Flawed Assumptions in the Albert Gonzalez Case

Albert Gonzalez, 28, of Miami, Fla., is charged with swiping credit and debit card numbers of more than 170 million accounts in what prosecutors call the largest identity fraud case in U.S. history. The hacker, who was formerly an informant for the U.S. Secret Service, has reportedly agreed to plead guilty to conspiracy, wire fraud and aggravated identity theft charges.
U.S. Law Enforcement Handout
This column was written by Evan Schuman, the editor of StorefrontBacktalk, a site that tracks retail technology, e-commerce and security issues. Retail Realities appears every Friday. Evan can be reached at E-mail and on Twitter.
As attorneys and retailers argued recently about the sentencing and secrecy of Albert Gonzalez's criminal empire, various fundamental retail realities were forgotten.

Consider, for example, arguments on both sides that JCPenney and Wet Seal would have their stock prices seriously hurt if word of their involvement leaked out. The federal judge overseeing that discussion said any stock impact from the retailer's own doing, but he neglected to point out that there is absolutely no reason to believe that there will be any stock impact.

When JCPenney's lawyer made that argument, the judge should have said, "OK. Well, the names of TJX, BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, DSW, Forever 21, Hannaford and 7-Eleven have already been identified as victims. Show me what kind of stock impact any of them had, limiting it, of course, to stock changes that related to the breach disclosure." Hint: none of those chains suffered any breach-disclosure-related stock (or, for that matter, revenue) impact.

TJX specifically felt compelled to note in a federal filing last month that it suffered zero stock impact as a result of the breach disclosure. But that shouldn't be a surprise because none of the victims have reported any-not even a little-revenue drops. This brings us to the next logic disconnect.

JCPenney Attorney Michael Ricciuti argued in a federal filing that disclosing his client's name "would only cause financial harm to the company, alarm customers needlessly." That's a good argument, were it not for that fact that it's ridiculous. The assumption that such a disclosure could cause financial harm and alarm customers is based on the belief that consumers care in any way about retail security.

If TJX and Hannaford-and the others-have taught us nothing else, they've established the seemingly limitless depth of American consumer apathy regarding retail security. First, consumers aren't paying any attention. But if they did, they wouldn't care, thanks to the card brands' zero liability program. That's why no meaningful consumer financial losses have been reported in any of these breaches.

From JCPenney Attorney Kevin Walsh, in another filing: "Consumer confidence in the security of JCPenney's computer systems is almost as important as the reality of that security." There's a lot of truth in that statement, but it skates over the fact that "consumer confidence" is predicated on that consumer giving a flying magstripe in the first place.

So much for consumer apathy. Let's move on to retailer cynicism. Here's a comment from Assistant U.S. Attorney Stephen Heymann, in a letter to U.S. District Court Judge Douglas P. Woodlock: "Knowing that card holders will be concerned that their credit or debit information has been put at risk, if they know it, provides an incentive to companies to invest in the protections their customers want. Transparency makes the market work in this area."

Beyond the fact that consumer apathy undermines the logical premise of Heymann's comment, retailer cynicism now plays a very key role. Premise One: No system, regardless of how well-funded, is bulletproof. Premise Two: In this weak economic climate, the only things that matter are boosting profits, revenue and marketshare, in that order. Premise Three: Putting in more sophisticated encryption is not going to change Premises One or Two.

But is the threat of being revealed to a public that is more interested in American Idol rankings than in whether their local supermarket is selling their debit card data on the black market such a scary thing?

As a practical matter, retailers will do what PCI requires them to do and probably not a heck of a lot more than that. Show me the board that will insist they do materially more and I'll buy lunch for you and 100 of your closest friends.

Two related notes: JCPenney did aggressively try and keep its name out of the public dockets, but it didn't deny that it was the retailer, at least to the best of our ability to determine. Others made such denials, but we can't trace any to the chain itself. No one can prove a negative, but it looks like JCPenney was shooting straight.

Speaking of shooting straight, when the federal filings were unsealed Monday (March 29), we here at StorefrontBacktalk were blushing. Two stories covering the case had been introduced as evidence: one from JCPenney and the other from the Justice Department. Both stories came from us.

As long as we're blushing, let's place this under the heading of "You Read It Here First And You Probably Will Always Read It Here First." We've been pushing coverage of the Gonzalez case since the earliest reports of the TJX breakin. We were the first publication to report on the unidentified retailer in the Massachusetts indictment, back in August 2008.

We were also the first media outlet to report that Target was the unidentified retailer from Massachusetts and that JCPenney was the unidentified retailer from New Jersey back in August of last year, some five months before Target fessed up. And then last week, we reported the identity of Wet Seal and the court's confirmation of JCPenney more than three days anyone else could confirm it.

We don't know what other surprises retail technology and E-Commerce will deliver next week and every week thereafter, but we'll do everything we can to continue delivering it to you first. End of commercial.
By Evan Schuman
Special to CBSNews.com