Sunday, September 30, 2007

Canada's privacy commission investigated the TJX breach 

You may remember the TJX data breach: 45 million customers of TJ Maxx and related stores had their credit card numbers stolen.

Some Canadians were victimized at stores in Canada, and Canada has some real privacy laws. The government investigated.

Canada's privacy regulations expect that businesses will tell customers why they're accumulating personal information, collect only what they need, and get rid of it as soon as it's no longer needed.

The stores failed on all counts. Customer credit card numbers were kept longer than required by the bank contracts, allegedly for use in "troubleshooting" credit card processing. The Canadian government never got an explanation that satisfied them about why that was necessary, and the stores never told the customers that their credit card numbers would be kept for years.

The government report actually seemed more worried about another data breach, of customer driver's license numbers. The report points out that those are valuable to crooks and hard for the innocent to change. Here the stores had a good business reason to collect personal information, because they were asking for ID from people returning merchandise without a receipt. Seems logical at first.

But this is a good example of storing more information than is really needed. What TJX could have done, and what they did do after talking to the government, was store the result of scrambling the driver's license number in a way that can't be unscrambled. Then every time someone returns something without a receipt, the store can scramble the driver's license number again, check the records, and see whether the same person has returned an unusual amount of merchandise, all without storing the actual driver's license number.
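Here is roughly what that scrambling can look like, as an added example that is not from the government report or from TJX, neither of which is quoted here on the method actually used. It assumes a keyed hash (HMAC-SHA256) rather than a plain one, because license numbers are short enough that a plain hash could be reversed by hashing every possible number. The names `PEPPER`, `license_token` and `ReturnsLog`, the 90-day window and the limit of 3 returns are all made up for illustration.

```python
import hashlib
import hmac
import re
from collections import defaultdict
from datetime import date, timedelta

# Assumption: a secret key kept outside the returns database (placeholder value).
PEPPER = b"constructed-demo-key-not-a-real-secret"


def license_token(jurisdiction: str, number: str, key: bytes = PEPPER) -> str:
    """One-way token for an ID: normalise the number, then HMAC-SHA256 it."""
    # Strip punctuation and case so the same card always yields the same token.
    norm = re.sub(r"[^A-Z0-9]", "", number.upper())
    msg = f"{jurisdiction.upper()}:{norm}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class ReturnsLog:
    """Stores only tokens and dates, never the license number itself."""

    def __init__(self, window_days: int = 90, limit: int = 3):
        self.window = timedelta(days=window_days)  # hypothetical policy
        self.limit = limit                         # hypothetical policy
        self.returns = defaultdict(list)           # token -> [date, ...]

    def record(self, jurisdiction: str, number: str, when: date) -> bool:
        """Log a no-receipt return; True if this ID is over the limit."""
        token = license_token(jurisdiction, number)
        recent = [d for d in self.returns[token] if when - d <= self.window]
        recent.append(when)
        self.returns[token] = recent  # entries outside the window are dropped
        return len(recent) > self.limit


def demo():
    """Constructed sample: one license, typed four different ways."""
    log = ReturnsLog()
    start = date(2007, 1, 5)
    visits = ["A1234-56789-01234", "a1234 56789 01234",
              "A12345678901234", "A1234-56789-01234"]
    return [log.record("ON", n, start + timedelta(days=7 * i))
            for i, n in enumerate(visits)]


if __name__ == "__main__":
    print(demo())
```

Anyone who steals the returns table gets tokens and dates; without the key they can't even test guesses against it.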

The US could use some privacy laws like Canada's. Does anyone ever tell you how long they're keeping your personal information, or what they plan to do with it?
