The Privacy Commissioner of Canada and the Office of the Information and Privacy Commissioner of Alberta have released their joint report into the TJX/Winners data breach. They found that TJX breached the collection, retention and safeguarding rules in both the federal and Alberta commercial privacy statutes.
With respect to TJX’s system for preventing the fraudulent return of goods, the commissioners held that TJX breached both statutes by collecting drivers license and other provincial ID numbers to identify individuals who returned goods without a receipt. While they accepted the importance of identifying such individuals for purposes of fraud control, they also held that retaining this sensitive data was not necessary and that TJX also did not give adequate notice of the purposes for its collection. The commissioners said:
A driver’s license is proof that an individual is licensed to operate a motor vehicle; it is not an identifier for conducting analysis of shopping-return habits. Although licenses display a unique number that TJX can use for frequency analysis, the actual number is irrelevant to this purpose. TJX requires only a number—any number—that can be consistently linked to an individual (and one that has more longevity and is more accurate than a name and telephone number).
Moreover, a driver’s license number is an extremely valuable piece of data to fraudsters and identity thieves intent on creating false identification with valid information. After drivers’ license identity numbers have been compromised, they are difficult or impossible to change. For this reason, retailers and other organizations should ensure that they are not collecting identity information unless it is necessary for the transaction.
Having made this finding, they accepted TJX’s proposal to create unique identifiers from provincial ID numbers by using cryptographic hashing and approved of a three-year retention period for this information.
On the collection and retention of payment card information for processing purposes, the commissioners held that TJX’s retention of information for 18 months in accordance with its contractual obligations to financial institutions was reasonable, but were critical of TJX’s practice of retaining the information for longer periods for “troubleshooting” purposes. They reasoned that TJX had not clearly established “troubleshooting” as a primary purpose for collection, nor had it established the need to retain information in order to troubleshoot.
Finally, the commissioners held that TJX did not meet the safeguarding standard in both acts, primarily because it failed to upgrade its wireless encryption protocol within a reasonable period of time. Version 1.1 of the Payment Card Industry Data Security was released in September 2006 and endorsed the “Wi-fi Protected Access” or “WPA” encryption protocol. The commissioners said that TJX should have been adhering to this standard by “late 2006.” They commented:
TJX relied on a weak encryption protocol and failed to convert to a stronger encryption standard within a reasonable period of time. The breach occurred in July 2005, conversion began in October 2005, and the pilot project was completed in January 2007. We are also aware that the final conversion to a higher level of encryption will be completed soon.
Furthermore, while TJX took the steps to implement a higher level of encryption, there is no indication that it segregated its data so that cardholder data could be held on a secure server while it undertook its conversion to WPA.
TJX had a duty to monitor its systems vigorously. If adequate monitoring of security threats was in place, then TJX should have been aware of an intrusion prior to December 2006.
This comes just days after a settlement was announced in the related class action lawsuit.
Report of an Investigation into the Security, Collection and Retention of Personal Information (26 September 2007, C.P.P. and Alberta O.I.P.C.).