Shostack + Friends Blog Archive


Evan Schuman: TJX gets the BB gun

Not much naughtier than other retailers:

I’d say yes to coal for most of the major retailers for dropping the ball on security. Bigger chunks of coal need to go to state legislators and the U.S. House and Senate for failing to pass any laws protecting consumer data (although Minnesota got quite close). But to TJX? I’d give it a pass.
TJX theorized—correctly—that any breach wouldn’t cause any impact on sales, as consumers (protected by the card brands’ zero-liability deals) would stand by it. With that regrettable fact out there, it would have been extremely difficult for TJX to have justified spending much more than it did.

eWeek, 2007-12-24
“Justified” in the last quoted sentence means “justified to shareholders”.
There’s gotta be a dissertation out there about herd behavior in the face of the inability to measure the effect of behaviors on outcomes. It explains way more than I wish it did about infosec resource allocation decisions.
Pic via The Daisy Museum (in downtown Rogers, Arkansas).

4 comments on "Evan Schuman: TJX gets the BB gun"

  • Evan Schuman says:

    The column you mention was painful but it was also practical. (At least that’s how it was intended.) Publicly-held businesses have rules they have to follow. This is more of an ethics issue. Should a company do what is right for society even if it means weakening the company, reducing profits, losing market share?
    The answer for most businesses is “Yes, but only to a certain point.” I think TJX’s initial conduct was exactly that. “Yes to a certain point.” And that certain point was quite limited.
    But any investment needs to be cost-justified, especially with a publicly-held company. If they don’t, their shareholders have a perfect right to sue and THAT lawsuit stands a very good chance of success.
    Ultimately, this comes down to consumers. If they actually stop buying from retailers who treat their confidential data recklessly, retailers will quickly change their approach. But as long as consumers don’t seem to care (they tell surveyors they care, but their actions show an opposite reality), it’s hard for anyone to justify doing much. It’s sad, but true.

  • Chris says:

    Evan: I think you made your point very well, and very clearly.
    The thing is, it is hard to show that any level of expenditure is cost-justified. That is, within broad bounds, any value is as (in)defensible as another. My sense is that this is where the herding behavior comes in, but I haven’t looked into the economics of this enough to say much more than that.
    In addition to consumers, I think your editorial was right to say that it also can come down to government. Sure, if everybody votes with their feet things will change. They can also change by legislative fiat. While this may seem to be too strong a medicine in the U.S., look how a handful of breaches in the U.K. has led to calls for a heavier government hand. It’s an interesting contrasting approach to the same basic issue. I’m sure 2008 will be an interesting time, and I’m looking forward to your coverage of the retail world even more than I did this year.

  • PHB says:

    It’s not such a good strategy for shareholders. Visa and Mastercard both levy a $50 or so fee per card when details are disclosed.
    May take them some time to collect but it is a multi-million dollar liability that has to be carried in the accounts.

  • DAG says:

    There are several problems with this picture.
    1. Cardholders have zero liability. So when coldly considered where is the incentive to vote with your feet? And it seems no one is voting with their feet. This may explain surveyed opinion versus observed behaviour.
    2. The card companies threaten $50/card fines. But TJX settled with Visa US for $41 million. While we haven’t heard about non-US Visa regions, or Mastercard yet, Visa cards were supposed to be about 2/3 of the compromised cards. That suggests only 8 million actual Visa cards were compromised. What about the reported 22, 44, or 98 million? Where is the $1, 2 or 5 billion fine? Either the number of compromised cards is much smaller or the per-card fine is much lower. If the card issuers are out this kind of cost, are they not covering costs from this settlement?
    So ask yourself: how is this going to change the next time around?