I’ve had at least one person suggest to me that TJX was “grandfathered” into PCI compliance, and, as such, was compliant during the incident. There’s a lot of uproar about TJX here online; goodness knows I’ve tried to contribute something different - not condemnation of TJX (incidents happen) but discussion of business and risk tolerance, to explain how PCI (and compliance) fines/judgements must be in scale with the business to be somewhat relevant to a data owner.
Some folks think this is a seminal incident for PCI and the industry, and as such it’s worth the press and coverage. That’s as may be, but there’s one thing that this incident isn’t worth, and that’s the attempt to “make an example” of them, or to set a dangerous precedent. For example, HarborOne credit union has sent TJX an invoice for $590,000 in “actual costs and reputational damage” (this link from CSO Online).
“The bill was for both direct operational costs that we incurred reissuing new debit cards to our customers, as well as the costs to us from a reputational standpoint,” he said. According to (James) Blake (CEO of the CU), the TJX breach resulted in HarborOne having to block and reissue about 9,000 cards at a cost of around $90,000. The remaining $500,000 is what Blake believes the breach cost the credit union in terms of brand damage.
Excuse me while I get my shovel.
- THEY INVOICED TJX FOR REPUTATIONAL DAMAGE. How do you “invoice” for that?
- 9000 CARD REISSUES = $500K IN REPUTATIONAL DAMAGE? I’d love to see a defense of that equation.
- $500,000 IN MARKETING IS NEEDED TO RESTORE THE BRAND OF THE CREDIT UNION? Brand valuation can be as specious as BIA/risk valuations, if not more so. But this is a credit union - granted, $1.4 billion in assets is not a small CU by any stretch of the imagination - but honestly I have a hard time believing that any CU spends $500,000 on an annual marketing budget (not counting salaries).
- WHAT’S THE PROBABILITY THAT, IF PAID, HARBORONE WILL BE SPENDING THIS $500K ON MARKETING TO REPAIR “BRAND DAMAGE”? Well, let’s just say it’s somewhere near the probability of “cyber-doomsday”.
Yes, there’s some amount of reparations that might be fair. Some of that might even be reputational for the CU. But TJX does NOT deserve to be taken advantage of in this way.
(via RiskAnalys.is) June 08, 2007, 9:51am