Can self-regulation ever ensure compliance?

Macy's refusal to hand over records of lead-laced necklace purchases calls into question the mettle of standards such as PCI

Macy's appears bent on proving that self-regulation doesn't work. And in this burgeoning era of accountability, that doesn't bode well for the tech industry, which relies often on self-regulation to ensure compliance with industry standards.

Back in December 2007, children's jewelry that contained lead paint was pulled from shelves in California. According to the L.A. Times, Mattel and others had to recall millions of "lead-laced" necklaces [PDF] from stores.

[ Cut straight to the key news for technology development and IT management, with our once-a-day summary of the top tech news. Subscribe to the InfoWorld Daily newsletter. ]

If you have ever watched a child play with toys like these, you know the first thing a child will do is put the necklace in his or her mouth -- just to see if it tastes good, I suppose.

Macy's was one of the retailers that pulled the necklaces. But when L.A. Deputy District Attorney Daniel Wright asked for the records of customers who bought the necklaces, Macy's refused to turn over any information. At issue is the ability to notify parents who purchased the necklaces for their children.

From the LA Times:

The department store's lack of cooperation comes nearly six months after the district attorney's office filed misdemeanor charges against Macy's, alleging that it falsely advertised necklaces as "lead nickel free" when they contained a significant amount of lead. Deputy Dist. Atty. Daniel Wright said he subpoenaed the customer information from Macy's in January, but the company has balked at turning it over. He said he believes Macy's customers could easily be tracked using records from credit cards and checks.

The hearing to force Macy's to turn over the records goes to court on April 7.

In this era of compliance, Macy's refusal begs contemplation. After all, it is unlikely that the company is taking a Constitutional stand against turning over customer data to the government, given the age-old doctrine that your right to free speech does not permit you to yell fire in a crowded movie theater.

It has been suggested that Macy's lack of cooperation is due to the fact that the retailer is not PCI (Payment Card Industry)-compliant. Federated Department Stores, which purchased Macy's and then changed its name to Macy's, also owns Men's Wearhouse, David's Bridal, Filene's Basement, and Premier Salon in Canada, among others. In short, it is a giant, one of many that Visa has been trying for quite some time to get to comply with its best practices, the PCI Data Security Standard, which as an industry standard, has no actual force of law.

Although the PCI rules lack legal teeth, no large retailer could afford to be out of compliance because all the major banks that process their credit cards would take away that right. As a member of the organization, Macy's would also be subject to heavy fines, as much as $100,000 per month.

Nevertheless, Macy's is not cooperating.

This begs another question: Have the merchant banks and major financial services companies that own these credit cards been looking the other way? In other words, is Macy's too big to blow the whistle on?

The idea that such a huge company never bothered to get its database compliant is shocking but frankly not hard to believe.

In high tech, we've seen this kind of behavior before. Many companies pay lip service to standards, only to ignore them in practice. But at least when this happens, it is usually just an inconvenience, one that can at times cost their customers lots of money to ensure interoperability.

But when Macy's refuses to hand over the names of customers whose children might be in serious danger, it is downright criminal as far as I can see.

Does this give self-regulation a black eye?

It certainly doesn't help.