The solution is clear. For retailers to prevent massive and embarrassing information security breaches, they must begin to make fundamental changes in their approach to security.
If you have missed the recent headlines, TJX Cos., the parent of T.J. Maxx and Marshall's, recently disclosed that its computer systems had been compromised and credit card information had been stolen. TJX says the hackers were surreptitiously accessing TJX's computer systems for a year and a half, and obtained information on more than 45 million individual accounts.
This enormous amount of stolen customer information included credit card numbers, debit card numbers, driver's license numbers and customer names and addresses.
How did this happen? According to publicly available information, the investigation into the cause is ongoing, but problems with encryption (or the lack thereof) contributed to the breach. Encryption serves as a foundation for information security in retail environments, and when encryption breaks, a breach is inevitable.
Historically, companies have encountered difficulty in implementing encryption on a large scale. Only recently have advanced technologies emerged that allow both small and large retailers to implement strong encryption across all their stores and back-end processing centers. Most retailers, however, have not begun to implement these new technologies that provide essential protection.
From an economic point of view, Gartner Inc. issued a research note in 2005 explaining that encrypting data could cost as little as $6 per customer account, compared with "an expenditure of at least $90 per customer account when data is compromised or exposed during a breach." The price of encrypting information has dropped dramatically since then, and the level of protection has increased. The costs of responding to an exposure are as high as ever, however, as TJX is finding.
In a Securities and Exchange Commission filing last week, TJX stated that 19 separate class-action lawsuits have been filed against the company in North America. Also, TJX already has incurred $5 million in costs in responding to the breach. This is only the beginning: 30 states are investigating TJX, as are the Federal Trade Commission and three privacy agencies in Canada. The company is likely to spend a fortune defending itself.
From a customer perspective, the cost to TJX could be even greater. Every time a customer passes a T.J. Maxx or Marshall's, they will be reminded of the headlines, and they may ask themselves if they feel comfortable using their credit cards there.
The incident may impact the overall retail industry, as well. A bill that was introduced in the Massachusetts legislature would require retailers, not banks, to cover the tremendous antifraud-related costs in the event of a breach.
The TJX breach could have been prevented by following established best practices and by using new technologies. Throughout the industry, information security problems have proven to be difficult to solve, but many laws and standards now exist to guide companies on keeping credit card data safe. For instance, the Payment Card Industry's (PCI) Data Security Standard describes what data should be protected and what data should be destroyed when no longer needed.
Companies that accept credit card information must update their systems with new security solutions. These solutions would automatically encrypt information from the moment of creation, such as during a card swipe at a register, and would guarantee persistent protection wherever the information moves or resides. Advanced encryption software is capable of achieving this goal.
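The following Go program is an added illustration of the encrypt-at-capture pattern described above; it is not code from the article or from any retailer's systems. The card number (PAN) is encrypted with AES-GCM the moment it is read, only a masked form plus the authenticated ciphertext are retained, and the masked value is bound to the ciphertext so a tampered or reassembled record fails to decrypt wherever it is later copied. The key, the well-known test card number 4111 1111 1111 1111, and the function names are assumptions for illustration; a real deployment would load the key from an HSM or key-management service rather than a literal.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// CardRecord is what the store system keeps after a swipe. The full PAN is
// never stored in the clear: only a masked form and the ciphertext survive.
type CardRecord struct {
	MaskedPAN  string // e.g. "************1111", safe to print on a receipt
	Nonce      []byte // fresh random nonce per record
	Ciphertext []byte // AES-GCM output, authentication tag included
}

// CaptureSwipe encrypts the PAN at the moment it is read from the card.
// The caller should drop the plaintext as soon as this returns.
func CaptureSwipe(pan string, key []byte) (CardRecord, error) {
	digits := strings.ReplaceAll(pan, " ", "")
	if len(digits) < 13 || len(digits) > 19 {
		return CardRecord{}, errors.New("PAN length out of range")
	}
	for _, c := range digits {
		if c < '0' || c > '9' {
			return CardRecord{}, errors.New("PAN contains a non-digit")
		}
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return CardRecord{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return CardRecord{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return CardRecord{}, err
	}
	masked := strings.Repeat("*", len(digits)-4) + digits[len(digits)-4:]
	// The masked PAN is passed as additional authenticated data, so a record
	// whose mask has been swapped or edited fails authentication on open.
	ct := gcm.Seal(nil, nonce, []byte(digits), []byte(masked))
	return CardRecord{MaskedPAN: masked, Nonce: nonce, Ciphertext: ct}, nil
}

// OpenRecord recovers the PAN for an authorized back-end step such as
// settlement. Any change to the nonce, ciphertext or mask is detected.
func OpenRecord(rec CardRecord, key []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, rec.Nonce, rec.Ciphertext, []byte(rec.MaskedPAN))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	// Constructed 32-byte demo key (AES-256); assumption for illustration only.
	key := []byte("0123456789abcdef0123456789abcdef")
	rec, err := CaptureSwipe("4111 1111 1111 1111", key)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored: %s (%d ciphertext bytes)\n", rec.MaskedPAN, len(rec.Ciphertext))
	pan, err := OpenRecord(rec, key)
	if err != nil {
		panic(err)
	}
	fmt.Println("settlement recovered PAN ending", pan[len(pan)-4:])
}
```

The point of the design is that every component downstream of the register (databases, backups, log shippers, analytics exports) only ever handles `CardRecord`, so copying the record around does not widen exposure; only the process holding the key can recover the PAN, and a key kept apart from the data is what turns a database theft into a non-event.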
As TJX is learning the hard way, the time to update security systems is now. The tools exist to prevent massive breaches of personal information. For the good of consumers, banks, and the retailers themselves, all retailers should embrace more comprehensive information security.