I just read this story over at SearchSecurity.com about the TJX breach. It looks like someone is suing TJX because they didn’t release information about the breach soon enough. The lawsuit also asks for TJX to provide credit monitoring, which TJX has said they won’t do.
A couple of things here. Often this type of security issue is a catch-22 because you have to weigh public opinion with security reality. If what TJX says is true about why they didn’t release info on the breach for a month, then I am OK with the delay (they say investigators asked them not to release the information at the start of the investigation, and they say it allowed them to figure out what happened and secure their system to prevent further breaches). And if the proof holds up to this reasoning, then they can win that in court.
However, not providing credit monitoring could be a mistake. TJX chairman Ben Cammarata says, “Based on the type of data involved in the breach of our systems, we don’t believe that such monitoring will be meaningful to customers.” Uhhhh, do they know about this story?? Looks like some of the data stolen from TJX is being used to make fraudulent purchases. And regardless, this is a public perception type of thing, Mr. Cammarata. Even if the data was totally useless, it makes sense to dole out the funds to customers just to make them feel better, and to make them feel like you give a crap.
Of course, TJX may just be hedging their bets because these types of issues tend to blow over in a few weeks in the general public’s eye (I don’t think there are too many soccer moms reading my blog). Of course, they could possibly lose the lawsuit and have to provide monitoring, and I think they will in the face of that story, if the case even makes it to trial. They probably have good lawyers, and the whole thing will likely be settled out of court anyway. Everyone involved will get 5 bucks, and it will be done.
So much for public disclosure laws.