
Did They Violate Breach Disclosure Laws?

There's been an extremely interesting, and somewhat surprising, development in the TJX case over the past couple of weeks. No, I'm not talking about one of the defendants pleading guilty (and winning the prisoner's dilemma), but the scope of the breach.

Based on the news reports and court records, it seems TJX wasn't the only victim here. From ComputerWorld:

Toey was one of 11 alleged hackers arrested last month in connection with a series of data thefts and attempted data thefts at TJX and numerous other companies. Besides TJX and BJ's, the list of publicly identified victims of the hackers includes DSW, OfficeMax, Boston Market, Barnes and Noble, Sports Authority and Forever 21.

Huh. Wacky. I don't seem to recall seeing breach notifications from anyone other than TJX. Since I've been out for a few weeks, I decided to hunt a bit and learned the Wall Street Journal beat me to the punch on this story:

That's because only four of the chains clearly alerted their customers to breaches. Two others -- Boston Market Corp. and Forever 21 Inc. -- say they never told customers because they never confirmed data were stolen from them. The other retailers -- OfficeMax Inc., Barnes and Noble Inc., and Sports Authority Inc. -- wouldn't say whether they made consumer disclosures. Computer searches of their Securities and Exchange Commission filings, Web sites, press releases and news archives turned up no evidence of such disclosures. The other companies allegedly targeted by the ring charged last week were: TJX Cos., BJ's Wholesale Club Inc., shoe retailer DSW Inc., and restaurant chain Dave and Buster's Inc. They each disclosed to customers they were breached shortly after the intrusions were discovered.

The blanket excuse from these companies for not disclosing? "We couldn't find any definite information that we'd been breached".

Seems to me someone has a bit of legal exposure right now. I wonder if it is greater or less than the cost of notification? And don't forget, thanks to TJX seeing absolutely no effect on their business after the breach, we can pretty effectively kill off the reputation damage argument.

—Rich


Comments:


By ds  on  09/15  at  11:08 PM

Not sure I follow the logic here.  Is this a case of the old "gravity of the accusation" or simply perfect hindsight? 

A group of criminals broke into a variety of computer systems and stole a variety of protected data.  Your outrage stems from the assumption that these companies knew of the intrusion and the consequences.  I don't think this is reasonable.  If the US DoD is often caught unaware that such activity has happened, it is quite reasonable to assume that any less funded and resourced group would also be caught with their pants down.

Also, the quote you've included notes thefts and attempted thefts.  What if these non-disclosing groups were in the latter category?

I'm really curious as to what legal exposure there is.  Many (not all, but many) state disclosure laws allow exactly this sort of risk assessment prior to notification when you are aware a breach has taken place.  But again, if you cannot determine the breach has taken place, what are you disclosing?

By cji  on  09/15  at  11:09 PM

Looks like Forever 21 found some confirmation!

http://datalossdb.org/incidents/1159

(thanks quine)

By rmogull  on  09/15  at  11:14 PM

@ds-

If nothing else, they should have disclosed after the indictments were handed down.

But I agree I might have jumped the gun and missed the "attempted" part. It will be interesting to map the criminal evidence to who disclosed, as the case unfolds.

By windex8er  on  09/16  at  12:49 AM

Interesting none-the-less…  But just had one comment to this line:

"And don’t forget, thanks to TJX seeing absolutely no effect on their business after the breach, we can pretty effectively kill off the reputation damage argument."

Sure, everyone in the security industry, and probably financial, are aware of what comes to mind first when you hear TJX.  But, I bet if you took a poll of *actual* TJX customers most would be clueless—hence, no change in BAU.

However, that's not to say that disclosure wouldn't affect business.  I do believe that if Google, Microsoft, Best Buy, were to have been in the same situation there would be an interesting initial recourse followed by a "forget it, the convenience is easier than the alternative" attitude.

Just my $0.02 though…
—windexh8er

By rmogull  on  09/16  at  02:23 AM

@lonervamp

I actually know of some cases where people didn't disclose. My guess is, at best, half or so disclose when they know they've been breached, maybe 20% don't disclose even when they have to, and the rest are just clueless.

In the other case I know of, only 1 of 3-4 organizations that were definitively breached notified. But truth is, we'll never be able to accurately quantify this.

Unless we start hacking people and keeping track of the numbers.

By Rafal  on  09/17  at  01:58 AM

You know… this reminds me of the old phrase we used to use when I was a kid-
  - "It’s only illegal if you get caught"
... roughly translated into today’s business climate it would sound like this:
  -"It’s only a legal problem is someone finds out about it and can prove it happened and we knew about it and did nothing" but even then, with today’s regulations and "loose" compliance guidelines open to interpretation by any half-decent legal staff… does anyone really care?

Since I currently live in the niche of web application security; everyone is "concerned" about application security but they're only willing to spend or actually *do* the absolute bare-minimum their lawyers can't get them out of in a court of law.  The "Court of Public Opinion" in the greater consumer market is deaf, dumb, and blind (not to mention ignorant and stupid)... which leads me to believe that as long as you can get away with it by "dodging" regulations and government mandates - you'll be just fine.

How sad is that?

By The Breach Reporting Dillema | securosis.com  on  09/23  at  04:37 AM

[...] are underreported. As shown in the TJX case, not every company performs a breach notification (TJX reported, other organizations did not). I [...]

By Benjamin Wright  on  09/24  at  08:05 PM

Rich:  Careful reading of the indictments of the TJX data thieves show that the media, card issuers and Federal Trade Commission over-reacted to the TJX incident.  The TJX break-in was not as bad as we were led to believe. —Ben http://legal-beagle.typepad.com/wrights_legal_beagle/2008/08/credit-card-iss.html
