December 6, 2007
When it comes to a privacy breach, what's the best policy -- contrite or circumspect? Two incidents showcase different approaches.First, there's Mark Zuckerberg's act of contrition over the mess he made with a new collaboration/advertising feature in his social networking site, Facebook. The feature, called Beacon, shared online activity data among Facebook friends -- more data than users were prepared to accept, apparently, because howls of protest were heard not long after Beacon was introduced. Zuckerberg and crew were forced to retool the feature's opt-out capability. "We simply did a bad job with this release, and I apologize for it," Zuckerberg said in a long blog post on the site that explained the genesis of the Beacon project and what went wrong. "I'm not proud of the way we've handled this situation and I know we can do better," he said.
I couldn't help but compare that with another privacy-related news story this week about TJX, the discount retailer that suffered a massive customer data breach that lasted more than a couple of years and which came to light earlier this year. TJX, which owns TJ Maxx, Marshalls, and other stores, has been fairly circumspect in what it has said about the security problem. In its first press release on the breach, dated Jan. 17, Ben Cammarata, chairman and acting chief executive officer of TJX Companies, said this: "We are deeply concerned about this event and the difficulties it may cause our customers." There was a follow-up statement from the company, in the form of a press release on Feb. 21. In it, newly appointed president and CEO Carol Meyrowitz commented, "Let me begin by telling our customers personally how much I regret any problems or inconvenience they may have experienced as a result of the unauthorized intrusion into our computer system." In a press release on Sept. 21 announcing its settlement offer related to the numerous customer class-action lawsuits against the company, Meyrowitz said, "We deeply regret any inconvenience our customers may have experienced as a result of the criminal attack on our computer system." Then she added this: "Importantly, we truly appreciate our customers' continued patronage." Amen to that, brother. TJX's financial performance hasn't suffered, despite the bad publicity the company has received over the last 11 months. In fact, quite the opposite: net sales for its fiscal third quarter, ended Oct. 31, increased 6% to $4.7 billion, according to the company. This week TJX announced a settlement proposal with Visa USA to compensate the banks that issued the credit cards that were compromised in the data hack. In a news story by my colleague Tim Wilson, one security expert points out that TJX hasn't done the one thing that interested parties and the consumer public at large would benefit most from -- explain exactly what happened. "Only the banks and credit card companies can determine if TJX's offer of a $40.9 million settlement for its data breach is adequate," says Adrian Lane, CTO of security company IPLocks. "However, what should be required as part of the settlement is a case study of exactly what happened. Here is an opportunity for financial institutions to step in and help prevent this from happening to other retailers. The cost is almost nothing, and there would be a clear benefit to the retail industry and, ultimately, consumers. "Data breaches are a problem that all companies potentially face. But when a company is breached, responses seem to fall into one of two responses: nondisclosure or noninformative press spin," Lane says. "They either do not disclose publicly, or if obligated in some way, we get the 'we are deeply concerned, but we are on top of it' response from press or legal teams. Security through anonymity is what this is, and it does not do anyone a lot of good." I don't anticipate that Facebook will suffer greatly in the long run from its privacy, uh, loss of face. But based on TJX's bullish financial performance, when it comes to privacy problems I think we can anticipate more circumspection and less contrition.
About the Author(s)
You May Also Like
Entering the era of generative AI-enabled security
Cloud Security Maturity Model: Vision, Path, Execution
Processing principles under the GDPR, CCPA, and the EU-US DPF
Data as Currency: The Importance of Master Data Management in Banking
Checklist: Top 6 Considerations to Optimize Your Digital Acceleration Security Spend