
October 8, 2007 | written by Mary Monahan

TJX―The Double Bind

A double bind is any situation which arises from conflicting information so that any choice of behavior will end up being considered wrong.

Canadian Privacy Commissioner Jennifer Stoddart: TJX collected unnecessary information.

TJX: Unnecessary? Asking for a driver’s license for an unreceipted return? Merchants consider getting identification with unreceipted returns to be a fraud prevention method. Too many returns by the same person raise suspicions. The fact that we ask for identification serves as a deterrent to shoplifters who try to return stolen goods. We are going to keep collecting this data, but now we’ll use hashing to make it unreadable to employees or data thieves.
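The retailer’s stated plan is to keep matching repeat returns to the same ID while storing nothing an employee or thief could read. The example below, added here and not code from the post or from TJX, shows how that is usually done in practice. It uses a keyed hash (HMAC-SHA256) rather than a plain hash: a bare SHA-256 of a driver’s license number is not really unreadable, because license formats are structured and short enough that someone holding the table can recover the numbers by trying every candidate, whereas a keyed hash cannot be reversed without the key, which store systems never see. The key, the threshold, the window, the ID formats and the sample returns are all constructed for illustration.

```python
import hmac
import hashlib
import re
from collections import defaultdict
from datetime import date

# Secret key held by back-office systems only (constructed placeholder value).
# Plain SHA-256 over a short, structured identifier can be brute-forced from
# the stored table; HMAC with a key the store systems never hold cannot.
PSEUDONYM_KEY = b"example-key-rotate-in-production"


def normalize_id(raw):
    """Canonicalize an ID string so spacing or punctuation differences at the
    register do not defeat matching: strip non-alphanumerics, uppercase."""
    return re.sub(r"[^A-Z0-9]", "", raw.upper())


def pseudonymize_id(raw, key=PSEUDONYM_KEY):
    """Keyed hash (HMAC-SHA256) of the normalized identifier, hex encoded.
    Deterministic for a given key, so repeat returns by one ID collide on
    purpose; the plaintext is not recoverable from the value without the key."""
    return hmac.new(key, normalize_id(raw).encode(), hashlib.sha256).hexdigest()


class ReturnTracker:
    """Counts unreceipted returns per pseudonymized ID inside a rolling window.
    Only the pseudonym and the return dates are retained, never the raw ID."""

    def __init__(self, threshold=3, window_days=90):
        self.threshold = threshold
        self.window_days = window_days
        self._events = defaultdict(list)  # pseudonym -> list of return dates

    def record_return(self, raw_id, when):
        """Log one unreceipted return. Returns (count_in_window, flagged)."""
        pseudo = pseudonymize_id(raw_id)
        # Drop events that have aged out of the window before counting.
        recent = [d for d in self._events[pseudo]
                  if (when - d).days <= self.window_days]
        recent.append(when)
        self._events[pseudo] = recent
        return len(recent), len(recent) >= self.threshold


def demo():
    """Constructed sample: one customer's license keyed in three different
    ways across three visits, then an unrelated customer."""
    tracker = ReturnTracker(threshold=3, window_days=90)
    events = [
        ("D123-4567-89", date(2007, 7, 1)),
        ("d123 4567 89", date(2007, 8, 15)),
        ("D12345 6789", date(2007, 9, 20)),
        ("X999-0000-11", date(2007, 9, 21)),
    ]
    return [tracker.record_return(raw, when) for raw, when in events]


if __name__ == "__main__":
    for count, flagged in demo():
        print(count, "flagged" if flagged else "ok")
```

The third entry is flagged because all three spellings normalize to the same license number and fall inside the 90-day window; the fourth customer starts a fresh count. Rotating the key invalidates the whole table, so in a real deployment the key lives in a key-management system and rotation is scheduled against the retention window.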

Commissioner: TJX stored this unnecessary information for far too long.

TJX: That’s unfair. First of all, when our RTS servers came online in 2003, we encountered problems that required troubleshooting, and that meant we had to maintain our database for integrity’s sake. Even aside from that, all merchants have to keep payment information for 12 to 18 months. If we don’t and there’s any kind of dispute later, we have to take an automatic chargeback. We can’t afford to do business like that; and besides, it’s not fair. If the payment companies ask us to produce the payment information for 18 months or take an automatic chargeback, we’ll choose to keep the payment information for 18 months. On the one hand, credit card firms are telling us not to store that information; on the other hand, they are telling us to produce the payment information for 18 months or take a hit. That’s what’s called a “double bind”: a situation in which conflicting information means that any choice of behavior will end up being considered wrong. If you don’t believe us at TJX, perhaps you’ll listen to “Lessons Learned: Top Reasons for PCI Audit Failure,” which shows that 71% of companies did not track all access to cardholder data (out of 112 assessed), so we are hardly alone in our business practices. We are retail merchants, not payment security experts. All we want to do is give our customers good value for their money. Why are we being punished for being average at financial security?

Commissioner: You protected this excessive data, which you stored overly long, with outdated, already-broken WEP encryption. By June 2003, the engineering firm that developed WEP encryption was itself calling for conversion to WPA. Later, data thieves were able to hack into Marshalls stores in Miami, Florida using wireless handheld devices.

TJX: Now wait a minute. First of all, we haven’t admitted how that data was stolen and we won’t now; nobody knows for certain. Secondly, the PCI Security Standard version 1.0, released in December 2004, did not require WPA encryption. In September 2006, PCI version 1.1, requiring WPA, came out, but there was not enough time to implement it before the breach was discovered in December. In fact, when we discovered the breach, only about 30% of even Level One merchants were PCI compliant. We have since completed our own conversion in time to be compliant with both Visa and MasterCard. Even now, a full ten months after we discovered our data breach, maybe only 50%-60% of Level One merchants are PCI compliant.

Commissioner: You mean one of the biggest data breaches in history? It is not fair: a criminal did this, not you. But one of the biggest data breaches in history happened on your watch, to your company, to your customers. It is true that many other merchants are just as culpable, but luckier than TJX. However, the seriousness of the harm done outweighs your protestations of innocence, however many other merchants were just as unprotected as you were.

Commissioner: Somebody has to be held responsible. An example must be set. Otherwise, why will any merchant bother to protect consumer data?

TJX: It’s not that simple. We’ll say it one more time. We’re merchandisers: that’s what we know, that’s what we do best. We are not payments experts. We are merchants.


Comments #1 | October 9th, 2007 Chris Phillips wrote:

Why are their Canadian acquirers requiring them to store card data for 18 months? Their US acquiring contract required 12, but even that seems like too long – aren’t chargebacks going to come in within 180 days?

Comments #2 | October 10th, 2007 Mary Monahan wrote:

Chris, this is meant to be an imaginary conversation between the commissioner and TJX. I should have made that more clear. The commissioner’s concerns were based on the actual concerns stated in the Canadian report. My personal viewpoint is that consumers’ private data must be safeguarded. One negotiation technique to deal with an impasse is to walk in the “other guy’s shoes,” which is what I was trying to do with this blog. Last week the National Federation of Retailers wrote a letter to the PCI Council stating that they needed to keep consumer data for 12-18 months for “chargeback” reasons. If you’ve read my past posts on data breaches, you’ll know I have very little patience for excuses when it comes to the protection of consumers. I also believe that all parties involved need to understand each other and work together to put an end to the massive number of security breaches. Keeping private consumer payment data after transactions have gone through is just asking for trouble. While there will be better solutions in the future, right now, PCI compliance is necessary to clean up existing systems. Private consumer data is stored improperly or even unprotected on many merchant systems and laptops. The transition to compliance and ongoing maintenance is painful and costly. It also requires understanding the “non-compliant” merchant’s point of view. What actions will best bring non-compliant merchants into compliance? Carrot? Stick? My view: probably a combination of both with a big helping of cooperation.

Comments #3 | October 12th, 2007 Chris Phillips wrote:

Understood, and agreed. I wasn’t taking issue with your post, rather asking a general question (which I had asked on my blog), and wondering if you (not the devil’s advocate “you”) had a different thought than I did. I believe the Canadian contract required 18 months, and I know the US contract required 12 months of storage; I’m just in the weeds as to the why.