The TJX company, parent of TK and TJ Maxx, isn’t the only party looking foolish in the light of last week’s revelation that raiders had rifled through the company’s poorly-protected databases for customer data. UK law-makers too should take a look at their actions – or lack of them.
The theft is said to affect a large number of customers across the US, the UK and Ireland, but the more interesting story from the UK side is that we have found out about such a massive compromise at all. Incredibly, the public reason that TJX had to confess to the worst data theft disaster ever to be publicly notified was that it was legally bound to under disclosure laws in its registered state of Massachusetts.
As we’ve never stopped pointing out, there is no compulsion for businesses in the UK to tell customers how their data might have been compromised, or even if it has been secured at all. So, it is thanks to law-makers thousands of miles away that a large number of people in the UK will have to scan their credit card statements for some months to come.
Does the UK need similar laws? Yes, but it is not likely to get any in the foreseeable future. Instead, the law that just changed, as of April 1st in fact, is that of disclosing credit and debit card theft to the authorities. From now on, anyone suspecting credit card fraud has to report the theft not to the police, but to the card issuer. There are complex reasons for this change – it promises to make possible better fraud reporting for instance – but it is extraordinary that the card issuers are not required to return the compliment.