The site pogowasright is carrying a post in the Electronic Data Records Law blog by Benjamin Wright, an attorney and "specialist in email compliance and risk management controls and services." I usually tend to offer commentary on stories where a data breach could have been avoided via the use of disk encryption. But, I'd like to cover this latest post by Wright because it seems to me that he's falling for a particular bias, not in the sense of prejudice, but one that is more "clinical" in nature: outcome bias. And many people tend to fall for it, if behavioral psychologists are to be believed (I have yet to find a reason not to believe them). A good definition of outcome bias is found at the Wikipedia site:
"One will often judge a past decision by its ultimate outcome instead of based on the quality of the decision at the time it was made, given what was known at that time. This is an error because no decision maker ever knows whether or not a calculated risk will turn out for the best. The actual outcome of the decision will often be determined by chance, with some risks working out and others not. Individuals whose judgments are influenced by outcome bias are seemingly holding decision makers responsible for events beyond their control." [emphasis mine]
Why do I bring this up? Because Wright's arguments are mostly based on what was found after the entire debacle died down a bit, ending in the culmination of the indictments of eleven people who were associated with the TJX breach. (I should note, however, that because the crime was international in nature, only three are actually under custody. It's not known whether the remaining eight will ever be found. Heck, one of them is known only via his online alias).
$65 Million vs. $1 Million
The main point that Wright makes is that the "the costs incurred to cancel cards far exceeded the true magnitude of the TJX break-in." As evidence, he notes TJX's $65 million settlement with credit card issuers. The actual cost of fraud-although Wright notes that a final accounting is yet to be published-currently stands at tens of thousands of dollars in cash and at least one million dollars in fraudulently bought gift cards.
$65 million vs. $1 million and change-it does look like an overreaction. The $65 million was used to cover the reissue of all the cards that were believed to be compromised at TJX. An additional point that Wright made was that obviously there was no need to have all the cards reissued: look at that 65 to 1 disparity. I agree; while dollars cannot be directly translated into the number of cards affected-obviously charges per card will differ-doesn't it look like only replacing, say, a third of the cards, would've done the trick?
However, Wright can only make this observation because the perpetrators weren't able to make further charges: the old credit cards were voided. If a mass reissue of cards was not done by the credit card companies, who knows how much higher the $1 million plus figure could have climbed?
Granted, these hackers had millions upon millions of cards with them, and had collected them over a period of 18 months, giving them ample time to make some serious damage. But there is no law stating that hackers ought to carry out their illicit activities in a linear fashion: perhaps they were starting out small to see if anyone noticed, and planned on bigger activities further on. We'll never know, because the perps were stopped dead in their tracks. If the cards are void, the criminals can't carry out their fraudulent activities; it's that simple. So, the same action that Wright is criticizing is probably the reason why that figure of fraudulent charges, $1 million and change, stayed so low. Remember, the cards weren't reissued until mid 2007. The criminals were identified and three were arrested just days ago. If cards hadn't been reissued...one year is a long time, and someone could have done some real damage.
Plus, I did find an article at the WSJ where it's stated that the incident could be tied to "$8 million worth of gift cards and used them to buy flat-screen TVs, computers and other electronics across 50 of the state's 67 counties." The above $1 million could be quite an underestimate.
Moral Hazard
Wright also points out that the credit card system is robust, and that "the multiform layers of controls in the system make it very hard and dangerous for criminals to capitalize on data stolen from a merchant." OK, I believe that.
I mean, I've experienced a small part of it. I know my bank will call me once in a while when I make a purchase that seems out of the ordinary. I also know that it costs money to staff these people who call me. I'd imagine that an increase in suspicious activities in the system (thanks to the breach of credit card data) will result in more people having to be staffed in order to call more customers, more often. Who pays these people? Certainly not TJX.
Plus, banks are not hooked up to TSA's database (which is a good thing). I note this because banks don't know whether you're on vacation or not. Let's say that you decide to take a vacation to Tahiti, and flash your credit card to buy coral necklaces for yourself, your friends, and family. Your card gets declined because it's outside your normal activity (which what a vacation technically happens to be). How are these bank representatives going to reach you to confirm the purchase? You're on vacation. (This doesn't have to be relegated to vacations only, by the way. It happens often enough that for some people it's more than an inconvenience.)
By nature, such actions are a double edged sword. When a bank stops a sale because it suspects fraud-and it happens to be fraud-they get praise from the customer; otherwise, if it's a legitimate charge, the bank gets ill will, perhaps a random blog post about the "stupidity" of certain banks. The bank never knows on what end the sword will fall. Why should the bank have to juggle this PR problem when it was a retailer that screwed up?
I don't know what other systems are in place, but I'd imagine it means that the banks would be heavily involved in the process. Why should banks have to take on the ongoing costs of a mistake a merchant made? Especially when said merchant was a) not in compliance with the rules and b) knew it was not in compliance with the rules and decided to keep the system that way? TJX supposedly used a weaker form of encryption to secure their wireless data, knowing it didn't provide adequate protection because they wanted to save money.
Let's remember that no one knew what the end result would have been when the TJX situation was revealed. Not knowing what would happen, the only way to fix the situation would have been to reissue cards, and have TJX pay for it, since it was their fault. Maybe it's a lack of imagination on my part, but pretty much any other solution would have meant that TJX was getting off the hook for actual damages as far as they knew, one year ago. Anything else would have meant letting TJX off the hook, and that may have created a moral hazard industry wide.
The Irony
What I find ironic is that, while TJX didn't understand the value of encryption, the hackers did, twofold: first, when breaking into TJX due to the merchant's weak encryption; and second, when they decided that file encryption was the way to keep safe their ill gotten data.
Tim Maliyil is CEO and founder of Data Guard Systems, Inc., a leading developer and marketer of endpoint managed security services and online business management software, based in New York City. Data Guard Systems is an Application Service Provider (ASP) and offers intuitive business management software to various industries. Data Guard's flagship product is the AlertBoot data security managed service. AlertBoot offers full disk encryption and a comprehensive suite of disk security solutions as a centralized, managed service. Deployment times and support are significantly reduced, thus resulting in a lower overall total cost of ownership for an organization. Prior to founding Data Guard Systems, Mr. Maliyil served as the Director of IT at HarborTech, a privately-held supply chain house for the semiconductor industry. He also held various positions at Netegrity (now Computer Associates). Mr. Maliyil holds a B.S. in Computer Science from Tufts University.
"One will often judge a past decision by its ultimate outcome instead of based on the quality of the decision at the time it was made, given what was known at that time. This is an error because no decision maker ever knows whether or not a calculated risk will turn out for the best. The actual outcome of the decision will often be determined by chance, with some risks working out and others not. Individuals whose judgments are influenced by outcome bias are seemingly holding decision makers responsible for events beyond their control." [emphasis mine]
Why do I bring this up? Because Wright's arguments are mostly based on what was found after the entire debacle died down a bit, ending in the culmination of the indictments of eleven people who were associated with the TJX breach. (I should note, however, that because the crime was international in nature, only three are actually under custody. It's not known whether the remaining eight will ever be found. Heck, one of them is known only via his online alias).
$65 Million vs. $1 Million
The main point that Wright makes is that the "the costs incurred to cancel cards far exceeded the true magnitude of the TJX break-in." As evidence, he notes TJX's $65 million settlement with credit card issuers. The actual cost of fraud-although Wright notes that a final accounting is yet to be published-currently stands at tens of thousands of dollars in cash and at least one million dollars in fraudulently bought gift cards.
$65 million vs. $1 million and change-it does look like an overreaction. The $65 million was used to cover the reissue of all the cards that were believed to be compromised at TJX. An additional point that Wright made was that obviously there was no need to have all the cards reissued: look at that 65 to 1 disparity. I agree; while dollars cannot be directly translated into the number of cards affected-obviously charges per card will differ-doesn't it look like only replacing, say, a third of the cards, would've done the trick?
However, Wright can only make this observation because the perpetrators weren't able to make further charges: the old credit cards were voided. If a mass reissue of cards was not done by the credit card companies, who knows how much higher the $1 million plus figure could have climbed?
Granted, these hackers had millions upon millions of cards with them, and had collected them over a period of 18 months, giving them ample time to make some serious damage. But there is no law stating that hackers ought to carry out their illicit activities in a linear fashion: perhaps they were starting out small to see if anyone noticed, and planned on bigger activities further on. We'll never know, because the perps were stopped dead in their tracks. If the cards are void, the criminals can't carry out their fraudulent activities; it's that simple. So, the same action that Wright is criticizing is probably the reason why that figure of fraudulent charges, $1 million and change, stayed so low. Remember, the cards weren't reissued until mid 2007. The criminals were identified and three were arrested just days ago. If cards hadn't been reissued...one year is a long time, and someone could have done some real damage.
Plus, I did find an article at the WSJ where it's stated that the incident could be tied to "$8 million worth of gift cards and used them to buy flat-screen TVs, computers and other electronics across 50 of the state's 67 counties." The above $1 million could be quite an underestimate.
Moral Hazard
Wright also points out that the credit card system is robust, and that "the multiform layers of controls in the system make it very hard and dangerous for criminals to capitalize on data stolen from a merchant." OK, I believe that.
I mean, I've experienced a small part of it. I know my bank will call me once in a while when I make a purchase that seems out of the ordinary. I also know that it costs money to staff these people who call me. I'd imagine that an increase in suspicious activities in the system (thanks to the breach of credit card data) will result in more people having to be staffed in order to call more customers, more often. Who pays these people? Certainly not TJX.
Plus, banks are not hooked up to TSA's database (which is a good thing). I note this because banks don't know whether you're on vacation or not. Let's say that you decide to take a vacation to Tahiti, and flash your credit card to buy coral necklaces for yourself, your friends, and family. Your card gets declined because it's outside your normal activity (which what a vacation technically happens to be). How are these bank representatives going to reach you to confirm the purchase? You're on vacation. (This doesn't have to be relegated to vacations only, by the way. It happens often enough that for some people it's more than an inconvenience.)
By nature, such actions are a double edged sword. When a bank stops a sale because it suspects fraud-and it happens to be fraud-they get praise from the customer; otherwise, if it's a legitimate charge, the bank gets ill will, perhaps a random blog post about the "stupidity" of certain banks. The bank never knows on what end the sword will fall. Why should the bank have to juggle this PR problem when it was a retailer that screwed up?
I don't know what other systems are in place, but I'd imagine it means that the banks would be heavily involved in the process. Why should banks have to take on the ongoing costs of a mistake a merchant made? Especially when said merchant was a) not in compliance with the rules and b) knew it was not in compliance with the rules and decided to keep the system that way? TJX supposedly used a weaker form of encryption to secure their wireless data, knowing it didn't provide adequate protection because they wanted to save money.
Let's remember that no one knew what the end result would have been when the TJX situation was revealed. Not knowing what would happen, the only way to fix the situation would have been to reissue cards, and have TJX pay for it, since it was their fault. Maybe it's a lack of imagination on my part, but pretty much any other solution would have meant that TJX was getting off the hook for actual damages as far as they knew, one year ago. Anything else would have meant letting TJX off the hook, and that may have created a moral hazard industry wide.
The Irony
What I find ironic is that, while TJX didn't understand the value of encryption, the hackers did, twofold: first, when breaking into TJX due to the merchant's weak encryption; and second, when they decided that file encryption was the way to keep safe their ill gotten data.
Tim Maliyil is CEO and founder of Data Guard Systems, Inc., a leading developer and marketer of endpoint managed security services and online business management software, based in New York City. Data Guard Systems is an Application Service Provider (ASP) and offers intuitive business management software to various industries. Data Guard's flagship product is the AlertBoot data security managed service. AlertBoot offers full disk encryption and a comprehensive suite of disk security solutions as a centralized, managed service. Deployment times and support are significantly reduced, thus resulting in a lower overall total cost of ownership for an organization. Prior to founding Data Guard Systems, Mr. Maliyil served as the Director of IT at HarborTech, a privately-held supply chain house for the semiconductor industry. He also held various positions at Netegrity (now Computer Associates). Mr. Maliyil holds a B.S. in Computer Science from Tufts University.
