FTC treats TJX Unfairly . . . Compare Hannaford & Okemo

Is PCI Non-Compliance Legally Wrong?

What is Reasonable Computer Security for Credit Card Data?

The Federal Trade Commission should rethink the law of credit card data security applicable to merchants like TJX. As a consequence of the data security breach TJX disclosed in 2007, TJX and the FTC entered a settlement requiring TJX for the next 20 years to engage in an expensive, government-supervised data security program. The program entails the maintenance of controls and extensive paperwork reporting about those controls to the FTC.

According to FTC, the grounds for its action against the retailer were that TJX had engaged in "unfair practices" in violation of Section 5(a) of the Federal Trade Commission Act, 15 U.S.C § 45(a).

The "unfairness," according to the FTC, was that TJX collected private credit card information from consumers, but failed to use adequate security procedures to protect it. This resulted in compromise of tens of millions of credit card accounts. By declaring that TJX was "unfair," FTC implied TJX had been bad. In other words, FTC found the TJX incident was worse than just unfortunate or embarrassing. It was the result of punishable culpability by TJX.

Note what the FTC did not allege about TJX. The FTC did not allege TJX engaged in a "deceptive trade practice" in violation of Section 5(a) of the FTC Act. An example of deception is for an enterprise (like ChoicePoint) to tell individuals it will secure their data, and then fail to do so.

Further, the FTC did not allege TJX was utterly inattentive to security. The FTC essentially said TJX was unfair because it was not secure enough . . . not secure enough to defeat the sophisticated criminal organization that broke into it. And the FTC said the remedy for this unfairness is that TJX should implement security controls, more or less like the PCI-DSS (Payment Card Industry Data Security Standard). The implication: if a merchant follows the PCI, then it has achieved "fairness."

Compare what FTC just said to TJX with what happened at retailer Hannaford. Hannaford announced that 4.2 million credit card numbers were stolen from it, but Hannaford says it was PCI compliant during the time in question! Apparently the hackers tapped fiber-optic cable that "security experts had believed was secure."

Further, Okemo Mountain Resort, a Vermont merchant, says it complied with PCI, but was still broken into. Pereira, "Credit Card Security Falters," WSJ, Apr 29, 08.

The Hannaford and Okemo experiences suggest PCI compliance is not enough to defeat the talented criminal gangs assaulting the credit card system today. In other words, compliance with controls like those FTC imposed on TJX is not enough to protect credit card data.

The reality may be that it is impractical for merchants to protect credit card data from the criminals who broke into TJX and Hannaford and Okemo. If that is true, then TJX did not engage in unfairness. It was a victim of criminals who are swiftly becoming more powerful.

In essence FTC said TJX was an unfair bad guy because it could not keep up with the hackers. But by that standard, is not the entire credit card system "unfair?" Instead of picking on particular players like TJX, why doesn't FTC investigate the credit card systems as a whole (Visa, Mastercard, American Express et al.) and probe whether credit cards are inherently "unfair" to consumers because criminals can defeat the systems? Why doesn't FTC require each of the systems to devise better designs and controls so consumers are no longer subjected to the "unfairness" of the systems as presently designed? (See this post on alternative ways to authenticate credit card users and transactions.)

My point is that TJX was not "unfair." It was unlucky. Its defenses were similar to those of many (most) of its peers at the time. They too would have fallen had they been subjected to the same criminal blitzkrieg. And during the time in question, the PCI was vague, relatively new and subject to wide interpretation and debate. (It still is.) The same is true for the controls FTC just imposed on TJX.

FTC is well-meaning here, but it is misdirected. By singling out TJX and chastising it with the "unfairness" "bad guy" rhetoric, FTC distracts the necessary public conversation. It implies that if we can just punish these lazy merchants enough (and force them to comply with PCI and similar controls), then credit cards will be safe. That's wrong.

The criminal warfare directed at the credit card system is more powerful than the theory behind PCI. The whole credit card system needs to change. As a society we need to focus on beating the criminals, and stop flogging victims like TJX as unfair privacy infringers.

(I have posted more remarks on TJX and FTC.)

Update: I explain how August 2008 indictments of TJX hackers put FTC's treatment of TJX into perspective.

Update: Many of TJX's peers did, apparently, fall victim to the same blitzkrieg as TJX. Prosecutors say the gang that broke into TJX also broke into 8 other large retailers, though some of those retailers cannot confirm their defenses were breached. Pereira et al., "Some Stores Quiet Over Card Breach," WSJ, Aug 11, 08, B1.

Further Update: September 2008 prosecutors say the TJX hackers broke into "numerous other businesses" in addition to the 8 previously disclosed. Ross Kerber, "Hacker pleads guilty in breach," Boston Globe, Sept. 12, 2008. Therefore, TJX was not unusual; TJX was no weaker at the time in question than was standard and common in the retail industry. Query whether FTC will open investigations of all these other retailers and claim they were "unfair" also.

Update March 2009: Heartland Payment Systems maintains that an auditor confirmed it was PCI compliant a mere month before hackers broke into the company and stole credit card data. Visa investigated after the fact, and Visa has tried to say that Heartland was not PCI compliant. But PCI expert David Taylor observes that if the goal of an investigation is to determine that an organization is not in compliance, then the goal is easy to achieve. Perfect data security never exists in practice.

Trade Secret Web Terms

Legal Protection for Intellectual Property on the Internet

IP Enforcement by Contract

Trade secret law says that if a business takes reasonable steps to keep a valuable idea a secret, then it can prevent someone (like a competitor) who misappropriates the idea from using it. And conventional thinking says that if the idea is published on the web without password protection, then the idea is public and not secret.

But conventional thinking lost in Silicon Image v. Analogix Semiconductor Case 3:07-cv-00635-JCS, Federal District Court, Northern District of California. The court ruled that a secret posted in an obscure way (in Chinese, where it was unclear that all of the components of the secret had been posted) on an obscure web page is still a secret.

Given that principle, here’s a practical EULA (end user license agreement) idea. The owner of a secret might post it on a web site so that, for example, prospective customers could see it. But the owner might publish terms that state:

* the secret is confidential

* anyone accessing the secret agrees and consents it is a secret that can be used only in accordance with the terms (i.e., to advance a customer relationship but not a competitor relationship)

* anyone accessing the web site agrees not to do so for the purpose of accessing or misappropriating the secret in violation of the terms

By publishing terms this way, the owner will assert it is taking reasonable steps to protect the idea's secrecy.

When you encounter important legal terms on the web, how should you preserve evidence of them in case there is a question in the future? As I explain in another article, one idea is to authenticate a copy of the terms with a voice signature.

Must a Robot Warn You Before It Records You?

The designers of robots and cybernetic systems (like Google Glass) will naturally enable the systems to record events.

But records have legal risks.

Laws Against Recording of Voice Conversations

Caution with Audio

Records that are too intrusive can creep people out, and legislatures have responded. To regulate the recording of human activity, many anti-surveillance laws have accumulated over the years. In the US the laws are complex, and vary by locale.

One general rule of thumb: to record a voice conversation without first getting the consent of each party to the conversation can be legally dangerous. In Pennsylvania, for example, one is generally forbidden from recording a voice conversation unless all the parties to the conversation consent.

Example: Ex-wife planted an audio recorder in a teddy bear and collected evidence of a father talking to a child. In a child custody case, the judge rejected the evidence because neither of the parties to the conversation (father or child) consented to the recording. Todd Cooper, "Custody case tip: Don't bug kid's teddy bear," Omaha World Herald, January 7, 2008.

Visual Recording and Consent

A second rule of thumb: privacy laws place few restrictions on visual recording (such as with video) of people in public. A third rule of thumb: the more that you get consent from the subjects of your recording, the less is your legal danger.

In the application of these rules, much depends on whether the subject of recording had a reasonable expectation of privacy.
Anti-Stalking Law

The operator of an aggressive recording system runs another legal risk: excessive, creepy recording may amount to illegal stalking.

Legal Notices and Warnings

Given the present state of law, a common practice for property owners is to record activity on their premises with video cameras but not audio recorders. Property owners are wise to post notices around the premises warning people that video cameras are in operation. The notices largely serve to obtain consent from visitors, for if visitors do not wish to consent they can leave the premises.

So what are the rules if a robot encounters a stranger on the street? It is quite possible the bot would possess the means to record the stranger's appearance, actions and words. If the bot does this, would its owner be violating the law? Due to the risk that the answer is yes, robot owners have to be careful.

Privacy Warning Posted on Robot

Maybe robots (or drones or cyborgs) could communicate privacy warnings. Maybe a written notice could flash somewhere on the bot, or maybe the bot could emit an audio notice: “Warning. If you approach me, I will make a video and audio recording.”

Suppose a robot with video capability is operating in a non-public space, such as a hallway in a building, and there are no notices warning visitors that they might be subject to video surveillance. When the robot encounters a human, it may need to either shut off the video, or obscure the human's image in the video record.

Record Lots of Data Other Than Audio from Voice

Given the law’s special disfavor for the recording of conversations, the designers of robotic (and cybernetic) systems will have reason to eschew recordings of the words that come from a human mouth. Therefore they may design their systems to record other data about interaction with strangers, such as the stranger’s odor, temperature, velocity, posture, chemical profile or non-conversation sounds. Legislation prohibiting these kinds of recordings is less common.

--

Mr. Wright teaches the law of data security and investigations at the SANS Institute.

Related: 1. See my previous post with suggestions on how people might use contracts and notices to protect themselves from undesirable snooping or other behavior by robots or cybernetic systems.

2. The Electronic Frontier Foundation advocates that federal privacy laws be revised to prohibit secret video recording of people in private places, i.e., any place (such as a home) where a person would not reasonably expect to be photographed.

3. Google Glass proposes to record what the wearer is seeing and hearing. Maybe it needs to be outfitted with a light that warns bystanders that they are being recorded.