I just read this story over at SearchSecurity.com about the TJX breach. It looks like someone is suing TJX because they didn’t release information about the breach soon enough. The lawsuit also asks for TJX to provide credit monitoring, which TJX has said they won’t do.
A couple of things here. Often this type of security issue is a catch-22 because you have to weigh public opinion with security reality. If what TJX says is true about why they didn’t release info on the breach for a month, then I am OK with the delay (they say investigators asked them not to release the information at the start of the investigation, and they say it allowed them to figure out what happened and secure their system to prevent further breaches). And if the proof holds up to this reasoning, then they can win that in court.
However, not providing credit monitoring could be a mistake. TJX chairman Ben Cammarata says, “Based on the type of data involved in the breach of our systems, we don’t believe that such monitoring will be meaningful to customers.” Uhhhh, do they know about this story?? Looks like some of the data stolen from TJX is being used to make fraudulent purchases. And regardless, this is a public perception type of thing, Mr. Cammarata. Even if the data was totally useless, it makes sense to dole out the funds to customers just to make them feel better, and to make them feel like you give a crap.
Of course, TJX may just be hedging their bets because these types of issues tend to blow over in a few weeks in the general public’s eye (I don’t think there are too many soccer moms reading my blog). Of course, they could possibly lose the lawsuit and have to provide monitoring, and I think they will in the face of that story, if the case even makes it to trial. They probably have good lawyers, and the whole thing will likely be settled out of court anyway. Everyone involved will get 5 bucks, and it will be done.
So much for public disclosure laws.
Vet

Deb,
I am glad you liked the post, and I am truly sorry if you were offended at the term I used. I hope I didn’t offend you to a degree that you will not come back and visit. That being said, I have never been one that plays with the “don’t offend anyone” crowd, and there are a few points that need to be made (hopefully without turning a security post into a political correctness battle ground):
1. Obviously I don’t place the negative connotation on the term as you do. If I viewed the term as derogatory, I wouldn’t use it.
2. I am not labeling women of all walks as soccer moms. My definition of a soccer mom is a stay-at-home mom who is busy with raising her children and taking care of the home, and this is generally how it is defined (it has come to mean more than just a woman who takes her kids to soccer). The term soccer dad is also used in the same context.
3. This choice is every bit as honorable as any other “career” choice, and it is almost always more demanding than anything the man is doing outside the home (and I know since my wife is a stay-at-home mom). So I think the label would only be viewed as negative to those people who think that a soccer mom is somehow a lesser person than a career woman, even if they won’t admit that is how they feel.
4. The point of using the term was that not many people who lead busy lives and do not focus on security will be keeping up with what TJX is doing once the mainstream media loses interest.
5. I don’t see how my credibility in the security field is lessened by using this type of term. I could be an outright sexist and bigot (I’m not), and I would not be any less credible when it comes to security. Sure, no one would listen to what I was saying (rightly so), but that does not mean what I am saying is not true and worthwhile when it comes to security.
Michael
Michael,
Very good post; however, you lessen your credibility by tossing out the label “soccer moms.” Why do people insist on labeling women of all walks as soccer moms? My children do play soccer, yet I am a CFO for a software company. Does that role brand me as someone lesser than I am?
Deb Kimball