I don't know what good it will do me if my data was stolen, and I don't know that it was (but like I said -- I shop there a lot), so I canceled my card and got a new one. I imagine others are doing the same. It provides some level of relief. In my case, this is the third possible data breach I have been exposed to in the last 12 months.
The TJX press release seems to indicate they're doing all the right things, at least in terms of standard operating procedure once a hack is discovered. Who knows what it was doing security-wise before? Now we have to wonder.
Were they doing the right things prior to the hack, like adequately securing their data and then regularly checking those defenses? Maybe they did, maybe they didn't. The company so far won't say whether all that data was encrypted. So what does that tell you? And what possible excuse could they have had for not having done so, if that's the case?
You can be sure that whatever money IT or its business counterparts think they can save by sidestepping encryption is never going to make up for the financial costs associated with the ensuing fallout from a data hack: legal fees, negative publicity, lost sales, and the intangible of lost consumer confidence.
The thing that TJX and other companies have to realize is that a lot more was lost here than just customer data. Trust is gone. And once it's gone, it's real hard to get it back. And if you can't get it back, it's going to get harder and harder for businesses to deploy technology in ways designed to cut costs and save money. Each and every incident of data theft piles onto the consumer's collective memory of the last. The reverberations can cut deep for businesses.
For example, we're still seeing surveys that cite unease among online and would-be online shoppers. We don't feel safe, and hmmm, why is that? Our spam filters continue to miss spam, our security packages continue to leak embarrassing and unsettling security vulnerabilities, and the people who collect our data continue to lose it, rushing in to secure the barn door after the proverbial horses have left.
For example, TJX was quick to note that it has " ... significantly strengthened the security of its computer systems. While no computer security can completely guarantee the safety of data, these experts have confirmed that the containment plan adopted by TJX is appropriate to prevent future intrusions ... " Future intrusions? If this level of security was available and needed, why wasn't this system installed prior to the data hack?
The TJX Companies Chairman Ben Cammarata, meanwhile, issued a statement about how "deeply concerned" the company is about the "difficulties" the "event" may cause customers, urging them to "carefully review their credit card and debit card statements and other account information for unauthorized use. We want to assure our customers that this issue has the highest priority at TJX." So much so, they rushed these tips out to us! I sure feel all safe, warm, and fuzzy all over, how about you?
If we can't trust TJX's security, and we still want to shop there, we could be tempted to just use paper checks, or better yet, cash. This in turn will probably result in smaller purchases per trip. None of this is good for TJX, though shoppers may leave feeling good on two accounts -- they found some good deals, and they lessened their financial risk of having to pay an added, incalculable financial price.
And how many consumers continue to resist the siren call of online accounts for everything -- utility bills, mortgages, bank accounts, credit cards, you name it? Every consumer lost is cash lost out of some company's pocket -- your company, even. More important, how are we supposed to advance to electronic wallets and a digital cash economy if consumers don't feel safe? For example, do you really want a cell phone that contains all your personal information and access to your various credit and other accounts? I certainly don't -- you'd have to staple that thing to your body 12 ways every time you head out the door. Lose it, and you are doomed. Or don't lose it, but switch to a different phone, and now you have to worry about all that data that was on the old phone. Was it really wiped? (Not worried? Buy some used hard drives off eBay, check out the contents, and tell me what you find.) Suddenly, all that convenience just is not worth the threat of unending financial and personal data hell. Just ask anyone who has been the victim of simple identity theft. Consumers have to feel safe before they'll be willing to make life convenient, and cheaper, for businesses.
So it is in the best interests of American businesses to work harder on safeguarding trust, and that effort has to start with the IT department.
Consider that every announcement about a data hack today is accompanied by the rote parallel announcement of a Web page where spooked customers can go to learn basic security tips, and ahem, how to avoid identity theft. (No, "shop somewhere else" is never suggested.) Talk about too little, too late! If there is anywhere "the max for the minimum" will never pay off, it's with security. So how about taking these steps instead:
I'm sure you can think of a lot more that could be done and needs to be done. Whatever that might be, let the TJX hack spur your company into taking some definitive steps toward protecting customer trust. The cost is negligible considering that the rewards are priceless.