More On TJX, Data Breach and Federal Trade Commission

Credit Card Security Law


Data Security Compromise Regulation


I argue FTC concluded its investigation of TJX wrongly. Which provoked this comment:
You state "Both TJX and Hannaford were informed, aware, thinking and making good-faith judgment calls using the technology of the day." What evidence do you have to back that statement? Everything that I have seen in the press implies that TJX was taking the calculated risk of saving the security expenditures, and lost that gamble. In that light, the actions of the FTC seem more reasonable.

Ben's reply: I agree TJX "took a calculated risk of saving the security expenditures, and lost that gamble". In order to take a calculated risk, you have to be informed about the risk.

Thus, point number 1: TJX was not ignorant of the issues.
Click Here

Point number 2: TJX acted in good faith.

What does "good faith" mean? It means (a) you hire qualified professionals to honestly look at your security issues, (b) you deliberate about your issues, and (c) you make and implement decisions – without (d) the desire or intent for credit cards to be stolen. TJX did exactly that. It did have qualified IT professionals. They debated in e-mail topics like whether WEP encryption is enough. TJX’s e-mail traffic about WEP is evidence of deliberation. And, I'll bet TJX (a large publicly-owned company) did not desire or intend for the criminals to break in. I have seen nothing in the press that TJX wanted or encouraged a break-in.

Point 3: TJX had a considerable amount of security; the security just was not enough to defeat the high-powered organized crime machine that hit. TJX's security was much greater than zero.

How Much Security is Enough?

To which, my commenter says:
I have not seen or heard of any evidence that TJX did or did not have either a considerable amount of security or any security at all. Is there any evidence in the public domain to support your assertion?

Ben’s reply: if TJX had no security at all, then thousands of unskilled, disorganized criminals of all descriptions would have descended on the company (by thousands of different channels) and stolen the company's data over and over and over again. That is not what happened. TJX had many elements and layers of security.

For example, it used WEP encryption to protect wireless in stores. I realize WEP is not perfect; perfect security does not exist. But WEP is more than zero.

Further, TJX implemented a process to upgrade from WEP to the stronger WPA encryption throughout its system, starting October 2005. The fact that the merchant even knew it needed to upgrade, and then it started implementing the upgrade, is evidence that TJX had a security program.

The FTC criticized TJX for having weak passwords. Implication: TJX did use passwords. Passwords are a security measure. FTC just believes the password practices were not strong enough. (Note: some security experts will argue that even the password practices the FTC advocates are woefully inadequate security. Which raises a question for the FTC to ponder: Would a merchant would violate FTC law if the merchant implemented the password security practices advocated by the FTC, given that some respected experts will say those practices are inadequate?)

According to the Wall Street Journal, TJX’s criminal assailants had to work very hard and systematically over an extended period of time. The assailants were obviously more talented and capable than a couple teenagers working over a weekend. Implication: TJX's layers of security were not easy to defeat.

Further, the assailants had to train some kind of telescope antenna on a store from a distance in order break into the wireless. (Joseph Pereira, “How Credit-Card Data Went Out the Wireless Door,” Wall Street Journal, May 4, 2007, A1). The implication: TJX had physical security. It would not let just any bum walk into a store and start physically messing around with computers.

I am confident a complete report on TJX would show it had many security measures. March 28, 2007, TJX filed a 10-K with the SEC saying or implying it had (during time of the break-in) many security layers (including liberal use of encryption), many of which the patient criminals eventually defeated.

Punishing Honest, Good Faith Mistakes

Did TJX make mistakes? Probably so. But they were honest mistakes. Legally speaking, an honest mistake should not be “unfair” as the FTC claims.

If the FTC is serious about punishing honest mistakes, then to be consistent, it must get much more deeply involved in the topic of credit card security. The whole credit card system is rife with honest mistakes. Why doesn’t the FTC investigate credit card systems as whole systems? Where is it written that credit cards, as presently designed, could not be improved from a security perspective? Criminals defeat the credit card systems every day. Why, therefore, are the systems not "unfair" by the FTC's standard?

The National Retail Federation advocates that the credit card system be changed so that transactions require PINs. PINs would reduce credit card abuse. Why, therefore, doesn't the FTC open an investigation into whether the failure to require PINS constitutes "unfairness" to consumers?

What purpose does the FTC serve by singling out TJX when other components in the credit card system are equally if not more weak?

FTC implies that if TJX will just implement a bunch of PCI-style controls (and submit a bunch of paperwork to the government), then TJX’s unfairness will be remedied. But the fundamental problem will remain at TJX and other retailers. A serious school of thought says PCI is not enough to defeat professional criminals.

(Update: Joel F. Brenner, the top US counterintelligence officer say, "Pretty small but intelligent criminal organizations all pulling off transnational, multicontinent heists that only a foreign intelligence service would have been able to do a few years ago." Gorman, "Credit Card Fraud Found in Europe," Wall St. Journal, Oct. 11-12, 2008. Criminals are embedding snooping devices into point of sale card readers.)

FTC's action is out of touch with the genuine security problems facing credit cards.

Perfect security cannot be achieved in a merchant's IT system at an economically acceptable cost. For a business as complex as TJX, it will always be true that even after you implement a lot of security, it might not be enough. The only way for a big retailer to eliminate credit card security risk is to either shut down or spend an insane amount of money on security. All retailers, therefore, must take calculated risks.

Point number 4: To take a calculated risk is good, not bad! The FTC is wrong to punish merchants that take calculated risks.

FTC is attempting to serve the public’s best interest. But the agency made an honest mistake. It needs to rethink the legal concept of “unfairness” with respect to credit cards, and it needs to rescind its TJX settlement.

For more on this, see my earlier article on FTC and TJX.

Update: I explain how August 2008 indictments of TJX hackers put FTC's treatment of TJX into perspective.

Update March 2009: National Retail Association argues that the PCI is ploy to shift risk from banks and card companies and onto the shoulders of others such as retailers.

--
Mr. Wright teaches the law of data security and investigations at the SANS Institute.