The Meaning Of TJX's $168 Million Data Breach Cost

When the $17 billion retailer reported that pre-tax $168 million possible hit for its data breach, did it see it as anything more than a cost of doing business? And a minor cost at that?

With all of the numbers that TJX issued in its Tuesday earnings statement, the one that has generated the most attention was a $168 million estimated hit associated with the data breach announced in January, which saw consumer information from an estimated 46 million debit and credit cards walk out the door.

The numbers were sliced and diced many ways. There was about $118 million in after-tax costs taken in the most recent quarter alone, plus $21 million projected as a possible hit for next year on top of $29 million already reported in prior quarters. The Boston Globe quoted a TJX official saying that the $118 million quarterly after-tax figure was about $196 million pre-tax and that the $21 million for next year was about $35 million pretax. A chart issued by TJX gives a six-month data breach cost of $215.9 million, without explanation.

But a closer look at those numbers suggests both a more dire and a more optimistic perspective.

First, the optimistic side. TJX did not, in fact, say that it actually has spent?or necessarily will spend?anything more than a tiny fraction of those dollars. The overwhelmingly largest charge?a $107 million after-tax figure for the chain's second 2008 fiscal quarter?was merely a "reserve," a nestegg for what TJX fears its costs may be. Theoretically, its costs might be much lower.

Continuing on the optimistic side, those costs are not causing severe financial strain on the $17 billion retail giant, especially given the fact that it's revenue is still soaring, meaning that consumers have strongly embraced TJX and their retail choices are presumably not being impacted by the breach. For the six months ending July 28, 2007, the chain reported $8.4 billion in revenue, which is an almost 8 percent increase from the $7.8 billion it reported for the prior year's identical quarter.

Are these figures merely the cost of doing business and an acceptable cost at that? To get a sense of that, it's important to drill down into what these numbers truly represent.

TJX's official word on their cash reserve need is that it represents TJX's "estimation of probable losses, in accordance with generally accepted accounting principles, based on the information available to the Company as of August 14, 2007, and includes an estimation of total, potential cash liabilities from pending litigation, proceedings, investigations and other claims, as well as legal and other costs and expenses, arising from the intrusion."

Given the cost of updating security systems for a chain this large as well as legal fees for merely dealing with the many civil lawsuits that arose from the breach's disclosure, those are not particularly large figures. Indeed, it's hard to argue that the estimates assume TJX will face relatively small jury awards, assuming any of this litigation ever gets to a jury.

What does all of this mean for retailers trying to decide the cost of being breached? On the plus side, TJX thinks that it will do well in most?if not all?of its litigation defenses, including costs to be associated with an expected settlement with dozens of state Attorneys General.

On the negative side, that's quite a high pricetag for a company that may ultimately be proven to have done no wrong. Please note the emphasis on proven, to avoid angry E-mails from readers who confuse what's provably wrong with what is actually wrong. Provably wrong involves what damages can be proven at trial and can be reasonably blamed on TJX. Will juries and judges view TJX as a victim of brilliant cyber thieves or as a massive company that cut corners and was reckless with consumer private information? TJX seems to be betting with the former.

Another critical consideration at trial would be whether TJX's security operations were managed within the norms of that industry segment. Did it perform its security within the customs of large retail IT shops?

In short, courts and juries typically wouldn't hold TJX accountable for it's security quality as long as it was within the range typical for that size and type of a retail organization. That means that as long as there are plenty of examples of similarly-sized retailers whose security is every bit as lax?or, for that matter, strict?as TJX, they're likely to emerge unscathed.

A big open question is how how bad TJX's IT security procedures will look when full light is shed. Today, there is a relatively little known about how the data breaches happened. There have been numerous media reports about various ways the breach might have started, including a wireless attack and hot-wiring USB drives in the back of non-firewall-protected in-store job-application kiosks.

But TJX has confirmed none of it and some attorneys involved in the TJX litigation express doubt whether even TJX knows for certain how it began. They know?to a limited extent?what was taken and they found various security holes after the fact, but establishing which hole was necessarily used in a specific attack is much more complex. Given that TJX has reported the breaches occurred over multiple years, pinpointing a precise initial cause?assuming there even was one specific cause?is not easy.

Getting back to the data breach costs, these figures represent a huge cost for a company that may skate on many of the civil accusations. If that's the cost of winning, what will the cost look like if it starts to lose?

Another consideration is how applicable the TJX costs are for other retailers. The way TJX is corporately branded may be dramatically lowering their costs.

The media headlines?and those headlines have been much more numerous in the business and trade press than in the consumer press?have all focused on TJX. Many customers may indeed be wary of giving their credit cards to TJX, but don't realize that Marshalls, HomeGoods, A.J. Wright, Bob's Stores, Winners and Homesense are all part of the chain. Even the brands closest to the parent company's name?T.J. Maxx and T.K. Maxx?are not dead-ringers for TJX.

If this kind of a breach hit Wal-Mart, Rite-Aid, CircuitCity or the vast majority of other major retail chains that brand all of their stores with the corporate name, that consumer confusion wouldn't help.

Mark Rasch, the former head of the U.S. Justice Department's high-tech crimes group and today an attorney specializing in retail security, said it's hard for a retailer to walk away from the TJX incident and not be shaken.

"Right now, the bulk of the losses are due to the investigation, locking down their system, preventing it from happening in the future and litigating the cases," he said. "That's millions of dollars in losses before a single judgment is entered or made. Even if they win all of their cases, they are going to have to pay a lot."

Steve Rowen, a security analyst with Retail Systems Research, sees an uncertain TJX future, but said that the chain's customers hold much clout and, thus far, those consumers haven't been moved very much.

"What we?ve really confirmed from the TJX breach is that customers blame criminals, not retailers. Therefore, TJ Maxx, Marshall?s and virtually all off-price retailers are still full of customers. In fact, the parking lots were full in the days immediately following the breach announcement. I checked," Rowen said. "But that simply does not mitigate in any way the cost of such an event. Bank-driven class actions are yet to be determined. FTC fines are yet to be determined. This will be the first case where the retailer gets handed the bill and that?s why every other retailer should be scrambling to become compliant."

Many are positioning this as an argument about retail security and whether TJX's less-than-stringent security execution?assuming it turns out to be less than stringent?will cause them financial hardship. But in quite a few ways, the TJX outcome may have less to do with retail IT security and more to do with the legal system in the U.S..

The retailer's 9-figure exposure is not based on their losing legal actions or facing huge fines. That may indeed happen, but the figures are based on the assumption that most fines will be small and court awards will be trivial. These costs are the costs that any deep-pocketed retailer must pay to defend itself against the litigation and various investigations.

If TJX ultimately proves to have been reckless, then these fees may have a basis. But if in the final analysis, TJX is found to have done little wrong that most other similarly-sized retailers weren't doing and it still is paying out more than $100 million, there is something very wrong with the system.