Reaction to TJX Settlement: "A Very Light Slap on the Wrist"
Did the Punishment Fit the Crime? Opinions Vary
In response to the announcement that TJX was not levied any monetary fine as part of its settlement with the FTC, David Taylor, President of the PCI Security Vendor Alliance, says this shows TJX's legal team is "a lot stronger than their security team."
The settlement was "just a very light slap on the wrist," according to Taylor. "The FTC has issued multi-million dollar fines for much less serious breaches."
The FTC's Joel Winston disagrees. "I don't see this at all as a slap on the wrist of TJX. They have paid out tens of millions of dollars in settlements as a result of this breach, and there may well be more to come in other actions," Winston says. "They're not getting off scot-free." He adds there are significant costs to TJX's reputation and to its business as a result of the breach. Winston serves as Assistant Director of FTC's Division of Privacy and Identity Protection. "There's a lot of damage to them as well as their reputation. Nobody wants their name in the headlines for not protecting consumer data."
The FTC wasn't able to levy a monetary fine against TJX because it lacked the legal authority to do so. Only under certain laws and conditions is the FTC given authority to levy fines. "In TJX's case, none of those circumstances were present," Winston says.
The only data security case where the FTC was able to levy a fine was against ChoicePoint. "Among the other laws they violated included the Fair Credit Reporting Act (FCRA), which gives us authority to levy a fine," Winston explains. Absent a violation of that statute, the FTC can't fine the company in cases like TJX.
"We've asked Congress for the last two and a half years to give us authority to seek penalties in such cases. Hopefully, one day we will get that authority," Winston says.
Getting trust and integrity back should be TJX's main concern, says analyst Nick Holland, at Aite Group, a Boston, MA-based consultancy. The settlement sounds reasonable to him, "given the size of the breach. TJX should be adhering to this sort of policy for protection of data to ensure they re-establish trust and integrity."
After 20 years of audits overseen by the FTC, TJX may wish they had received a monetary fine instead, says Avivah Litan, Vice President and Distinguished Analyst at Gartner Inc. "A government audit of this type every two years is cumbersome and time-consuming."
Litan notes financial institutions are used to multiple audits and multiple compliance efforts. "Retailers, on the other hand, are not," she says. "But that certainly is starting to change with data breaches at retailers."