Cybersecurity and the protection of personal and sensitive information are a growing concern for private citizens and governments alike. Today, more and more people are the victims of identity theft, and more often than not, personal information on individuals is acquired through lapses in cybersecurity, whether by individuals or by the companies that collect and store personal information. A prime example of such a lapse in cybersecurity policy is the discount retailing giant TJX. TJX is the corporate parent of a number of discount retailers around the world, including Marshalls and TJ Maxx in the United States. In the early 2000s, however, TJX fell victim to a massive security breach. Instead of reporting the breach and upgrading the relevant security systems, TJX kept quiet about it while the offenders stole credit card and personal information for 48 million different cards and personal accounts linked to the discount retailer (Vijayan, 2007).
Metadata
Referring back to the TJX security breach, one of the primary goals of those responsible for the breach was obtaining credit card numbers and related information for individuals who held accounts with the retail giant (Vijayan, 2007). While the retailer was in violation of a number of federal regulations controlling what types of information could be stored and how its wireless network had to be secured, one of the major stores of information that the hackers were able to access was the long list of personal metadata on each customer who shopped at a TJX-group store (Vijayan, 2007). With that information, the hackers were able to steal millions of dollars' worth of customer credit, costing the TJX group more than $500 million for the security breach (Vijayan, 2007).
TJX Companies, Inc.
It is no secret that the TJX group has fallen victim to one of the largest cases of cybercrime in the twenty-first century. Along with the more than $500 million in damages and theft, the company has become the poster child for what not to do with regard to customer information and security. This has, understandably, become something of a sticking point for the TJX Companies; today, after being fined heavily by courts and forced to pay restitution to their customers, TJX has reworked its cybersecurity standards.
Clearly, storing personal information, particularly personal information that is illegal to store, did not work in the customers' favor in the case of the TJX group. However, TJX fell victim to circumstance as well as to its own outdated cybersecurity standards; once the TJX attack became public, many companies quietly and quickly updated their security standards to ensure that they met regulations (Vijayan, 2007). Many companies, though, have still been unwilling to make security upgrades, citing the cost and the relatively low bar that legal requirements set for retail companies with regard to cybersecurity (Kostopoulos, 2013).
If the massive security breach at TJX was not enough to convince lawmakers that the retail industry requires stricter controls on the way personal information is collected and retained, the backlash and final cost of the breach should have been. Although the damage is ongoing, experts estimate that the security breach at TJX cost the company between $500 million and $1 billion, a significant sum even for a successful Fortune 500 corporation (Kostopoulos, 2013).
Today, TJX retains only the vaguest allusions to its security policies on its corporate website. The TJX website (2013) gives the following information to a potential consumer: "We maintain administrative, technical and physical safeguards designed to protect against loss, misuse or unauthorized access, disclosure, alteration or destruction of your information. Online access to certain personal information may be protected with a password you select. We strongly recommend that you do not disclose your password to anyone, and we will never ask you for your password in an unsolicited communication" (TJX.com, 2013). The company does not inform the consumer of any previous cybersecurity threats to personal information that it has faced, nor is it required by law to do so.
The Retail Industry and Storing Metadata
Lawmakers have a vested interest in ensuring that no customer information is stolen and used for nefarious purposes, particularly in the United States. Because American politicians and lawmakers are voted into office, those who are seen as soft on crime are often considered unfit for office and are replaced at the next election by someone who will be more heavy-handed with criminals and crime. Lawmakers, however, face a difficult problem: with too much regulation, the already delicate economic growth that the United States is experiencing may collapse, as companies find it too difficult to maintain profit margins under heavy regulation of their industries (Grady and Parisi, 2006). Yet a lack of regulation can be even more costly, as seen in the case of retail giant TJX.
If businesses are forced into stricter compliance by a number of governmental agencies, then confusion and lack of oversight can easily occur (Anderson, 2001). The creation of a single body responsible for overseeing the cybersecurity policies and standards of businesses, groups, and institutions that retain personal information on members or customers may be an option (Grady and Parisi, 2006). Businesses that are forced into compliance must not be forced to take actions that will, or could potentially, hurt their profits in a significant way; however, they must be made to comply with standards as they are set. TJX, for instance, was not complying with federal standards when its wireless system was compromised; if there had been an oversight committee responsible for analyzing corporate cybersecurity and personal information security, the TJX security breach might not have occurred, or might have occurred to a much lesser extent.
Conclusions
There are significant problems in the retail and corporate world with regard to cybersecurity and cybersecurity policy in the United States. Cybersecurity is an issue that affects everyone who buys anything by a method other than cash; personal information is passed between computers and companies with little regard for the security of that information. Indeed, many companies have yet to upgrade their security systems to the newest security protocols, because companies tend to see security upgrades made without external impetus as a drain on their bottom line. More regulation of cybersecurity and the handling of personal metadata is of paramount importance, but along with more regulation should come more education and understanding about the nature of cybersecurity for companies that retain personal data. This will provide these companies with the tools and knowledge they need to make informed decisions about security policy and to avoid mistakes like those made by the TJX Group.
References
Anderson, R. (2001). Why information security is hard: an economic perspective. pp. 358–365.
Byres, E. and Lowe, J. (2004). The myths and facts behind cyber security risks for industrial control systems. 116.
Cone, B., Irvine, C., Thompson, M. and Nguyen, T. (2007). A video game for cyber security training and awareness. Computers & Security, 26 (1), pp. 63–72.
Craigen, D., Walsh, D. and Whyte, D. (2013). Securing Canada’s Information-Technology Infrastructure: Context, Principles, and Focus Areas of Cybersecurity Research. Technology Innovation Management Review, (July 2013: Cybersecurity).
Grady, M. and Parisi, F. (2006). The law and economics of cybersecurity. New York: Cambridge University Press.
Hoffman, L., Rosenberg, T., Dodge, R. and Ragsdale, D. (2005). Exploring a national cybersecurity exercise for universities. IEEE Security & Privacy, 3 (5), pp. 27–33.
Jacobson, G. and Figliola, P. (2009). Cybersecurity, botnets, and cyberterrorism. New York: Nova Science Publishers.
Johnson, V. (2005). Cybersecurity, Identity Theft, and the Limits of Tort Liability. bepress Legal Series, p. 713.
Kostopoulos, G. (2013). Cyberspace and cybersecurity. Boca Raton, FL: CRC Press.
Marshall, P. (2003). Cybersecurity. Washington, D.C.: CQ Press.
Mueller, M. and Kuehn, A. (). Einstein on the Breach: Surveillance Technology, Cybersecurity and Organizational Change.
Norwood, K. and Catwell, S. (2009). Cybersecurity, cyberanalysis, and warning. New York: Nova Science Publishers.
Singer, P. and Friedman, A. (1320). Cybersecurity. New York: Oxford University Press.
Smith, A. and Rupp, W. (2002). Issues in cybersecurity; understanding the potential risks associated with hackers/crackers. Information Management & Computer Security, 10 (4), pp. 178–183.
Ten, C., Manimaran, G. and Liu, C. (2010). Cybersecurity for critical infrastructures: Attack and defense modeling. IEEE Transactions on Systems, Man and Cybernetics, Part A: Systems and Humans, 40 (4), pp. 853–865.
Tjx.com (2013). Welcome to The TJX Companies, Inc. [online] Retrieved from: http://www.tjx.com/ [Accessed: 15 Oct 2013].
Vijayan, J. (2007). TJX violated nine of 12 PCI controls at time of breach, court filings say. Computerworld, October 26.
Whitman, M. (2003). Enemy at the gate: threats to information security. Communications of the ACM, 46 (8), pp. 91–95.