</i> Hard To Justify

Not that it was needed, but more proof materialized this month that substantial security investments are really hard to justify. TJX announced Sept. 2 what will likely be the last of the settlements of class action lawsuits against it from the data breach of its systems that began in 2005 and which impacted more than 100 million payment cards.

Given the absence of an ROI argument for security investments—after all, no one is truly going to argue that it could boost revenue or profits—the only reason to make such an investment is risk avoidance. But the way criminal and civil laws are created in the U.S., the risks are quite minimal for the large retail chains.

There are no federal, state, county or municipal criminal laws requiring companies to protect personal or payment card data properly. That means that, even if it's established that a retailer did act recklessly with such data—and the evidence introduced at trial against TJX certainly made a good faith effort at establishing just that—no charges can be made against that chain.

That leaves civil courts. But civil courts are fundamentally focused on making someone financially whole. Thanks to zero liability programs from the card brands and many key issuing banks, consumers are generally unable to prove any material financial losses. That pretty much killed the consumer class-action lawsuit.

The only thing left was for the bankers themselves to sue. TJX made an excellent defense, namely that the bankers themselves chose to reissue their cards. Had they simply trusted card brand guidance and done nothing, they would have sustained few if any losses. TJX settled with almost all of the banks late December 2007.

Last Wednesday (Sept. 2), TJX struck quite a bargain and settled with the handful of remaining banks. In settling all charges with four different financial institutions—AmeriFirst Bank, HarborOne Credit Union, SELCO Community Credit Union and Trustco Bank—TJX agreed to pay $525,000 to be split between the four businesses.

Was that punitive or was that something closer to a nuisance payment for the $19 billion retail chain, operating under the brands of Marshalls, T.J. Maxx, HomeGoods, A.J. Wright, Winners, Stylesense and T.K. Maxx? (It sold Bob's Stores to private investors last year.)Punitive would generally mean covering all legal costs plus reimbursing the banks for all out-of-pocket costs and then paying them something to compensate them for the pain of the litigation.

The payment specifically excluded legal fees. According to the statement TJX issued, the settlement didn't even cover all of the banks' out-of-pocket expenses let alone offer anything for their efforts. Oh and it also allowed TJX to say that it "has denied all wrongdoing." The amount was enough that it was already covered in a reserve that TJX took back in the second fiscal quarter of 2007.

TJX has every right to vigorously defend itself and this is a good example of TJX skillfully working the environment it's in. But if retailers are going to be able to justify to their boards meaningful security investments, that environment must change. It certainly doesn't look like zero liability programs are going anywhere, even though that single gesture would likely be the most effective at enabling meaningful security investments.

The state laws enacted thus far—and some weak attempts at federal legislation--aren't going to help. We need laws-civil and criminal that make the risk of being breached while deploying inadequate security so incredibly painful that no board would risk it.

Retailers are businesses and they can't justify investments without the numbers. It's up to society to provide that. Why does McDonald's take tainted meat reports so seriously? I think we can scratch off "fear of the mighty FDA" off the list. It's their fear of devastating lawsuits and consumers immediately and overwhelmingly abandoning their stores.

But with retailers and data security, it's a different story. Zero liability prevents financial losses—thus halting effective civil lawsuits—and, also because of zero liability, consumers have not left TJX or Hannaford or any other breached retailer.

In the criminal cases against the cyberthieves accused of breaking into those chains, among the retailers effortlessly breached—due to weak security, according to the government—were TJX, Hannaford, 7-Eleven, BJ’s Wholesale Club, Boston Market, Sports Authority, Dave & Buster's, Target, J.C. Penney, Office Max, Barnes & Noble, Sports Authority, Forever 21 and DSW. And there is at least one additional major national chain that has yet to be identified. Is anyone seeing any of those losing customers as a result of them being identified as having weak security? Not at all.

Unless the retail industry is prepared to accept these kinds of breaches as the norm—and there many indications that just that kind of acceptance is happening—changes are needed.