[Dataloss] Off-topic: TJX perspective

Al Mac Wheel macwheel99 at wowway.com
Thu Dec 27 15:03:35 UTC 2007


"Did TJX do what was reasonable and appropriate at the time it did it?"

As they discovered they had various problems, did they take the prudent steps 
that we should expect of any organization in the same situation?

http://www.eweek.com/article2/0,1895,2240150,00.asp?kc=EWKNLRET122707FEA1
[...]

The core problem with the TJX cases is that the lawsuits wanted to accuse 
TJX of something that is not illegal in any state. They wanted to hold the 
retailer liable for not properly protecting consumer credit card data. But 
there isn't anything on the books in any state or the federal government 
that requires that. Some industry efforts, most notably the PCI DSS (Payment 
Card Industry's Data Security Standard), seek to require it, but those 
efforts have no muscle, other than the ability to deny a chain the right to 
accept the cards for payment.

[..]

One of TJX's defenses has been that its security wasn't materially worse 
than any other retailer of similar size. Sadly, it's a true point.

[..]

(I'm still waiting for an explanation of how intrusions continued to happen 
for multiple years before they were detected.) But I am pointing out that 
security investments are among the most difficult decisions and we need to 
be careful before criticizing those decisions.

[..]

Bigger chunks of coal need to go to state legislators and the U.S. House 
and Senate for failing to pass any laws protecting consumer data (although 
Minnesota got quite close).

[..]

TJX theorized, correctly, that any breach wouldn't cause any impact on sales, 
as consumers (protected by the card brands' zero-liability deals) would 
stand by it. With that regrettable fact out there, it would have been 
extremely difficult for TJX to have justified spending much more than it did.

-
Al Mac