TJMaxx Agrees “Leadership Role” In Data Security
Large US retailer TJMaxx today announced that it has settled with a multi-state group of 41 Attorneys General, resolving the States’ investigations relating to the criminal intrusions into TJMaxx’s computer system announced by TJMaxx over two years ago.
Jeffrey Naylor, Chief Financial and Administrative Officer of The TJX Companies (the owner of TJMaxx) stated, “This settlement furthers our goal of enhancing consumer protection, which has been central to TJX. Under this settlement, TJX and the Attorneys General have agreed to take leadership roles in exploring new technologies and approaches to solving the systemic problems in the U.S. payment card industry that continue to plague businesses and institutions and that make consumers in the United States worldwide targets for increasing cyber crime.”
Mr. Naylor continued, “The sheer number of attacks by cyber criminals demonstrates the challenges facing the U.S. payment card system in protecting sensitive consumer data. This settlement furthers TJX’s efforts to unite retailers, law enforcement, banks, and payment card companies to consider installing in the U.S. the proven card security measures that are already in use throughout much of the world.”
What has not been announced are the specifics of what TJMaxx, or the states, will do to take a leadership role in exploring new technologies and approaches to improving data security.
Here are some suggestions:
1. Making the protection of information a key function for all organizations, of all sizes. Too often, data security is looked at as “an IT task.” In many organizations today, data security is just a subset of the IT department, and it then falls to the CTO/CIO/MIS manager to strike the balance between ease of access and security. The Chief Information Security Officer should instead report to the CFO or CEO, and bring them actionable information risks and the options to mitigate those risks. It is the role of the non-technical manager to strike the balance between ease of use and security, not the head of IT.
2. Educating business that the PCI standard is a MINIMUM standard, not a bar or goal to be reached “one day.”
3. The culture in security and business is not to do PR about specific security measures. Make an exception. TJMaxx should use their bully pulpit, deploy, and get the word out about the importance of advanced web application scanning, data encryption, web drive-by downloads, two-factor authentication, wireless security, and open-source.
4. Responsible Disclosure. Today, it is almost impossible to alert a business when they have a security flaw. Retailers and other businesses must develop an easy method for “good guy” security people to inform them when a security issue is discovered.
Almost every state has data security laws. The monies that go to the states should be used to better educate managers and decision makers about protecting personally identifiable information, and the list above.
According to press reports, 40 states are participating in this settlement agreement. Those states are Alabama, Arizona, Arkansas, California, Colorado, Connecticut, Delaware, Florida, Hawaii, Idaho, Illinois, Iowa, Louisiana, Maine, Maryland, Massachusetts, Michigan, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Dakota, Tennessee, Texas, Vermont, Washington, West Virginia, and Wisconsin. The District of Columbia is also a party to the settlement.
If TJMaxx is serious about playing a leadership role in data security, we hope to hear from them about what they will do. The Data Security Podcast has reached out to TJMaxx. We have requested an interview for the audio program. We will let you know their response.