The interesting thing about the TJX caper is not that TJX lost the credit card data of 96 million consumers (about 29 million MasterCard victims and 65 million Visa victims). The cost, after all, will be picked up by the issuers of the credit cards. The interesting thing is that, from a business perspective, it appears not to have adversely affected TJX. It might matter to customers who become the victims of identity fraud and the banks who have to cover the fraudulent use of credit card numbers, but it has not affected TJX. Indeed, unless TJX loses lawsuits by banks, it appears to confirm the oftheld (albeit unethical) belief that protective measures are window dressing, and that the minimal amount should be spent on them.
This same less than ethical logic springs up everywhere. We all remember cases where a manufacturer would balance the cost of reimbursing for customers who died as a result of a defective part against the cost of recalling the product. In many cases they opt for the less expensive option of buying off the families of the dead. From a business perspective, this makes sense: If it cost $100 million to do a recall, and the statistical anticipation is that 3 people might die, then paying $20 million each to buy a new wife, husband, or child to replace the one that died makes business sense.
Now, sometimes there is justification for bad things happening, particularly in the case of changing technology. It would not be beyond imagination that TJX was, in fact, in compliance with all current standards for protecting customer information, and believed in good faith that they were doing everything they could to protect customer information. If this were the case (though their claim appears reported to be more that everyone else was doing it, too), one would be hard pressed to find fault. To find an equivalent to this, think of cars. If a loved one dies in an accident today because the seat belt design was defective, you would doubtless blame the manufacturer. But the Sports Car Club of America didn’t require competing drivers to wear lap belts until 1954, and Ford and Chrysler didn’t offer lap belts in front at an option on some models until 1956. Nils Bohlin’s lap-and-shoulder belt was introduced by Volvo in 1959, so if the car was your beltless restoration from the ‘40s or early ‘50s you shouldn’t expect them to have original seat belts.
That said, it is clear that in many cases the letter of the law is not quite the same as the spirit of the law. Some companies have formal ethical standards in place (LUBRINCO does) that take precedence over profit. Some run by the what-would-your-mother-think-if-she-read-this in-the-paper standard.
Others simply opt for profit over principle.
Because of lack of ethics we are saddled with too many onerous laws. We can legislate compliance but not ethics. For example, Sarbanes-Oxley exists not because of poor record keeping, but because of dishonesty, theft, and fraud. When unethical behavior reaches a level too obvious to be ignored, we look for remedy either to the courts or to more onerous legislation.