For an investigation that spanned several months and involved provincial support, the report on the TJX investigation from the Privacy Commissioner of Canada managed to keep things pretty brief.
Among the discoveries in its scant 20 pages: the multi-national retailer didn’t need to collect all those drivers’ licence numbers and phone numbers in its database; it should have disposed of that data at some point; its wireless network wasn’t very secure, either. Is there anything in this report that the average Canadian aware of the TJX situation didn’t already know?
Privacy Commissioner Jennifer Stoddart’s only distinction is that she was the first among international authorities to take a closer look at the incident, which compromised the personal information of an estimated 45.7 million individuals.
She still managed to lag behind TJX itself, which outlined a compensation plan — which included three years of credit-monitoring services along with identity theft insurance coverage — a few days before her report was published.
Even though it violated Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) as well as similar provincial legislation, TJX isn’t about to face any fines. The privacy commissioner’s chief power, if you can call it that, is to publicly shame organizations into changing their ways. Even as they published their report, however, Stoddart and her colleagues shied away from doing that. Stoddart focused instead on the role that consumers play. They shouldn’t be so quick to give out data, she said, a lesson anyone with an Internet connection and an e-mail account would surely have learned by now.
Most IT managers reading Stoddart’s report (assuming any of them bothered) would probably close it with a shrug. Who couldn’t suggest tougher encryption to protect data? The privacy experts need to go beyond surface advice and help technology professionals figure out their place in safeguarding information.
At a company like TJX, the IT department is probably responsible for setting up the databases and the technologies that route information to them. They probably didn’t decide on the collection strategy, and may not be given much direction on retention and disposal. In many organizations a chief privacy officer has been created for this purpose, but surely that doesn’t absolve IT managers of responsibility.
Imagine a privacy commissioner bold enough to suggest additional powers for IT managers under PIPEDA that would give their ideas greater weight in the decision-making processes concerning consumer data. As the legislation exists today, companies like TJX will likely ignore PIPEDA when a breach like this occurs, because it is just one Act among many. There is little real accountability and few consequences, apart from a few more headlines.
If privacy practices are to improve, public officials may need to learn a lot more about how IT in the enterprise really works. Perhaps then they could come up with recommendations that cause substantial changes to workflow and policy, rather than a document that does little more than state the obvious.