robert_cringely
Columnist

True Lies and Data Breaches

analysis
Oct 24, 2007 (4 min read)


Arnold Schwarzenegger was always better in the bad guy roles. Now it seems he’s gone back to his strengths.

Earlier this month the Governator terminated the Consumer Data Protection Act (AB 779), a law designed to force California merchants to follow good data security practices and, when they don’t, make them financially responsible for cleaning up the mess.

This piece of legislation passed the California legislature by an overwhelming margin only to get shot down by Ahnuld, who apparently does not shop at TJ Maxx, Marshalls, or any of the other budget emporiums owned by The TJX “our data security is as cheap as our prices” Companies. It was the TJX data fiasco that inspired the legislation in the first place.

The back story: Two years ago, a group of enterprising hackers camped out in a parking lot outside a Marshalls store in Minnesota, cracked the paper-thin WEP encryption on the store’s wireless network (a scheme that had been publicly broken, with working tools, years before), and began siphoning off credit card numbers. Tired of shopping retail, they went wholesale, planting keyloggers inside TJX’s central systems to capture employee logins, setting up their own TJX accounts, and pulling customer information direct from the source.

When they were done, they’d stolen at least 45.7 million credit card numbers, a new high (or low) in the world of consumer data breaches. The actual count could be much higher, though we’ll never know exactly how high; TJX deleted most of its records before the company realized it had been hacked. The hackers left a bunch of their own files on TJX’s network, but TJX can’t read them because they’re encrypted.

In other words, TJX didn’t know or care enough to encrypt its records, but the hackers did.

The depth of TJX’s stupidity is hard to fully describe (though the Wall Street Journal did a fine job of capturing it here). Unfortunately, TJX is not all that unique. Many retailers are having a hard time implementing basic security measures.

Arnie says the law is too big a burden on small merchants, and that the credit card industry already has its own data security guidelines, the Payment Card Industry Data Security Standard (PCI DSS). The old ‘industry self-regulation is better’ argument rises again, like a cybernetic assassin after it’s been steamrolled by a semi.

The flaw in Arnie’s ointment? The PCI DSS was created when the five biggest credit card brands merged their separate security programs into one standard in December 2004. But TJX got hacked in July 2005, and it didn’t even realize it was hacked until December 2006. So much for self-regulation.

Personally, I think a cash disincentive for screwing up is a good thing. Small merchants with low sales volumes get a smaller disincentive, big merchants who hand customer information to hackers on a silver platter (or in TJX’s case, a cheap plastic one) get hammered. This is unfair?

Companies that violate the PCI DSS can get fined for infractions, but exactly who imposes the fine and how much the guilty parties have to pay is shrouded in secrecy. Of course, TJX will pay in other ways. It’s proposed a $200 million settlement to compensate consumers for identity theft, but mostly in the form of store vouchers and a three-day ‘customer appreciation event’ next year. That’s like mugging somebody, then offering to take them to dinner using the money you just stole from them.

TJX is being sued by banks that don’t like paying $25 per customer to replace their credit cards because the retailer couldn’t be bothered to upgrade its Wi-Fi security. The FTC might also levy a fine at some point. Still, this would all be a lot simpler, and involve fewer attorneys, if there were a law that said: you spill that data, you pay for cleaning it up. Oh right, there was one, but somebody killed it.

This isn’t over. The bill passed with a veto-proof majority and will likely return in altered form. A Federal version of the same bill may appear eventually. As in Hollywood, stories this compelling always produce a sequel.

Or to quote an aging movie icon: I’ll be bock.

Got more tales of brain-dead data breaches? Spill them here or contact me directly. Cool swag could be yours.