Let’s look at the events that have occurred with the recent TJX computer hack and resulting privacy breach and identity thefts:
* Sometime in December 2006 TJX Companies Inc. discovered vulnerabilities in their computer systems and networks allowed unauthorized access to their data, including their customers’ personally identifiable information (PII).
* On January 17, 2007, TJX announced its computer network that handles customer transactions for around 2,500 retail stores was hacked into, and PII, including credit, debit, and driver’s license information was stolen.
* On January 22 the Massachusetts Bankers Association (MBA) said that banks must cancel and reissue cards affected by the breach and that the banks that issued the cards, rather than individual consumers, would cover all fraudulent purchases. They indicated that 50 banks of the banks they represent had been contacted by TJX that they knew of.
* On January 24 the MBA said in a press release that fraudulent use of the stolen debit and credit card information from the TJX breach had been reported by banks in Florida, Georgia and Louisiana, as well as overseas. The MBA said that TJX has notified individual banks that credit and debit cards they issued contained information included in the data compromised by the breach, and that banks will be cancelling affected financial cards and contacting customers to provide details on issuing new cards. The MBA told customers that they would be “fully reimbursed if a fraudulent transaction occurs during the unauthorized use of a card with a Visa or MasterCard logo on it.” As of January 24, the MBA reported that 60 of the 205 banks it represents had received such notification from TJX, but that the association expected the number to grow, given the magnitude of the information lost in the breach incident. The MBA stated that it supports the enactment of data breach liability legislation in Massachusetts “that would place the liability for the expenses that banks must bear in the hands of the retailers at fault.” The MBA said that making retailers responsible for such costs hopefully would be “the motivation that retailers need to enhance the security of their systems and protect consumers, as well as your local bank.” The MBA also called on the Massachusetts Legislature to enact a data breach consumer notification law. (Massachusetts is one of the few remaining states that do not have a consumer data breach notification law.)
* On January 25 Florida Attorney General Bill McCollum issued a consumer alert warning state residents who shopped at TJX-owned stores to closely monitor their credit report and financial statements.
* On January 29 AmeriFirst Bank in Alabama bank filed a federal class action lawsuit in Massachusetts against TJX Companies Inc. in an attempt to recover the costs of a breach incident the bank alleged was the result of negligent data security practices by TJX. Fifth Third Bank, the credit transaction processing bank for TJX, is also named as a defendant in the action. A copy of the compliant is located online.
* On January 29 a complaint seeking class action status was filed in federal court in Massachusetts on behalf of all TJX customers in the United States against TJX Companies Inc. for negligently failed to adequately secure its customer information. The single count common law negligence complaint alleges TJX did not comply with the Payment Card Industry Data Security Standard (PCI DSS). The complaint can be found online.
* On January 29 TJX issued a message on their website to their customers about the breach stating that the company hired two outside contractors to investigate the breach incident as soon as it was discovered in December 2006, and that the company has instituted new data security measures since then. It indicated TJX is engaged in an effort to assure its customers that it has undertaken effective remedial steps to correct the flaws in its computer network exposed by the data breach and to mitigate the impact on consumers of the theft of the financial and personal data.
* On January 30 (and perhaps other dates) Rep. Edward Markey from Massachusetts, and on the House Committee that oversees the FTC, made the news in many places indicating he wants the Federal Trade Commission to investigate how the breach happened.
The AmeriFirst complaint claims negligence (TJX did not meet their duty to protect PII in their possession), breach of contract (AmeriFirst and other banks are third-party beneficiaries of contracts requiring PCI DSS compliance between TJX and the major credit card companies that required them to adequately protect financial and personal information), and negligence per se (the defendants failed to adhere to the financial institutions customer records privacy and data security safeguards rule of the Gramm-Leach-Bliley Act (GLBA)).
While GLBA does not provide for an individual right of action to directly enforce the Safeguards Rule, the AmeriFirst complaint did not make such a direct claim, but referenced the defendants’ alleged failure to follow the Safeguards Rule as the grounds for a negligence per se claim.
AmeriFirst has identified at least 150 of their customers with credit or debit cards compromised by the TJX breach. The cost is approximately $20 to replace each compromised cards; or around $3000 so far.
There are so many lessons to learn from this incident and how it has been handled. Just a few include:
* Information security is necessary for business success as well as to protect customer privacy.
* Just one incident can not only lose the public trust, but also the trust of customers, and may in turn result in the loss of a significant number of customers.
* Information security and privacy protections must be built into all computer systems, networks and applications, from the the beginning planning stages right through to the retirement stage.
* Encrypt sensitive data such as PII not only while it is in transit, but also in storage.
* Every business must have a well documented and tested information security and privacy breach incident response and notification plan.
* Organizations must communicate clearly and honestly with the impacted individuals as soon as possible following a privacy breach, and make information about the breach easy to find. Be sincere in the information communicated, and send it from the highest business leader possible. Don’t try to minimize the incident or be condescending to the individuals whose PII was compromised.
* While PCI DSS is not a “law,” per se, it is a standard that organizations that do credit card processing must follow or wind up in very hot water and lawsuits following a breach.
* Noncompliance with data protection laws and regulations, as well as industry standards, will increasingly become the basis for lawsuits.
Tags: awareness and training, customer privacy, FTC, GLBA, government, identity theft, Information Security, IT compliance, PCI, personal privacy, policies and procedures, privacy, privacy incident, privacy law