TJX Adds Again To Its Breach Cost, But It Doesn't Really Matter

With TJX having suffered well more than $47 million in out-of-pocket expenses from its infamous data breach (announced in 2006 but beginning as early as 2003), the $20 billion retailer is preparing to write still more checks. It has now set aside another $23.5 million for additional anticipated breach costs, according to its most recent 10-K statement filed to the SEC.

That money is slated to deal with the chain's "current estimation of total potential cash liabilities from pending litigation, proceedings, investigations and other claims, as well as legal, ongoing monitoring and other costs and expenses, arising from the Computer Intrusion," the federal filing said.

Of course, just because it has set the money aside doesn't mean TJX will necessarily spend it. The chain proved that last year when it under-spent its breach allocation by almost $31 million.

TJX has for years been the Poster Child for retail data breach. And to date, it is also the best example of how little material impact these breaches have. Please don't get us wrong. Even for a $20 billion chain, $50 million (and potentially many millions more) still stings.

But sting is about as bad as it gets. The chain's economic fundamentals—revenue, profit, cash on hand and stock price—remain rock-solid. Nor have they ever even been slightly disrupted by the breach fallout. As long as that's true, these settlements are viewed as mere costs of doing business, which they are.

Three issues are in play here:

  • The current civil court rules that equate no out-of-pocket consumer loss with no consumer harm.
  • The absence of legal requirements to protect data.
  • The cost of delivering true security (beyond mere PCI compliance) versus the cost of being breached.

The litigation arising out of these breaches falls within civil court jurisdiction. Civil courts really have only one purpose: to make consumers or businesses "whole." This goal means the court wants to put affected parties in the place they would have been had the bad action never happened.

One of the unintended consequences of the brands' zero-liability programs is that consumers can never lose money from a credit card breach. In court, therefore, consumer data breach actions quickly fall apart. The banks, assessors and others impacted have a better case. But it's hard to prove that a card replacement move is absolutely necessary. If it isn't needed, the courts are hesitant to charge a retailer for that action.

Even if a retailer is proven to be reckless about protecting its data—especially its payment information—the lack of consumer losses pretty much limits what, if anything, a civil court can do.

That brings us to point #2: criminal rules. If there were a requirement (preferably federal) saying retailers that invite customers to give them payment cards have a legal obligation to protect the data associated with those cards, things would change radically—and quickly. That would be especially true if a violation of this law is classified as a felony. In federal criminal court, the retailer would have to prove that it acted responsibly in protecting card data.

Given that there are no current viable efforts to do either of these things, we need to add both to the huge list of things we'd love to see made into law but never will be. (Our favorite is changing the tax code to factor in the cost of living of the taxpayer's primary residence Zip Code. Far too logical a move to ever be enacted.)

This brings us to the last point. Retail IT maestros have this impossible task: arguing to the CEO and the board about financing security efforts that are simultaneously beyond the minimum PCI requirements and cost more than the chain would have to pay if it actually got breached.

The only reason insurers ever sell flood insurance is because the most expensive flood insurance program still costs a lot less than the damage from a single major flood. Retail translation: Good security is expensive, and the cost of getting cyber-thieved—with today's court system—is decidedly less so.