A PARADOX
There's an interesting paradox in the TJX Effect, and it has to do with the company's financial performance. While at least a dozen customers have sued the company for not properly protecting their payment information--the cases are being consolidated into class-action suits and venues are still being chosen--many more are still shopping at its stores.

Financial analysts continue to raise their expectations for the company's stock price, as first-quarter 2008 sales were up about 6% compared with the year-earlier quarter, to $4.1 billion. Net income was down less than 2% from a year ago, to $162.1 million--not bad considering the $20 million charge TJX had to take.

In a February survey of 1,200 debit card holders by Javelin Strategy & Research, three out of four said they wouldn't continue shopping at a merchant where a data breach had occurred, says Mary Monahan, a Javelin analyst, and 84% said they would shop at merchants that said they were security leaders. But the reality seems quite different. "As Americans, we're a very convenience-oriented society," says James Lee, public and consumer affairs officer for ChoicePoint, a provider of identification and credential verification services. In 2005, ChoicePoint reported that identity thieves had stolen about 163,000 customer records.

TJX also may be benefiting from reports that identity fraud isn't as rampant as many think. Of the 24 data breaches analyzed by the U.S. Government Accountability Office in a report issued last month, only three included evidence of resulting fraud on existing accounts and only one included evidence of an unauthorized creation of a new account. The GAO report states that for the 18, "no clear evidence had been uncovered linking them to identity theft; and for the remaining two, there was not sufficient information to make a determination."

WATERSHED CASE
However, the magnitude of the TJX data breach, and the fact that stolen data is starting to surface, may change that perception. "TJX is a watershed case in this regard," PayPal's Barrett says. When customer data is stolen, as opposed to lost, you can be sure that someone's looking to use that information for financial gain. "Having an information breach is now an extremely significant operational risk," Barrett says. "There are very few risks that are worse than that."

Are executives nationwide worried about the TJX Effect? "Absolutely," says Andre Gold, head of technology risk management at ING U.S. Financial Services and former director of information security for Continental Airlines. "That's the kind of info that my executives are in tune to, because they want to make sure we're aware of this so that the same thing doesn't happen to us." The main takeaway: Look for weak links within your organization, because if you don't find them, someone else will.

ChoicePoint's Lee says the TJX data breach will force companies to be more transparent about the customer data they keep and how they protect it. ChoicePoint has accelerated a project to automate the way it discloses personal information to consumers who request it. Right now, if consumers want to know what information ChoicePoint has on them, the company puts together a report manually and mails it to them. To keep up with TJX-inspired demand, Lee's working to automate the system, a project that could take up to 26 weeks to complete, he says.

The National Retail Federation, whose eight-member executive committee includes CEOs from Ethan Allen Interiors, J.C. Penney, and Liz Claiborne, advocates several measures to prevent another data breach on the scale of TJX's. Rather than retain credit card information after a transaction is completed in order to settle disputes and handle chargebacks for returned merchandise, federation CIO Dave Hogan recommends retaining only information about the transaction itself--store number, time and date stamp, register number, and authorization number. "That would minimize, if not stop, payment card fraud," he says.

At the very least, retailers should require customers to enter a PIN for debit and credit purchases to be processed. This doesn't solve the data theft problem, but it does reduce risk, Hogan says. Even better, credit card companies will eventually replace magnetic-stripe cards in favor of those with embedded chips that require PINs whenever they're used.

For others, the lesson is simple. "Get serious about getting PCI certified," says PayPal's Barrett. To get that seal, you must have your IT systems inspected by a Qualified Security Assessor or an Approved Scanning Vendor that's been blessed by American Express, Discover, JCB, MasterCard Worldwide, and Visa International--all founding members of the PCI Security Standards Council. The inspector checks an organization's IT systems against the criteria published in the PCI data security standard. There are dozens of QSAs and ASVs, including Deloitte & Touche and Dimension Data.

With any luck, the TJX Effect will teach retailers this basic lesson: Thieves can't steal sensitive customer data if retailers aren't storing it.

Photo by Sacha Lecca

Continue to the sidebar:
The Face Of Identity Theft