Question

Case Study

On January 17, 2008, TJX Companies,

Inc., a leading retailer in the field of clothing

and home fashions which operates

stores domestically and internationally,

announced that the organization had

experienced an unauthorized intrusion

of its computer systems.1 Customer

information, including credit card, debit

card, and driver’s license numbers,

had been compromised. This intrusion

had been discovered in December

of 2006, and it was thought that data

and information as far back as 2003 had

been accessed and/or stolen. At the

time, approximately 45.6 million credit

card numbers had been stolen. In October

of 2007, the number rose to 94

million accounts.2 This has become the

largest known credit card theft or unauthorized

intrusion in history.

Because of the lax security systems at

TJX, the hackers had an open doorway to the company’s entire computer system.

In 2005, hackers used a laptop outside

of one of TJX’s stores in Minnesota and

easily cracked the code to enter into the

WiFi network. Once in, the hackers were

able to access customer databases at

the corporate headquarters in Framingham,

Massachusetts. The hackers gained

access to millions of credit card and debit

card numbers, information on refund

transactions, and customer addresses

and phone numbers. The hackers reportedly

used the stolen information to purchase

over $8 million in merchandise.3

TJX used an outdated WEP (wired equivalent

privacy) to secure its networks. In

2001, hackers were able to break the

code of WEPs, which made TJX highly

vulnerable to an intrusion. (Similar data

breaches have occurred within the past

few years at the firms ChoicePoint and

CardSystems Solutions.) In August of

2007, a Ukrainian man, Maksym Yastremskiy,

was arrested in Turkey as a

potential suspect in the TJX case. According

to police officials, Yastremskiy

is “one of the world’s important and

well-known computer pirates.”4 He led

two other men in the scheme.5

Even though the intrusion was discovered

in December of 2006, the company

did not publicize it until a month later.

Consumers felt that they should have

been notified of the breach once it was

discovered. However, TJX complied with

law enforcement and kept the information

confidential until it was told it could

notify the public. Retail companies such

as TJX that use credit card processing

are required to comply with the Payment

Card Industry Data Security Standard

(PCI DSS). The PCI DSS is a set of requirements

with the purpose of maximizing

the security of credit and debit card

transactions. A majority of firms have not

complied with this standard, as was the

case with TJX Companies.

A number of stakeholders were involved

in this break-in: consumers, who were put

at great risk; banks; TJX Companies (its

shareholders, management, employees,

and other internal parties who did business

with and were invested in the firm);

the credit card company; the law enforcement

and justice systems; the public;

other retail firms; and the media, to name

a few. CEO Carol Meyrowitz took an active

role in informing the public in statements

on the company’s Web sites and

through the media about the company’s

responsibility and obligations to its stakeholders

during and after the investigation.

TJX also contacted various agencies to

help with the investigation. A Web site

and hotline were established to answer

customer questions and concerns.

The intrusion cost TJX approximately

$118 million in after-tax cash charges

and $21 million in future charges. Although

TJX incurred substantial legal,

reimbursement, and improvement

costs, the company’s pre-tax sales

were not negatively affected. Sales during

the second quarter of fiscal year

2008 increased compared to second

quarter sales from fiscal year 2007.6

At the end of 2007, TJX reached a settlement

agreement with six banks and

bankers’ associations in response to a

class action lawsuit against the company.

7 In the spring of 2008, TJX settled

in separate agreements with Visa

($40.9 million with 80% acceptance)

and MasterCard International (a maximum

of $24 million with 90% minimum

acceptance). There was almost full acceptance

of the alternative recovery offers

by eligible MasterCard accounts.8

Note that those issuers who accept the

agreements and terms release and indemnify

TJX” and its acquiring banks on

their claims, the claims of their affiliated

issuers, and those of their sponsored

issuers as MasterCard issuers related

to the intrusion. That includes claims

in putative class actions in federal and

Massachusetts state courts.“9

Affected customers were reimbursed

for costs such as replacing their driver’s

license and other forms of identification

and were offered vouchers at TJX stores

and free monitoring of their credit cards

for three years. Customer discontent was

reportedly expressed after the intrusion;

however, customer loyalty returned,10 as

was evidenced in sales numbers. 4.1 MANAGING CORPORATE SOCIAL RESPONSIBILITY

IN THE MARKETPLACE

“Corporate social responsibility” (CSR) involves an organization’s duty and

obligation to respond to its stakeholders’ and the stockholders’ economic,

legal, ethical, and philanthropic concerns and issues.11 This definition

encompasses both the social concerns of stakeholders and the economic

and corporate interests of corporations and their stockholders. Generally,

society cannot function without the economic, social, and philantropic

benefits that corporations provide. Leaders in corporations who use

a stakeholder approach commit to serving broader goals, in addition to

economic and financial interests, of those whom they serve, including the

public.

Managing corporate social responsibility in the marketplace with multiple

stakeholder interests is not easy. As discussed in Chapter 3, ethics

at the personal and professional levels requires reasoned and principled

thinking, as well as creativity and courage. When ethics and social responsibility

escalate to the corporate level, where companies must make

decisions that affect governments, competitors, communities, stockholders,

suppliers, distributors, the public, and customers (who are also consumers),

moral issues increase in complexity, as the TJX security breach

opening case illustrated. For organizational leaders and professionals, the

moral locus of authority involves not only individual conscience but also

corporate governance and laws, collective values, and consequences that

affect millions of people locally, regionally, and globally.

In the opening case, the TJX executives had to deal not only with

their own customers, but with banks (in a class action suit), credit card

companies, the media, competitors, and a network of suppliers and distributors—

as well as their own reputation. What may have seemed like

a routine technical security problem turned into the largest-known credit

card theft/unauthorized intrusion in history. Had the CEO not stepped in

and became a responsible spokesperson and decision maker for the company,

customers may not have responded in kind.

The basis of corporate social responsibility in the marketplace begins

with a question: What is the philosophical and ethical context from which

corporate social responsibilty and ethical decisions are made? For example,

not everyone is convinced that businesses should be as concerned about

ethics and social responsibility as they are about profits. Many believe

that ethics and social responsibility are important, but not as important as a

corporation’s performance. This classical debate—and seeming dichotomy—

between performance, profitability, and “doing the right thing” continues to

surface not only with regard to corporate social responsibility, but also in political

parties and debates over personal and professional ethics. The roots of

corporate social responsibility extend to the topic of what a “free-market” is

and how corporations should operate in free markets. Stated another way,

does the market sufficiently discipline and weed out inefficient “bad apples”

and wrongdoers, thereby saving corporations the costs of having to support

“soft” ethics programs?

A security breach in a technological world is one of the biggest issues facing companies today. Cyber security is a critical consideration for any business but time and time again businesses are faced with the fear of hacking into their customers' information. Review the TJX case in the textbook. What are the ethical issues impacting the TJX case? What are the long term effects and how might this company win back trust?

Answer 1

Following are the ethical issues impacting the TJX case:

1. The basic definition of Corporate social responsibility” (CSR) of an organization is about its obligation towards its stakeholders’ and the stockholders’ economic, legal, ethical, and philanthropic concerns and issues. Here being ethical is of prime importance.
2. TJX must be accountable for all the information they are having about their clients and it must make sure to protect it. However, once the breach has happened TJX did the right thing by going to the public and informing the stakeholders.
3. The main goal of any organization of being in to the business is to make profit for its shareholders. But, at what cost, is the real question.

Long Term Effects:

1. TJX is going to lose the trust of its existing customers and other stakeholders. Many will part ways with TJX.
2. Due to negative publicity it will be very difficult to acquire new customer.
3. Other stakeholder who were put at risk like banks, TJX Companies (its shareholders, management, employees, and other internal parties who did business with and were invested in the firm), the credit card company, the law enforcement and justice systems, the public, other retail firms, and the media, will be very reluctant to get associated with TJX in the future.
4. Even hiring a good employee will prove difficult for TJX, as no one wants to get associated with un-ethical firm.

The Damage Control:

1. The first and foremost thing is to ensure, no such accident happen in the future. TJX can ensure this by investing sufficiently in its IT security system.
2. TJX should reach out to all those who were affected by the breach personally and apologies to them for what has happened.
3. To communicate to all its stakeholders that TJX will be highly ethical firm and will ensure fully complying with its obligations.