Citadel of the Blogs The Inbox of the Internet (really)

interesting comparison of two countries via the Geert Hofstede Cultural Dimensions

It compares Power Distance Index, Individualism, Masculinity, Uncertainty Avoidance Index, and Long-Term Orientation

I encourage you to listen to Ontario’s Information and Privacy Commissioner’s interview on TVO if you haven’t already.

Some of the interview is hard to hear but it thought-provoking to say the least. I also liked reading this letter of hers for how she contextualizes privacy.

watch Ontario’s Information and Privacy Commissioner Anne Cavoukian give a talk about Privacy by Design.

watch and listen to Michael Geist as he summarizes what must have been an interesting privacy conference

Everyone is talking about TJX. I mean, everyone: TJ Max, TJX Cos., Winners, Homesense, (for Canada), TJ Maxx, HomeGoods, Marshalls, etc. (for the States)

I have heard both types of reactions: the largest data heist in history has served as a wake-up call to merchants; and that all that TJX got was a “slap on the wrist”.

First, the facts:

The $17.4-billion retailer’s wireless network had less security than many people have on their home networks. [TJX had WEP encryption which was hacked as long ago as 2001; by 2003 the wireless industry was offering a more secure system called Wi-Fi Protected Access or WPA.]

Though the identity of the hackers aren’t known, their operation has the hallmarks of gangs made up of Romanian hackers and members of Russian organized crime groups.

For sophisticated hackers, it was as easy as breaking into a house through a side window that was wide open.

Second, we need to take stock of the context:

According to privacy experts, TJX collected unnecessary information.

Fact: Be careful what information you give when you return an unreceipted (or receipted!) item. Yes, merchants consider getting identification with unreceipted returns to be a fraud prevention method since too many returns by the same person raise suspicions.

BUT — merchants may not collect more information than is necessary to the transaction.

Finally, let’s look at dollars and cents. The incident has renewed debate about who should be financially responsible. Banks that issue credit and debit cards so far have borne the brunt of the TJX losses, as opposed to the retailer or the credit-card networks such as Visa or MasterCard.

The facts:

As of August, 2007, TJX Cos. said its costs ballooned to $256 million.

The figure is more than 10 times the roughly $25 million estimated just three months ago. The costs include fixing the company’s computer system and dealing with lawsuits, investigations, and other claims stemming from the breach, which lasted more than a year before the company discovered the problem in December.

TJX’s breach-related bill could surpass $1 billion over five years — including costs for consultants, security upgrades, attorney fees, and added marketing to reassure customers, but not lawsuit liabilities

Banks could spend $300 million to replace cards from just one year’s worth of stolen numbers, even though about half the numbers were expired and some were hidden in some of the stolen data.

Bottomline:

Has customer trust in TJX gone up or down? I think trust has very little to do with it. Customers do not feel that they have control over their personal information. So they transact knowing that the buyer must beware.

End result? While they may have gotten a “slap on the wrist”, they are certainly more in debt. But they will recover. TJX Stock has dipped slightly but sales will return. In terms of the economy as a whole, hopefully other companies will beef up their encryption so that such repeat losses can be prevented. In the end, this is probably a good thing since it serves as an example to others. Not from punitive action but from financial loss as the result of reputational damage. TJX will survive but it will never again be the same.

But let’s be realistic: hackers will get at data again. The most you can hope for is to limit the amount of your data out there.

Let the buyer beware? How about: let the data giver beware.