TJX Cos. is back in the headlines this week, amid revelations that more than 94 million accounts may have been compromised to date -- far more than the 45 million TJX had previously acknowledged. Yet as security strategist Michael Gavin noted Wednesday during a panel discussion on data breach preparedness at the Harvard Club in Boston, customers keep flocking to TJX with credit cards in hand.
Gavin, a former Forrester Research analyst who now works for Wilmington, Mass.-based Security Innovation, asked a panel of industry experts if fears of brand reputation damage are overblown, since TJX doesn't seem to be losing customers.
Panelists acknowledged that may be the case, but that companies should not measure their security needs based on the retail giant's current fortunes. For one thing, they said, TJX is likely to experience some real consequences as the list of class-action lawsuits against it continues to grow. But the bigger point is that no company is immune from the threat of a data breach, and businesses need to develop better response plans.
"One of the big missing pieces is the plan for external communications in the event of a data breach," said Jim Maloney, former global head of information security at Amazon.com and current CEO of Cyber Risk Strategies. "When a data breach happens, you don't want to be scrambling and trying to decide who to talk to and how to restore confidence. You can't just try to wing it."
When TJX first disclosed its data breach in January, the retailer came under heavy criticism for what many considered a sloppy response. The company didn't disclose the breach until a month after it was first discovered, and few accepted its explanation that investigators recommended the period of silence.
TJX also seemed to have trouble getting an accurate assessment of the damage. For example, the company initially said that attackers had access to its network between May 2006 and January 2007. Later it admitted that thieves were inside the network several other times, beginning in July 2005. The came word that the stolen data covered transactions dating all the way back to December 2002.
Christopher Barker, vice president and security team leader at Text 100, the public relations firm hosting Wednesday's panel discussion, said companies hoping to avoid a public relations nightmare need to decide well before any breach might occur how they will go about alerting the public and how much detail should be released at the outset. He said the ideal crisis communications team should include a representative from every department. Department representatives should meet regularly to discuss how each could be affected by a breach, he added.
Companies also need to work on their tone toward the press, he suggested. "You need to treat the press like your customers," he said. "Bad press equals brand damage."
Businesses also need to put more thought into the tone and detail of any disclosure notice they might have to send out. Catherine Allen, chairman and CEO of consultancy The Santa Fe Group, noted that too many disclosure notices are written by lawyers using language customers have trouble comprehending. "It's better to send a letter by snail mail from the company CEO that is written in plain English," she said.
At one point the panel debated whether disclosure notices are truly useful to customers. Tower Group security analyst George Tubin said disclosure letters are "fantastic" because they act as a deterrent. Companies that want to avoid sending such letters may be more likely to take the steps that will prevent a security breach from happening in the first place. Barker said the goal is to keep customers as informed as possible without unnecessarily cranking up the fear factor. When people regularly receive letters of gloom and doom, he said, they are more likely to grow apathetic to the threats around them.
Panelists said there is a silver lining around the data breach cloud: The constant headlines have increased awareness and companies are taking the need for a security program much more seriously than they would have otherwise.
Bob Russo, general manager of the PCI Security Standards Council, said the threat of a data breach has motivated many companies to take their PCI DSS compliance seriously. "When a data breach notification letter goes out it makes my job easier," he said. "People need to hear about it."
If anything, he said more companies are clinging to the PCI DSS as a roadmap to prevent data breaches. "I get calls from people who want to use PCI DSS as the basis for their own standards," he said. "Some companies are dragged into compliance kicking and screaming," but there's nothing like the prospect of brand reputation damage and lawsuits to get them to do what's necessary to secure systems and respond properly when there is a breach.