The indictments allege that the computer breach at TJX -- which was hardest hit by the scheme -- was part of a much broader conspiracy involving the other retailers that lasted between 2003 and 2005. Although the government said the defendants managed to steal more than 40 million credit- and debit-card numbers, some consultants in court testimony estimated that 100 million account numbers were compromised in the TJX case alone.
Also this week, the Federal Trade Commission announced it had settled its complaint against the TJX stores for failure to maintain adequate security safeguards. If you are wondering why the FTC did not impose a civil penalty against TJX, as it did against ChoicePoint two years ago, it is because ChoicePoint violated the Fair Credit Reporting Act, which gave the FTC authority to impose a penalty for a first offense. That FCRA civil penalty authority does not generally exist for first violations of Section 5 of the FTC Act, its main statutory weapon. The FTC recently explained to the Senate Commerce Committee the limitations on its civil penalty authority.
These categories of cases, where civil penalties could enable the Commission to better achieve the law enforcement goal of deterrence, include malware (spyware), data security, and telephone records pretexting.
Senator Byron Dorgan (D-ND) has introduced legislation, S 2831, to reauthorize the FTC and grant that missing penalty authority.