TJX - The Aftermath
As I was doing some research for an upcoming article, I contemplated why there wasn’t more adverse public reaction to the whole TJX thing. Sure, the press jumped on it, and there was a lot of discussion in the electronic payment industry, but the fact is that there just wasn’t much hoopla in the public sector.
But this was a very serious breach. The biggest in the history of credit cards. and yet the stock market effect was minimal, people continue to shop there, and beyond some initial adverse reactions to the lack of apology and poor response it’s business as usual. ¬ÝI’m not sure why but I’d hazard a guess that it’s got a lot to do with a lot of “What’s in your wallet” advertising. ¬ÝThe general public knows they aren’t going to be held responsible for fraudulent use of their cards so they just don’t care.
There are actually several reasons for the lack of public pushback. As you correctly point out, the zero liability plans from the credit card companies plays a huge role.
July 9th, 2007 at 8:37 amBut other roles are probably just as influential:
1) Media coverage. Those of us who track the retail technology space have a distorted media perspective. Headlines in the tradepress and some business publications have been numerous. But if you limit your reading to consumer dailies–even the major metro ones, such as the L.A. Times, the Chicago Tribune, the Philadelphia Inquirer, Miami Herald, Detroit News, etc.–you would have seen a story on the front of the business section from time to time, but that’s it. For the daily newspaper-reading consumer, it was a VERY easy story to miss if you weren’t already focused there (which most consumers aren’t).
Sadly, many consumers do not read their regional daily. If their news comes solely from television and radio broadcasts, the TJX reports were even more scarce, although they were out there. Again, they were very easy to miss.
What if they relied on the Internet for their news? TJX rarely made the homepage story for Yahoo News and other consumer media sites. If you had preset search terms dealing with TJX or retail security or credit card security, you would have seen a lot, but few consumers would have done so. (Web news is quite good at telling people about the topics they care about, but much less effective for telling them things they didn’t expect, until then the two six news stories of the day.
And, of course, many Americans see little to new news at all on a regular basis.
In short, a lot didn’t know about it.
2) The TJX Name.
Even for those who had heard about the TJX coverage, most of the stores do not trumpet the name of the corporate parent. TJMaxx’s name is slightly different. Beyond that, of the handful of consumers who HAD heard about–and remembered–the coverage of TJX’s troubles, how many connected it with Marshalls, HomeGoods, A.J. Wright, Bob’s or their other branded stores? If the breach had been with CircuitCity–which uses CircuitCity as the name for all of its stores–the results MIGHT have been slightly different.
One reaction to the TJX situation was the passage of a law in Minnesota,and attempts to pass similar bills in other states, that imposes much more liability on merchants. The MN bill (CHAPTER 108– H.F.No. 1758, effective 8/1/07 and 8/1/08) makes a merchant liable for retention of data contrary to law, including data retained by its service provider (payment card processor). That liability includes, among other things, liability for any fraudulent charges made to the card. The MERCHANT is liable for any fraudulent charges made on a customer’s card as a result of a data breach of the merchant’s service provider if the service provider retained certain specified data subsequent to authorization. Suppose a merchant’s provider retained such data, there was a breach that was not discovered for some time, the issuing financial institution did not have fraud prevention checking in place, and the card holder did not become aware of the problem until the card was maxed out. The merchant is responsible for all those charges. Why in the world would any merchant accept a card from a Minnesota resident under those conditions? The merchant risk for a minor purchase is potentially thousands of dollars.
October 16th, 2007 at 10:58 amI’d heard of the British army a laptop containing soldiers personal data http://news.bbc.co.uk/1/hi/uk/7197628.stm
the UK driving licence records going missing in the US http://news.bbc.co.uk/1/hi/uk_politics/7147715.stm
and our tax authority losing 25 million child benefit records http://news.bbc.co.uk/1/hi/uk_politics/7199658.stm
but I’d never heard about this one.
I think the UK press/readers are more interested in criticising the government than the banks for their use and misuse of data.
There is massive opposition to the UK government’s plan to impose ID cards (backed by a national database) on us, so any actual misuse of government data is going to make a popular story here.
April 15th, 2008 at 1:38 am