The Meaning of TJX's $168 Million Data Breach Cost

A big open question is how bad TJX's IT security procedures will look when full light is shed. Today, relatively little is known about how the data breaches happened. There have been numerous media reports about various ways the breach might have started, including a wireless attack and hot-wiring USB drives in the back of non-firewall-protected in-store job application kiosks.

But TJX has confirmed none of it, and some attorneys involved in the TJX litigation express doubt whether even TJX officials know for certain how it began. They know—to a limited extent—what was taken, and they found various security holes after the fact, but establishing which hole was actually used in a specific attack is much more complex. Given that TJX has reported the breaches occurred over multiple years, pinpointing a precise initial cause—assuming there even was one specific cause—is not easy.

Another critical consideration at trial would be whether TJX's security operations were managed within the norms of that industry segment. Did it perform its security within the customs of large retail IT shops? In short, courts and juries typically wouldn't hold TJX accountable for its security quality as long as it was within the range typical for that size and type of retail organization. That means that as long as there are plenty of examples of similarly sized retailers whose security is every bit as lax—or, for that matter, as strict—as TJX's, it is likely to emerge unscathed.

Getting back to the data breach costs, these figures represent a huge cost for a company that may skate on many of the civil accusations. If that's the cost of winning, what will the cost look like if it starts to lose?

Another consideration is how applicable the TJX costs are for other retailers. The way TJX is corporately branded may be dramatically lowering its costs. The media headlines—and those headlines have been much more numerous in the business and trade press than in the consumer press—have all focused on TJX. Many customers may indeed be wary of giving their credit cards to TJX but don't realize that Marshalls, HomeGoods, A.J. Wright, Bob's Stores, Winners and HomeSense are all part of the chain. Even the brands closest to the parent company's name—T.J. Maxx and T.K. Maxx—are not dead ringers for TJX. If this kind of breach hit Wal-Mart, Rite-Aid, Circuit City or the vast majority of other major retail chains that brand all their stores with the corporate name, that consumer confusion wouldn't help.

Mark Rasch, former head of the U.S. Justice Department's high-tech crimes group and currently an attorney specializing in retail security, said it's hard for a retailer to walk away from the TJX incident and not be shaken. "Right now, the bulk of the losses are due to the investigation, locking down their system, preventing it from happening in the future and litigating the cases," he said. "That's millions of dollars in losses before a single judgment is entered or made. Even if they win all of their cases, they are going to have to pay a lot."

Steve Rowen, a security analyst with Retail Systems Research, said he sees an uncertain TJX future but said the chain's customers hold much clout and, thus far, those consumers haven't been moved very much. "What we've really confirmed from the TJX breach is that customers blame criminals, not retailers. Therefore, TJ Maxx, Marshalls, and virtually all off-price retailers are still full of customers. In fact, the parking lots were full in the days immediately following the breach announcement. I checked," Rowen said. "But that simply does not mitigate in any way the cost of such an event. Bank-driven class actions are yet to be determined. [Federal Trade Commission] fines are yet to be determined. This will be the first case where the retailer gets handed the bill, and that's why every other retailer should be scrambling to become compliant."

Many are positioning this as an argument about retail security and whether TJX's less-than-stringent security execution—assuming it turns out to be less than stringent—will cause it financial hardship. But in quite a few ways, the TJX outcome may have less to do with retail IT security and more to do with the legal system in the U.S.

The retailer's nine-figure exposure is not based on its losing legal actions or the company facing huge fines. Those things may indeed happen, but the figures are based on the assumption that most of the fines will be small and that the court awards will be trivial. These costs are the costs that any deep-pocketed retailer must pay to defend itself against the litigation and various investigations. If TJX ultimately proves to have been reckless, then these fees may have a basis. But if, in the final analysis, TJX is found to have done little that most other similarly sized retailers weren't doing and it is still paying out more than $100 million, there is something very wrong with the system.

Editor's Note: This story was updated to include additional information about the potential outcome for TJX.

Retail Center Editor Evan Schuman can be reached at Evan_Schuman@ziffdavis.com.