T.J. Maxx oughta be ashamed.
As should Marshalls, HomeSense, and every other company operating under the corporate umbrella of TJX (NYSE: TJX). You'd think that by now, nearly four years after the string of hacks, cons, and plain ol' butterfingered fumbling of consumers' private, personally identifiable data began, a company holding more than 40 million customer credit card records (according to The Wall Street Journal) would have a better handle on how to respond to a data breach.
For those who aren't yet up to speed on this latest invasion-of-privacy story (the company only 'fessed up Wednesday night, after all), here's what we know. In mid-December 2006, an unidentified person or persons hacked into a TJX computer network that stores everything from credit and debit card transactions, to customer merchandise returns, to, for some reason, certain customers' driver's-license data.
After discovering the breach, TJX immediately informed the customers who might have been put at risk by its security breach.
Really?
Um, no. Not really. That's what TJX should have done. It's what AT&T (NYSE: T) did when hit by a similar attack back in August 2006. It's the standard of care that's been evolving among retailers, data processors, and financial institutions targeted by this crime wave over the past several years. And it's where TJX let its customers down.
Instead of warning its customers immediately upon learning that they were at risk, TJX:
- Informed law enforcement, which asked TJX to sit on the information while they investigated.
- Informed major credit card providers such as American Express (NYSE: AXP), MasterCard (NYSE: MA), and Visa, so that they could begin their own damage control.
- Hired General Dynamics and IBM (NYSE: IBM) to put in place the safeguards that should have been in place before this happened.
- Set up a hotline to field calls from angry customers (or customers who would become angry once they were told what was going on).
- And had its acting CEO pen a personal note to customers, explaining how "customer satisfaction has been central to our Company's success since day one" and what customers should do.
Only Wednesday evening -- one month after the break-in took place -- did TJX finally get around to informing its customers that their data had been compromised, and that they were at risk of identity theft. (Which I imagine came as a surprise to many customers, who were unaware that TJX was storing their credit card number, driver's license, and other information in the first place.)
The new standard of care
What TJX did not do, and still has not done, is adhere to the new standard of care in cases like these. Unlike AT&T, TJX did not immediately inform its customers of the danger. Nor did TJX offer, as ChoicePoint, Reed Elsevier, ABN AMRO, and Ameritrade (Nasdaq: AMTD) did when in a similar situation, to pay for a year's worth of credit monitoring to those persons at risk of identity theft. (Why, even the skinflints at Citigroup (NYSE: C) vouched for three months' worth of credit monitoring.)
Instead of doing the stand-up thing -- heck, the standard thing -- TJX merely encouraged its customers to "carefully review their credit card and debit card statements and other account information," and to "notify their credit or debit card company or bank if they suspect fraudulent use."
Message from TJX to its customers? You're on your own.
Motley Fool Green Light has a message, too: "You're not on your own." In addition to offering practical, money-saving advice on everything from finding a discount broker to preparing your tax returns, we're also keeping a close watch on the ongoing identity theft mess. In our October 2006 issue, we included a short primer on how to deal with identity theft. Take a free trial to the service to read all about it.
Fool contributor Rich Smith does not own shares of any company named above. MasterCard is a
Motley Fool Inside Value
recommendation, while AT&T was a former
Motley Fool Stock Advisor
selection. The Fool has a disclosure policy.
Terms & Conditions
RSS Headlines
Fool UK