TJX, the U.S.-based owner of Winners and HomeSense stores, had a massive security breach which put the personal information of millions of customers at risk.
The company collected driver’s licence numbers, credit card numbers and transaction records from clients and held onto that information indefinitely.
The Privacy Commissioner of Canada highlighted this breach to the media in 2007. And made several observations:
- The security measures that TJX put in place relied on weak encryption technology
- Thieves were able to hack into the company’s database and use the information
- The TJX breach is a dramatic example of how keeping large amounts of sensitive information — particularly information that is not required for business purposes — for a long time can be a serious liability
The Privacy Commissioner also made one other key comment:
The message for retailers is think carefully about how you use personal information. …Think about what information you’re collecting, why you have to collect it, how long you should keep it and how safely it is stored.
Down here, in the US of A, there are some retailers that request photo id to confirm a purchase or to check-in at a hotel. This happened to me several times over the past week. Yesterday, we stopped by a hiking store to pick up a few items. About thirty dollars. I paid with my American Express card. And I was asked for photo id.
The cashier gave a very cursory glance of the id from about three feet away.
So I asked her.
“Why do you ask for photo id?”
“Well, so many people steal credit cards.Â We do this to make sure that you have a right to use the card.”
Great Smoky Mountains receives somewhere in excess of 10 million visitors a year. And this store is in the prime shopping area.
“How many times have you found someone using another person’s card?”
“Over the past ten years? Once.”
“Does the card company ask you to demand photo id?”
“No. It is our choice.”
The cashier, who I assumed to be the owner, went on at length to defend her need to see photo id whenever a purchase is made. She summarized her position by saying: “It’s the right thing to do.”
No. It is not the right thing to do. Demanding proof of identity is not a moral act nor is it a legal requirement. It is simply a discretionary “policy” that treats every customer as a suspect.
The card company assumes the responsibility to ensure the appropriate distribution of their product. They also assume the liability for fraudulent use of their product. If they have a concern that the level of fraud is too high, then they can take additional steps — like the recent introduction of smart cards where an individual must have a PIN as well as the original card to make a purchase.
To interrogate customers at point of sale to confirm their identity is an open invitation for identity theft particularly if that information is captured and retained.
I thanked her for her point of view. I also wondered whether, in ten years time, I would have a similar discussion with a retailer defending their policy to take a DNA sample for a thirty dollar purchase.