Despite the recent TJX security breach, it is natural to conclude that companies will continue to ignore the seething vulnerabilities that lead to massive thefts of sensitive information. Most companies have been slow to react to other highly publicized exposures of personal information from the past two years.
It's easy to point to the VA's lost laptop, the stolen credit card numbers at DSW or the ChoicePoint hacking incidents. The incidents were hailed at the time to be watershed events for information security, but they weren't. The incidents were expected to alert and motivate companies to address the critical need to protect customer and personal data, but they didn't.
The reaction to the breach at TJX may prove to be different. For unique reasons, this breach may trigger major changes in the approach to information security throughout retail and other industries.
First and foremost, the TJX breach could have been avoided.
Implementing an information security system can be a difficult task, but standards, best practices and new technologies have emerged to guide and assist companies. For example, in the case of credit card data, the Payment Card Industry's (PCI) Data Security Standard specifically dictates when data should be encrypted and ultimately destroyed when no longer needed. Credit card companies are beginning to enforce this standard; this publication recently reported that Visa fined companies millions of dollars last year for non-compliance with the PCI rules.
The solution to avoiding future occurrences in retail environments is clear: companies must implement a multi-layered defense that secures information from the moment it is created and wherever the information resides. The defense must be based on both people and technology, and it must rely on strong encryption at its core. Strong encryption is absolutely essential to protecting sensitive data in retail environments. According to TJX's recent 10-K filing, encryption problems contributed to the breach of its customer data.
Unfortunately, encryption is not ubiquitous because of traditional obstacles to using the technology. Advanced software can effectively overcome these obstacles, but leading retail companies are only now beginning to deploy such software in their credit card processing systems. Also, when encryption is used, it is often implemented in a weak (and therefore vulnerable) manner.
For example, evolving industry best practices dictate that companies should use separate encryption "keys" for every credit card number under their control, and these keys should always be stored securely. Encryption is akin to physical locks on doors, and encryption keys are akin to the physical keys capable of opening those doors. Despite the best practices, many credit card processing systems use only a single encryption key to secure all "doors" in all stores, and many keys are freely available to those who simply know to look under the appropriate doormat.
The time has arrived for all retailers to invest in new security software to address these issues. Two years ago, the analyst firm Gartner issued a research note indicating that the price of encrypting data could run as little as $6 per customer account compared to a cost of at least $90 per account when data is compromised during a breach. The note concluded, "Protecting your data is well worth the investment — with or without Payment Card Industry compliance requirements."
The cost of securing data has dropped sharply since then, while the level of protection afforded by encryption has increased dramatically. The price of remediation is as high as ever, however, as TJX is learning painfully.
Fallout from the TJX breach may lead to broad changes in security practices throughout the industry. The loss at TJX is the largest information security breach ever publicly announced. More than 45 million credit card and debit card numbers may have been exposed over an 18-month period. As such, the TJX breach affects a significant percentage of American, Canadian and British families.
Compared to other recent data security incidents, the TJX incident has spawned significant legal action. In its 10-K filing last week, the company disclosed that 19 independent class action lawsuits have already been filed against TJX in the United States and Canada. In addition, a group representing the attorneys General from 30 states has launched an investigation of TJX, as have the Federal Trade Commission and three privacy agencies from Canada. It will require much time and money to defend the company against these actions. TJX said that it already has incurred over $5 million in costs to respond to the incident, and the amount over the next two years will be much larger.
Beyond the direct costs, the potential loss to TJX's corporate reputation may be substantial. Unlike ChoicePoint, which had virtually no visible presence in the communities it served, TJX operates more than 2,400 stores as a frontline retailer. Few areas do not have a T.J. Maxx or Marshall's nearby, and potential customers will be reminded of the headlines every time they pass a storefront.
Lastly, the breach could lead to a fundamental change in accountability across the entire retail industry. A bill under consideration in Massachusetts would force retailers (instead of banks) to pay fraud-related costs, such as credit card re-issuance fees, in the event of a data breach.
This time, it may be different. Retailers should reflect on the TJX headlines and determine what they must do to avoid similar incidents in their own companies. The headlines will not be ignored. Nor should they be.
- J. Patrick McGregor is president and chief executive officer of BitArmor Systems, an enterprise encryption vendor based in Pittsburgh, Pennsylvania.