David Canton is a business lawyer and trade-mark agent with a practice focusing on technology issues and technology companies.




October 22, 2007

TJX privacy breach lesson for retailers

David Canton @ 7:10 am

For the London Free Press – October 22, 2007


The Canadian and Alberta privacy commissioners recently released their findings on the TJX privacy breach.

The commissioners found that TJX failed on basic privacy principles. The frustrating part is that while these basic privacy concepts have been promoted by privacy advocates and legislation for years, they are often not followed.

Privacy laws and issues can be complex in both theory and practice, but in essence they come down to three basic high-level points: collect, use and disclose only the minimum personal information necessary; keep it only as long as it is actually needed; and secure it properly while you have it.

Too often organizations don’t take a critical look at their information practices and needs from that high-level perspective.

In December 2006, TJX Cos., which owns such retail stores as Winners and HomeSense, had a major security breach. Information on approximately 45.7 million credit and debit cards was jeopardized, here in Canada as well as in the United States. The subsequent privacy commissioner inquiries determined that the retailer was keeping too much sensitive information, was keeping it for too long after the sale transaction, and did not have adequate encryption safeguards.

While TJX was the subject of the inquiry, it is certainly not the only entity needing to take a second look at its privacy, technology and security systems. Retailers should learn from the mistakes of TJX and avoid falling into the same traps that allowed the security breach.

A joint press release of the Privacy Commissioners of Canada and Alberta stated: “The TJX breach is a dramatic example of how keeping large amounts of sensitive information — particularly information that is not required for business purposes — for a long time can be a serious liability.”

As consumers, we should question the practices of retailers when they ask for information about us. When making a return, for example, retailers are entitled to ask to see ID for fraud prevention purposes, but they should not record the details. Retailers are obligated to explain what they are using our information for.

Ask why the information is being gathered, and who is going to use it. Consumers need to become aware of what is being done with their information after their credit or debit cards are swiped, and what becomes of their information at the end of the day.

For example, for non-receipted returns TJX has implemented software that converts a driver’s license number or other form of identification into a unique identification number, and stores that number rather than the license number itself.
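As an added illustration of that approach (this is example code written for this page, not TJX’s software, which the column does not describe in detail), the Python below stores a keyed hash of the ID number instead of the number itself. Repeat returns by the same ID can still be counted, but the stored token cannot be turned back into the license number. The key, the ID formats and the sample numbers are assumptions made for the example. The contrast with an unkeyed hash is the practical point: license numbers come from a small, structured space, so a plain hash can be reversed by simply trying every candidate, whereas a keyed hash cannot be tested without the key.

```python
"""Tokenizing ID numbers for non-receipted returns (added example, not TJX code).

A keyed one-way token (HMAC-SHA256) replaces the license number in the
returns ledger. The same ID always maps to the same token, so repeat
returns can be counted, but the token does not reveal the number.
"""
import hashlib
import hmac
import re
from collections import defaultdict
from typing import Callable, Iterable, Optional, Tuple

# Hypothetical key, constructed for this example. In a real deployment it
# lives in a secret manager or HSM and never sits beside the ledger.
TOKEN_KEY = bytes.fromhex(
    "5f1c3a7e9b2d4c6f8a0e1b3d5f7a9c2e4d6b8a0c2e4f6a8b0d2f4e6c8a1b3d5f"
)

_NON_ALNUM = re.compile(r"[^A-Z0-9]")


def normalize_id(id_type: str, number: str) -> str:
    """Canonical form so 'ON A1234-567' and 'on a1234 567' tokenize identically."""
    id_type = id_type.strip().upper()
    number = _NON_ALNUM.sub("", number.upper())
    if not id_type or not number:
        raise ValueError("id_type and number are required")
    return f"{id_type}:{number}"


def id_token(id_type: str, number: str, key: bytes = TOKEN_KEY) -> str:
    """Keyed one-way token for an ID number; deterministic for a given key."""
    msg = normalize_id(id_type, number).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def unkeyed_digest(id_type: str, number: str) -> str:
    """The weak alternative (plain SHA-256), kept only to contrast with id_token."""
    return hashlib.sha256(normalize_id(id_type, number).encode()).hexdigest()


def new_ledger() -> defaultdict:
    """Ledger keyed by token; the ID number itself is never stored."""
    return defaultdict(list)


def record_return(ledger: defaultdict, id_type: str, number: str, amount: float) -> str:
    token = id_token(id_type, number)
    ledger[token].append(amount)
    return token


def returns_for(ledger: defaultdict, id_type: str, number: str) -> int:
    """How many returns this ID has made, looked up by token only."""
    return len(ledger.get(id_token(id_type, number), []))


def guess(target: str, candidates: Iterable[Tuple[str, str]],
          hasher: Callable[[str, str], str]) -> Optional[str]:
    """Dictionary attack: hash every candidate ID and compare with the stored value."""
    for id_type, number in candidates:
        if hasher(id_type, number) == target:
            return normalize_id(id_type, number)
    return None


if __name__ == "__main__":
    ledger = new_ledger()
    record_return(ledger, "ON", "A1234-567", 49.99)
    record_return(ledger, "on", "a1234 567", 12.50)
    print("returns on this ID:", returns_for(ledger, "ON", "A1234567"))

    # Constructed 4-digit ID format: small enough to enumerate in full.
    cands = [("DL", f"{n:04d}") for n in range(10000)]
    print("unkeyed digest recovered:", guess(unkeyed_digest("DL", "4217"), cands, unkeyed_digest))
    attacker = lambda t, n: id_token(t, n, key=b"attacker does not have TOKEN_KEY")
    print("keyed token recovered:", guess(id_token("DL", "4217"), cands, attacker))
```

The ledger holds only tokens and amounts, so a copy of it is not a list of license numbers. The attack helper shows why the key matters: with a plain hash, every 4-digit candidate can be tried and the number recovered; with the keyed token, an attacker who lacks the key cannot test candidates at all. Note that the key itself then becomes the sensitive asset and needs the same retention and access discipline the column urges for the data.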

Another lesson is that privacy protections must be reviewed and updated regularly. The Commissioners were critical of the time it took TJX to upgrade its security protocols. Organizations often have a difficult time determining what IT security is necessary or appropriate. High levels of protection often come with onerous requirements for overhead and management. Accepted industry standards may be unclear or uncertain.

The risks of security breaches can only be minimized if organizations stay on top of developments in the security area, and implement improvements as best they can.
