Over on The Tech Herald, Steve Ragan takes a somewhat more sympathetic view to J.C. Penney than I have generally taken. Steve writes, in part:
Most of the media reports are painting the picture that J.C. Penney suffered a breach and did nothing. That isn’t entirely true. The company cooperated fully when asked and it was only when the case moved from New Jersey that it sought to keep the J.C. Penney name out of view.
Well, that isn’t true. According to court documents filed by their attorney (see Exhibits B, D, and E), J.C. Penney was vigorously trying to keep its name shielded even while the case was in New Jersey. Steve continues:
J.C. Penney was hacked, but it resolved the issue internally. The only thing it didn’t do was tell the world about what steps had been taken after talking with the Secret Service.
That’s the second thing it didn’t do. The first thing it didn’t do was tell all of its customers that there had been a security breach and that it had been handled with no risk to them. Even if the law did not require disclosure and notification, should the company have been more transparent with its customers? I think so.
J.C. Penney is confident that its fraud detection and prevention measures would have prevented abuse, assuming that the data accessed and disclosed in the ICQ conversation would have been enough to produce a fake store card.
Would have, could have, should have. The bottom line is that, as far as I can tell, JCP did not know that there had been a breach until it looked for one after the government alerted it to the breach. If it knew about it before being notified, I would welcome a statement from the company to that effect. Given that the chat logs (Exhibit A in the filing by U.S. Attorney Stephen Heymann in opposition to the protective order) indicate that hackers were seemingly going in and out at will over a period of months, and that by December 24, 2007, Gonzalez claimed to have access to their POS network [update/note: JCP denies that Gonzalez had access to POS or any customer databases], does Steve really think that no disclosure to customers was in order? Steve reports that JCP would later claim that the partial card data posted in the chat log was from store cards and was incomplete, and that it also claimed that it notified the customers whose partial data were displayed and proactively replaced their cards. But should it have notified all of its customers of the breach, and should it have been afforded victim status by the Massachusetts court? Should an entity be allowed a corporate “Whew!” and not have to disclose or be outed by a court?
Even though I may have occasionally characterized an entity as being a victim of a breach, for the most part I do not view entities as victims of breaches. They are conduits to the real victims’ data — the consumers or employees or patients whose data have been collected and retained by the entity. Indeed, it is not even really clear to me why 18 U.S.C. § 3771 was expanded to include corporations as victims, as that chapter defines a victim as “a person….” That statute is at the crux of companies seeking to shield their identities from public disclosure. But U.S. Attorney Stephen Heymann seemed to agree that corporations can be victims under that statute, as in another motion submitted to the court, he wrote:
There are three broad classes of victims in the present case. First, there are those corporations whose computer networks were compromised by the defendant and his coconspirators. Second, as charges were made to debit and credit cards stolen from corporate victims, the financial loss was primarily passed through to, and borne by, hundreds of issuing banks. Tens of millions of payment and debit cards were stolen during the course of the conspiracy. Third, in some instances, individuals whose payment cards were stolen and fraudulently used suffered financial or other harm that was not, or could not be, passed through to the bank that issued their credit/debit cards.
Both J.C. Penney and Wet Seal were in a similar situation. Although there was clear evidence that the security of their systems had been breached, neither (with the possible exception of some store credit card numbers of J.C. Penney customers) had consumer data accessed or acquired. Neither was under any legal obligation to disclose or notify the public. Both took steps to address the security of their servers. And both companies tried to stop the Massachusetts court from revealing their identities. Although J.C. Penney waged a more vigorous legal campaign and argued more forcefully under seal to protect its identity from disclosure, Wet Seal also filed under seal to protect its identity.
Reading J.C. Penney’s memorandum in support of their motion to intervene, I have to say that they present a pretty compelling argument. Noting that the government had withheld the identity of other victims of the hacker(s) under 18 U.S.C. § 3771, JCP’s attorney argues:
Moreover, prohibiting disclosure of Company A’s identity is appropriate where, as here, “the right to access is outweighed by the interests favoring non-disclosure.” United States v. Salemme, 985 F.Supp. 193, 195 (D. Mass. 1997). “Among the countervailing factors favoring non-disclosure are: (i) prejudicial pretrial publicity; (ii) the danger of impairing law enforcement or judicial efficiency; and (iii) the privacy interests of third parties.” United States v. Salemme, 985 F.Supp. 193, 195 (D. Mass. 1997); see also United States v. Madoff, 626 F.Supp.2d 420 (S.D.N.Y. 2009) (refusing to unseal identifying information concerning victims because their significant privacy interests outweighed the public’s right to know).
[…]
These standards manifestly support non-disclosure of Company A’s identity. Because there is no evidence that customer information was stolen by Gonzalez’s alleged intrusion into Company A, there is no need or purpose in divulging the identity of the victim to the public. The public has not been granted access to Company A’s identity; there is nothing but unsubstantiated speculation by a lone blogger about Company A’s identity, and critically no government confirmation of those (accurate) allegations. The victim, Company A, has objected to the disclosure of its identity from the outset – an objection to which the government has acceded.
And, most importantly, Company A’s privacy interests are strong – disclosure of Company A’s identity would stigmatize Company A and cause unwarranted alarm for its customers and shareholders by erroneously suggesting that the government has concluded its customer data was stolen when it had not, and will likely cause anger that such allegations are being disclosed by the government now after having not been for so long. Indeed, such disclosure provides the public with no useful, current information. And there seems no real possibility of prejudice to the defendant in this case by the allowance of this motion, as he has been advised of Company A’s identity by the government’s filing.
The government in this District has protected the identity of other victims under § 3771. Most importantly, the government – in its own case against this same defendant for the same type of conduct – saw fit not to disclose corporate victims of Gonzalez’s alleged criminal conduct. Rule 112.4 Corporate Disclosure Statement, 08-CR-10233-PBS, Dkt. No. 8 (September 11, 2008).
[…]
Disclosing the identity of a victim like Company A disregards the victim’s “privacy interests [which] are important” under § 3771, and “discourages similarly situated victims from cooperating with law enforcement.” Robinson, 2009 WL 137319, at *3 (citing 18 U.S.C. § 3771(a)(8)).
Okay, that lawyer may not have prevailed but he certainly gave this blogger food for thought. Should these retailers’ names have been made public if other entities that may have suffered breaches were not disclosed? Goose? Gander?