New laws target data security problem

As more details emerge about the recently disclosed security breach at TJX Companies, lawmakers in Massachusetts are considering new laws that would put the onus for paying for such breaches on retailers and merchants, rather than banks and credit unions, the Wall Street Journal reported Thursday.

In Massachusetts, Attorney General Martha Coakley is hoping to force significant changes to the manner in which companies are allowed to collect, store, and protect sensitive consumer data.

"[Coakley] is looking at a number of issues and working with the legislature to see what types of measures we can implement to better protect consumers," said Melissa Sherman, Coakley's press secretary.

But security and privacy experts agree that new laws, in themselves, won't prevent a repeat of the data breach experienced by TJX, which continues to increase in scope. And that the hack of that retailer's network should provide a chilling lesson to businesses that are failing to adequately safeguard their sensitive information.

As illustrated by the retailer's continued discovery of new incidents of IT systems intrusion, enterprises that don't have sufficient security tools in place will have a hard time simply piecing together the details of what has happened when their data is attacked, industry watchers observed.

On Feb. 21, Framingham, Mass.-based TJX announced that it had discovered a new set of IT systems intrusions that exposed the personally identifiable information of an undetermined number of its customers.

Company officials said that in addition to the IT systems break-ins TJX detailed in January 2007 -- which occurred during 2003 and between May and December 2006 -- it now believes that intruders also infiltrated its databases repeatedly during 2005.

TJX offered no further details regarding the nature or volume of the information that was accessed by outsiders during the newly reported intrusions, and said that the firm only recently discovered the additional incidents, which started in July 2005 and continued over a period of time that the company classified only as "subsequent dates," in a statement.

The fact that TJX -- which has already been publicly chided by MasterCard International, among others, for failing to meet established data security standards -- is still unraveling the exact details of the attack serves as testament to the notion that ill-prepared businesses will struggle just to understand how and when they've been penetrated, experts said.

"The scary thing is that we are learning that this type of situation is not uncommon. It's like someone broke into your house by picking the lock and only took items you wouldn't notice were missing," said Richard Mogull, an analyst with Gartner, in Stamford, Conn.

"Companies such as retailers are collecting tons of information and not securing it properly, and if they don't have sufficient monitoring technology in place, which most firms do not, it's surprising that they can figure out what has happened at all," he said.

Makers of security software designed to help companies fight such data loss contend that IT executives, when they first try out one of the programs, are typically shocked to find out where all their sensitive data is located and how it is being handled by employees and business partners.