
Leadership Lab: Information Technology and the Law

This series of essays explores the many aspects of technology law relating to computer and information security.


Data Thefts - Give the Public the Disclosure It Seeks

March 22nd, 2007
By Benjamin Wright, JD


Lawyers advising an enterprise suffering a data security breach tend to have a circle-the-wagons mentality. They go on the defensive. They fear that lawsuits and government investigations will force their client to pay damages and fines. So they advise the client to clam up and say the least possible about the incident. But this defensiveness can make matters worse.

In our society, a host of different players have the prerogative to weigh in on the compromise of consumer data (Social Security or credit card numbers). And consumer privacy is a politically hot topic. So when a data break-in becomes public knowledge, a swarm of politicians, publicity-seekers and self-appointed public guardians enters the limelight, denounces the victim enterprise and seeks to extract money from it.

That has been the case for TJX, owner of retail stores including T.J. Maxx. Since TJX disclosed the theft of credit card data in January 2007, consumers, legislators, journalists, bank executives, plaintiff lawyers, trade associations and state attorneys general have taken the public stage to remonstrate against the company. Class action lawsuits have been filed on behalf of both TJX customers and banks that have incurred costs canceling the credit cards of those customers. Multiple official investigations have been initiated, the most recent being by the Federal Trade Commission.[1]

All of this could be very expensive for the company. For example, if the FTC finds wrongdoing on TJX's part, it could fine the company and force it to implement costly security procedures, such as annual audits that must be submitted to the FTC. The FTC imposed such sanctions on ChoicePoint, including $15 million in civil penalties and consumer redress.

This swarming behavior around IT security breaches is a relatively recent phenomenon. It reflects the public's frustration with identity theft and the authorities' desire to show they are "doing something" about it.

But identity theft and credit card fraud are much more complex than just the security of payment records in a merchant's IT system. There is more to this story than simply whether TJX is a bad guy and whether it failed to secure data. Successful credit card thievery depends on a long chain of events in the payment system.

But by being defensive, TJX focuses all the attention on itself. It incites the swarm. By being tight-lipped about the break-in and its implications, TJX makes the swarm all the more vocal in demanding that the company come clean on what happened and be held accountable.

For example, when the chairman of the Massachusetts Credit Union League publicized a letter rebuking TJX for its security failure, the company "declined to comment."[2] In public discourse, "no comment" in reply to stinging criticism sounds like an admission of guilt. It is disastrous for a company's reputation.

TJX could mollify the swarm by being more forthcoming. It could better acknowledge the swarm's concerns, while gently urging a more complete understanding of credit card fraud.

For example, in January Congressman Ed Markey called for the FTC to investigate TJX. But "a spokeswoman for TJX declined to comment on Markey's remarks."[2] Six weeks later the FTC did announce an investigation. It was inevitable that this investigation would come.

TJX would have done itself a favor, back in January, if it had publicly welcomed the congressman's call. It could have said, "We agree with Congressman Markey that the FTC could help. We invite the FTC to come in today and join our internal investigators. And we hope the government investigates all aspects of the credit card industry's security problem. The problem is more than just loss of data." Had TJX said this in January, there would have been no embarrassing story in March about the FTC having to open an investigation into the company.

But this forthcoming approach to investigations and critics runs contrary to the instincts of trial lawyers. Lawyers tend to focus on winning and losing in the courtroom, but that is often less important than appearing to be a responsible corporate citizen in the eyes of public opinion.

We discuss these and related issues in greater depth in the course I author and teach, LEG425, Applying Law to Emerging Dangers.[3]

==

Benjamin Wright is an attorney based in Dallas, Texas, and instructor for a series of courses on IT security law, promoted by The SANS Institute.

This article provides general education and not legal advice for any particular situation. If you need legal advice, you should consult your lawyer.

===

1. Larry Greenemeier, "FTC Launches Investigation Of T.J. Maxx Parent Company," InformationWeek, March 13, 2007, http://www.informationweek.com/news/showArticle.jhtml?articleID=198000608.
2. Jenn Abelson and Ross Kerber, "Markey calls for FTC probe of TJX: Bank files lawsuit as pressure rises over data breach," The Boston Globe, January 31, 2007, http://boston.com/.
3. SANS Institute, LEG425: Applying Law to Emerging Dangers, http://www.sans.org/training/description.php?tid=862.