The TJX lesson: If your security stinks you may be liable

The lawsuit swirling around the TJX data breach is getting interesting. The most interesting development: The banks suing TJX are arguing that the retailer should be liable because of lax security practices.
Written by Larry Dignan, Contributor

Until now, the banks and card issuers have absorbed the losses from data breaches at retailers. The banks are seeking to add TJX's lax security practices to their complaint, and if they win that argument it's a game changer: it would force retailers to take data security seriously. Retailers say they take security seriously now, but the ROI for being proactive is murky. Today the pattern is familiar: a breach occurs, the retailer offers free credit monitoring, takes a slight stock hit and goes about its business.

What's odd is that TJX has already settled the class action suit pending court approval. TJX also set aside $107 million to cover the bill.

But what may make this TJX suit more notable is precedent. If retailers become liable for breach losses, there's a much better business case for beefing up security. Court documents filed Thursday on behalf of the Massachusetts Bankers Association, Connecticut Bankers Association, Amerifirst Bank and others indicate that the number of compromised card numbers may be much larger than TJX's 45.7 million tally. The banks argue the figure is closer to 100 million. Both sides are sticking with their respective numbers.

Here's the gist of what the banks are arguing: they are seeking to prove that TJX caused the breaches by leaving itself so open to attack.

Among the key points (see PDF No. 1 and No. 2):

  • TJX had many "high level deficiencies" in its security practices.
  • TJX failed to properly configure its wireless network, didn't segment cardholder data from the rest of its network, didn't have an IT department "properly tasked to manage the environment used to store, process or transmit cardholder data," failed to patch systems correctly, used easily guessed passwords and botched its antivirus and intrusion detection.
  • TJX knew its wireless network was insufficient and failed to protect customer data.
  • The data breach impacted more than 100 million credit and debit card numbers.

Many of those points have been raised by George Ou in previous posts. The difference now: TJX, and other retailers by proxy, may have more than their reputation at stake in the game of data security.