The following text is copyright 2007 by Network World; permission is hereby given for reproduction, as long as attribution is given and this notice is included.
TJX: a case study in what to do wrong
By: Scott Bradner
Last week I wrote about what TJX had done wrong leading up to the recent widely reported security lapse. (http://www.networkworld.com/columnists/2007/012207-bradner.html) This week's column is about what TJX has done wrong since the lapse was discovered.
In spite of full-page ads in the Boston Globe and Herald in the last two days, the extent of the security lapse is still not known, since TJX has steadfastly refused to provide any concrete information. The lack of information provides fertile ground for speculation -- for example, published reports last week that up to 30% of all New Englanders may have been impacted. On January 26th TJX announced that it had hired John Gilbert, formerly with Dunkin' Donuts, as its new chief marketing officer. Maybe John is smart enough to understand that stonewalling is the worst possible reaction to a problem. Everything will come out in the end; in this case it may come out with the president of TJX testifying on national TV in front of Congress. It is far better to provide more information than is being asked for, so it does not look like you are covering up.
Maybe TJX feels it cannot do this because it is covering up. Originally TJX maintained that it delayed making a public announcement at the request of law enforcement, only to later admit that delaying the announcement was in part a "business decision," and now, in the ads, it says the delay was "in the best interest of our customers." Yeah - the best interest of their customers was to keep them in the dark until they finished their Christmas shopping -- sure! In the end TJX only admitted to any problem after the first Wall Street Journal report.
TJX has still not said how many cards were exposed, yet some information must exist, since banks are quite busy contacting their customers and replacing cards (including my wife's). At the very least TJX could tell its customers, you know, the folks whose trust it has to retain in order to stay in business, what TJX told the banks. Delaying will increase rather than decrease the pain when the numbers do come out.
Unlike most organizations that have had similar, although far smaller, breaches, TJX has not said it would protect its customers by buying credit watch services for them. I expect it will have to do so at some point, but because it is delaying so long it will be clear that protecting its customers has not been a concern for TJX and that it only does so when forced into it.
TJX has not admitted that it was not compliant with the PCI security standards (https://www.pcisecuritystandards.org/), nor has it committed to becoming compliant, even in the new ads. Visa's security requirements say that merchants of TJX's scale had to be compliant with the security standards by September 30, 2004. If Visa had any courage it would give TJX a short fixed period of time to become compliant (say 30 days from the breach discovery) or be stopped from accepting Visa cards.
The PCI standard requires merchants to "limit storage amount and retention time [of cardholder data] to that which is required for business, legal, and/or regulatory purposes." TJX has not said that it has destroyed, or will destroy, the data it retained in excess of this standard.
In short, TJX has said squat of any consequence. They are being and will continue to be raked over the coals for that. It would have been so easy to do what Johnson & Johnson did after the 1982 Tylenol murders - get in front of the issue and stay there. (http://en.wikipedia.org/wiki/Tylenol_scare) But TJX decided to hide its head in the sand instead - a very poor decision but a good case study in what not to do.
Disclaimer: I can only guess whether the Business School will actually develop a case study about TJX or what one would say, so the above review must be mine.