The Meaning Of TJX's $168 Million Data Breach Cost

By Evan Schuman  |  Posted 2007-08-15


With all the numbers that TJX Companies issued in its Aug. 14 earnings statement, the one that has generated the most attention was an estimated $168 million hit associated with the data breach announced in January, which saw consumer information from an estimated 46 million debit and credit cards walk out the door.

The numbers were sliced and diced many ways. About $118 million in after-tax costs was taken in the most recent quarter alone, plus $21 million projected as a possible hit for next year, on top of $29 million already reported in prior quarters. The Boston Globe quoted a TJX official saying that the $118 million quarterly after-tax figure was about $196 million pretax and that the $21 million for next year was about $35 million pretax. A chart issued by TJX gives a six-month data breach cost of $215.9 million, without explanation.

But a closer look at those numbers suggests both a more dire and a more optimistic perspective.

First, the optimistic side. TJX officials did not, in fact, say that they actually have spent—or necessarily will spend—anything more than a tiny fraction of those dollars. The overwhelmingly largest charge—a $107 million after-tax figure for the chain's second 2008 fiscal quarter—was merely a "reserve," a nest egg for what TJX fears its costs may be. Theoretically, its costs might be much lower.


Continuing on the optimistic side, those costs are not causing severe financial strain on the $17 billion retail giant, especially given that its revenue is still soaring, meaning that consumers have strongly embraced TJX and are presumably not being impacted by the breach. For the six months ending July 28, the Framingham, Mass., chain reported $8.4 billion in revenue, an almost 8 percent increase from the $7.8 billion it reported for the prior year's identical quarter.

Are these figures merely the cost of doing business, and an acceptable cost at that? To get a sense of that, it's important to drill down into what these numbers truly represent.

TJX's official word on its cash reserve need is that it represents TJX's "estimation of probable losses, in accordance with generally accepted accounting principles, based on the information available to the Company as of August 14, 2007, and includes an estimation of total, potential cash liabilities from pending litigation, proceedings, investigations and other claims as well as legal and other costs and expenses, arising from the intrusion."

Given the cost of updating security systems for a chain this large, as well as legal fees for merely dealing with the many civil lawsuits that arose from the breach's disclosure, those are not particularly large figures. Indeed, it's hard to argue that the estimates assume TJX will face anything but relatively small jury awards, assuming any of this litigation ever gets to a jury.

What does all this mean for retailers trying to gauge the cost of being breached? On the plus side, TJX officials think they will do well in most—if not all—of their litigation defenses, including the costs to be associated with an expected settlement with dozens of state attorneys general.

On the negative side, that's quite a high price tag for a company that may ultimately be proven to have done no wrong. Please note the emphasis on "proven," to avoid angry e-mails from readers who confuse what's provably wrong with what is actually wrong. Provably wrong involves what damages can be proven at trial and can be reasonably blamed on TJX. Will juries and judges view TJX as a victim of brilliant cyber thieves or as a massive company that cut corners and was reckless with consumers' private information? TJX seems to be betting on the former.


Another critical consideration at trial would be whether TJX's security operations were managed within the norms of that industry segment. Did it perform its security within the customs of large retail IT shops?

In short, courts and juries typically wouldn't hold TJX accountable for its security quality as long as it was within the range typical for a retail organization of that size and type. That means that as long as there are plenty of examples of similarly sized retailers whose security is every bit as lax—or, for that matter, strict—as TJX's, TJX is likely to emerge unscathed.

A big open question is how bad TJX's IT security procedures will look when full light is shed on them. Today, relatively little is known about how the data breaches happened. There have been numerous media reports about various ways the breach might have started, including a wireless attack and hot-wiring USB drives in the back of non-firewall-protected in-store job application kiosks.

But TJX has confirmed none of it, and some attorneys involved in the TJX litigation express doubt whether even TJX officials know for certain how it began. They know—to a limited extent—what was taken, and they found various security holes after the fact, but establishing which hole was actually used in a specific attack is much more complex. Given that TJX has reported the breaches occurred over multiple years, pinpointing a precise initial cause—assuming there even was one specific cause—is not easy.


Getting back to the data breach costs, these figures represent a huge cost for a company that may skate on many of the civil accusations. If that's the cost of winning, what will the cost look like if it starts to lose?

Another consideration is how applicable the TJX costs are to other retailers. The way TJX is corporately branded may be dramatically lowering its costs.

The media headlines—and those headlines have been much more numerous in the business and trade press than in the consumer press—have all focused on TJX. Many customers may indeed be wary of giving their credit cards to TJX but don't realize that Marshalls, HomeGoods, A.J. Wright, Bob's Stores, Winners and HomeSense are all part of the chain. Even the brands closest to the parent company's name—T.J. Maxx and T.K. Maxx—are not dead ringers for TJX.

If this kind of a breach hit Wal-Mart, Rite-Aid, Circuit City or the vast majority of other major retail chains that brand all their stores with the corporate name, that consumer confusion wouldn't help them.

Mark Rasch, former head of the U.S. Justice Department's high-tech crimes group and currently an attorney specializing in retail security, said it's hard for a retailer to walk away from the TJX incident and not be shaken.

"Right now, the bulk of the losses are due to the investigation, locking down their system, preventing it from happening in the future and litigating the cases," he said. "That's millions of dollars in losses before a single judgment is entered or made. Even if they win all of their cases, they are going to have to pay a lot."

Steve Rowen, a security analyst with Retail Systems Research, said he sees an uncertain TJX future, but said the chain's customers hold much clout and, thus far, those consumers haven't been moved very much.

"What we've really confirmed from the TJX breach is that customers blame criminals, not retailers. Therefore, TJ Maxx, Marshalls, and virtually all off-price retailers are still full of customers. In fact, the parking lots were full in the days immediately following the breach announcement. I checked," Rowen said. "But that simply does not mitigate in any way the cost of such an event. Bank-driven class actions are yet to be determined. [Federal Trade Commission] fines are yet to be determined. This will be the first case where the retailer gets handed the bill, and that's why every other retailer should be scrambling to become compliant."

Many are positioning this as an argument about retail security and whether TJX's less-than-stringent security execution—assuming it turns out to be less than stringent—will cause the company financial hardship. But in quite a few ways, the TJX outcome may have less to do with retail IT security and more to do with the legal system in the U.S.

The retailer's nine-figure exposure is not based on its losing legal actions or on the company facing huge fines. Those things may indeed happen, but the figures are based on the assumption that most of the fines will be small and that the court awards will be trivial. These costs are the costs that any deep-pocketed retailer must pay to defend itself against the litigation and various investigations.

If TJX ultimately proves to have been reckless, then these fees may have a basis. But if, in the final analysis, TJX is found to have done little that most other similarly sized retailers weren't doing and it is still paying out more than $100 million, there is something very wrong with the system.

Editor's Note: This story was updated to include additional information about the potential outcome for TJX.

Retail Center Editor Evan Schuman can be reached at

