One of the characters—a White House deputy communications director named Sam Seaborn—was arguing with another character when she told him, "Don't play dumb with me." He replied: "I'm not playing dumb. I really am dumb. Most of the time, I'm playing smart."
The TV joke was that this character truly was smart and was a smart guy playing dumb beneath playing smart. (Shades of Victor/Victoria but let's not go there.) This brings us back to TJX.
Before the breach, TJX was seen as a very smart, very well-positioned $17 billion retailer, sitting atop an especially attractive North American retail niche.
But since the breach, where the credit card data of some 46 million consumers fell into unauthorized hands, the company seemed to have made PR blunder after blunder. And yet, their financial health could hardly be better. Revenue and every key metric have improved since the breach's announcement, and the negotiated settlement with consumers suing TJX is likely to be approved and is extremely favorable to TJX.
When TJX learned of the breach in mid-December and kept silent until mid-January—when it was able to finish its wireless security upgrade—that now seems clever. When it announced that ultra-favorable initial version of the settlement late on a Friday night (after sundown on the eve of Yom Kippur), it even caught the judge unaware. Another coincidence, or were they really trying to bury the news?
When a large number of customers' driver's license data was grabbed in the heist, TJX asked its consumers to get their state motor vehicle departments to put a watch on their licenses. That was a move that would do relatively little to protect the consumer (the critical data—name, home address, sometimes Social Security number, photo, physical description, signature, etc.—would be gone for good and is very difficult to change), but it did have the potential for causing problems for those same consumers. If they're pulled over for a faulty taillight, they will almost certainly be held by authorities to verify their identity.
Recently, in making court arguments for the settlement, attorneys said the vouchers could be sold on eBay and converted into cash that way.
The judge overseeing the case strongly disliked that suggestion: "Too hard for me. These are consumers. People know how to cash checks. Saying 'Go to eBay and negotiate it' won't cut it."
But the judge wasn't alone. The comment drove several retail security experts crazy; they have been campaigning aggressively to stop retail vouchers from being fraudulently sold on auction sites such as eBay. To have TJX explicitly encourage that, some have said, is mind-boggling.
For the record, the TJX legal fallout from the breach isn't over yet. The consumer settlement still needs to be approved, but that now seems quite likely. A class-action lawsuit against TJX by quite a few banks and other financial institutions is slated for arguments next week.
A U.S. House of Representatives effort to hold hearings has been repeatedly postponed, but if those hearings do happen, there could be federal legislation behind them to criminalize weak security when protecting consumer information. And the group of state Attorneys General has yet to release its report, and that may have an impact on TJX, although it's not likely.
Has TJX's persistent silence on key details about the breach been based on shrewd legal acumen or the retail marketing reality that "Sticks and stones may break my bones but consumers couldn't care less about data security"?
TJX knew going into this case that they had the much stronger legal position—because no consumers lost meaningful dollars. With the exception of the bank lawsuit, TJX hasn't had any reason to answer nosey security questions.
As for the driver's license and eBay comments, apathy begets apathy.