Federal Trade Commission Misunderstands Card Data Privacy.
Rethink PCI Law.
The TJX credit card data break-in is reputed to be the largest in history. On the heels of the incident, many credit card issuers replaced cards believed to be compromised. Replacing cards is expensive (not to mention disruptive to consumers), and many card issuers demanded, through lawsuits and otherwise, that TJX reimburse them. In December 2007, TJX settled one class action lawsuit with issuers of affected VISA cards, agreeing to pay $41 million. Dow Jones Newswires, "TJX Gets Over 95% Acceptance Of VISA Settlement Agreement," December 20, 2007. In May 2008, TJX said it had support for a settlement with Mastercard issuers for $24 million.
The Federal Trade Commission concluded that TJX had maintained inadequate controls to protect credit card data and had therefore committed unfair trade practices. Consequently, the Commission has punished TJX by requiring it to adopt new controls (in the vein of the PCI - Payment Card Industry Data Security Standard) and file extensive paperwork with the government for years to show that the controls are in place.
That's the background. Now think about this . . . In August 2008, federal authorities announced indictments of the ring of criminals at the heart of the TJX heist. The ring had stolen data from both TJX and many other retailers. According to authorities, the criminals used stolen data to withdraw tens of thousands of dollars at a time from automated teller machines. Their ATM withdrawals added up to hundreds of thousands of dollars.
Further, last year six people were convicted in Florida for using data, apparently stolen from TJX, to buy gift cards and goods worth AT LEAST ONE MILLION DOLLARS. Jon Swartz, "11 Charged in TJX Identity Theft," USA Today, August 6, 2008.
Do you see an imbalance here? TJX settles with VISA & Mastercard issuers for $65 million, whereas the actual reported fraud is only a tiny fraction of that amount. Further, when card issuers canceled all those cards, they alarmed and inconvenienced millions of cardholders to excess.
To be sure, a final accounting for the TJX fraud has not been made, at least to the public. However, public information suggests the costs incurred to cancel cards far exceeded the true magnitude of the TJX break-in.
In other words, the credit card issuer industry over-reacted. After being notified about TJX, the industry erupted in a spasm of card cancellations on the assumption that unauthorized access to data at a retailer is, per se, a catastrophic event. [The industry's total costs probably far exceeded $65 million, as TJX's settlements with the banks were perceived as "low" and a "bargain" for TJX. Regarding the VISA settlement, one industry expert said, "$40 million doesn't begin to cover the true exposure" to losses caused by card cancellations. Further, one lawsuit against TJX, led by Amerifirst Bank, continues because the bank contends the losses caused by card cancellations are much more than what TJX has agreed to pay.]
The Federal Trade Commission also over-reacted. The FTC proceeded on the notions that data security at a merchant is, in and of itself, paramount to protecting consumers and that a merchant perceived to have fallen short is a bad guy (a privacy infringer) who warrants government-sponsored punishment.
The knee-jerk reactions by card issuers and FTC failed to appreciate how robust the credit card system actually is. The multiform layers of controls in the system make it very hard and dangerous for criminals to capitalize on data stolen from a merchant.
The credit card industry needs new methods to make the reaction to a cyber attack balance with the magnitude of the actual risk. Card issuers could, for example, react to a hacker break-in with tighter software controls on suspect accounts, emphasizing fraud detection, foreign transaction blocks and enforcement of transaction limits.
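The proportionate response sketched above, as an added illustration that is not part of the original article: an issuer flags the accounts seen at a breached merchant and applies tighter authorization rules to those accounts only (foreign transaction block, per-transaction limit, daily limit), leaving unaffected cards and ordinary domestic spending alone. Account numbers, country codes, and the limit values are constructed for the example.

```python
from dataclasses import dataclass, field
from collections import defaultdict

HOME_COUNTRY = "US"             # assumed issuing country
FLAGGED_TXN_LIMIT = 500.00      # constructed per-transaction cap for flagged accounts
FLAGGED_DAILY_LIMIT = 1500.00   # constructed daily cap for flagged accounts


@dataclass
class Issuer:
    """Authorization rules for an issuer that tightens, rather than cancels, suspect accounts."""
    flagged: set = field(default_factory=set)
    daily_spend: dict = field(default_factory=lambda: defaultdict(float))

    def flag_from_breach(self, accounts):
        # Accounts reported as exposed at a merchant get the stricter rule set.
        self.flagged.update(accounts)

    def authorize(self, acct, amount, country, day):
        # Unflagged accounts follow normal processing (approved here for simplicity).
        if acct not in self.flagged:
            return "approve"
        if country != HOME_COUNTRY:
            return "decline:foreign_block"
        if amount > FLAGGED_TXN_LIMIT:
            return "decline:txn_limit"
        key = (acct, day)
        if self.daily_spend[key] + amount > FLAGGED_DAILY_LIMIT:
            return "decline:daily_limit"
        self.daily_spend[key] += amount
        return "approve"


def run_demo():
    """Run a constructed batch of transactions; returns one decision per transaction."""
    issuer = Issuer()
    issuer.flag_from_breach({"4111-0001"})  # constructed account id seen at the breached merchant
    txns = [
        ("4111-0001", 80.00, "US", "d1"),     # normal domestic purchase on a flagged card
        ("4111-0001", 900.00, "US", "d1"),    # exceeds per-transaction cap
        ("4111-0001", 80.00, "XX", "d1"),     # "XX" = constructed foreign country code
        ("4111-0001", 450.00, "US", "d1"),    # running daily total 530
        ("4111-0001", 450.00, "US", "d1"),    # 980
        ("4111-0001", 450.00, "US", "d1"),    # 1430
        ("4111-0001", 100.00, "US", "d1"),    # would reach 1530, over the daily cap
        ("4111-0002", 2000.00, "XX", "d1"),   # unflagged card, untouched by the rules
    ]
    return [issuer.authorize(*t) for t in txns]


if __name__ == "__main__":
    print(run_demo())
```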
The FTC, albeit well-meaning, has been particularly unhelpful. It has fixated on castigating one segment of the payment card system – i.e., merchant data security – in a manner that is out of proportion to the segment's role in managing card security risk. The FTC should be more thoughtful and less emotional in its leadership here. The Commission should be much less quick to conclude that the merchant victim of a sophisticated criminal gang is itself a bad guy who engaged in unfair trade practices.
[Update: According to USA Today, October 23, 2008, the indictment of alleged hacker Albert Gonzales claims he amassed $1.6 million in booty. Gonzales was allegedly central to a hacker ring that stole card data from many merchants, TJX being only one.]
Mr. Wright is senior legal issues instructor at the SANS Institute, where he stresses good public communications in response to data security incidents.
[My videos allude to the memorable Dr. Evil, in the movie Austin Powers: International Man of Mystery. In the movie the melodramatic Dr. Evil (played by comedian Mike Myers) speaks this way to say he will hold the entire world ransom for a mere "one m-i-l-l-i-o-n dollars".] Another article I posted on TJX appears here.