BreachExchange mailing list archives
Off-topic: TJX perspective
From: Al Mac Wheel <macwheel99 () wowway com>
Date: Thu, 27 Dec 2007 09:03:35 -0600
"Did TJX do what was reasonable and appropriate at the time it did it?" As they discovered they had various problems, did they take the prudent steps that we should expect of any organization in the same situation?

http://www.eweek.com/article2/0,1895,2240150,00.asp?kc=EWKNLRET122707FEA1

[...] The core problem with the TJX cases is that the lawsuits wanted to accuse TJX of something that is not illegal in any state. They wanted to hold the retailer liable for not properly protecting consumer credit card data. But there isn't anything on the books in any state or the federal government that requires that. Some industry efforts, most notably the PCI DSS (Payment Card Industry's Data Security Standard), seek to require it, but those efforts have no muscle, other than the ability to deny a chain the right to accept the cards for payment.

[...] One of TJX's defenses has been that its security wasn't materially worse than any other retailer of similar size. Sadly, it's a true point.

[...] (I'm still waiting for an explanation of how intrusions continued to happen for multiple years before they were detected.) But I am pointing out that security investments are among the most difficult decisions and we need to be careful before criticizing those decisions.

[...] Bigger chunks of coal need to go to state legislators and the U.S. House and Senate for failing to pass any laws protecting consumer data (although Minnesota got quite close).

[...] TJX theorized, correctly, that any breach wouldn't cause any impact on sales, as consumers (protected by the card brands' zero-liability deals) would stand by it. With that regrettable fact out there, it would have been extremely difficult for TJX to have justified spending much more than it did.

- Al Mac

_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss