The Legal Irony: A Secure Retailer Could Suffer More In A Breach Than A Reckless One
Written by Evan Schuman
There is this fairy tale belief that legal justice in civil lawsuits punishes those who act poorly, while protecting and vindicating those who consistently do the right thing.
Nowhere is this myth more wrong—indeed, polar opposite wrong—than when dealing with security breach issues of U.S. retailers. I’m going to try and avoid using modern-day chains to illustrate good and evil. Regrettably, I think it’s a safe bet that I am about two sentences away from failing that effort.
Let’s take TJX as an example. (Only one sentence. I was close, though.) Based on various SEC filings and court documents, it’s clear that TJX engaged in a wide range of security procedures that were, to be charitable, less than diligent.
But, as we’ve pointed out many times, the millions in expenses that TJX has had to spend had absolutely nothing to do with any alleged security sloppiness. Indeed, TJX won the overwhelming majority of court decisions and the settlements with both its consumer and bank class action efforts were stunningly favorable to TJX.
It’s legitimate to say that all of the costs TJX had to endure were the cost of doing business and they almost all went to paying lawyers, contacting consumers and handling monitoring and related activities. Oh, and paying for analysts and forensic investigators and upgrading security.
The key point is that TJX’s pain was not because of any supposed sloppy security practices. TJX shrewdly sidestepped and sealed those issues, focusing on the lack of financial losses suffered by the plaintiffs.
In other words, they paid because they were breached. There certainly was ample evidence that bad procedures were followed, but things never progressed to that point. No jury was ever empanelled. No trial ever happened. Therefore, none of the money was because of how they handled their security.
Now let’s fast-forward to today. We’re seeing bits and pieces of information that suggest that Hannaford was breached in an unanticipated manner and that Hannaford, as far as we can tell thus far, did everything it could have been expected to do.
Here’s the irony: Given the fact that the court system racks up charges regardless of how security was handled, a properly-secured retailer could face similar costs to a poorly-secured one. (The larger the breach, the higher the costs, to a certain extent.)
But if the well-secured retailer happens to be smaller than the poorly-secured one (as is the case with Hannaford being a fraction of the size of TJX), it’s quite possible that the legal costs could be more painful for the smaller retailer that did everything properly. Let that sink in for a moment.
A retailer that had slipshod security (Maybe we should call them Breach Bums? Maybe not) will be spared. There are many reasons for this, including the fact that zero-liability credit card programs take the pain away from consumers. As long as consumers don’t lose any hard cash, they can’t show damages and their claims eventually go away before a trial.
What message does this give to retailers that want to do the right thing and be secure? More importantly, what message does it give to cyber thieves?
April 15th, 2008 at 11:12 am
This article is confounding.
Well secured retailers won’t suffer a breach of cardholder data in the first place, and therefore won’t be punished.
Moreover, publicly stating that you are PCI compliant does not mean you are actually PCI compliant.
Thirdly, thinking that PCI compliance is a shield to all lawsuits and liability is wrong. Security pros, talk to your lawyers, ask them about T.J. Hooper.
We don’t know what happened in this case, so to assume that Hannaford was diligent is premature (and that is what we will find out in litigation — that is the system we use to settle disputes in this country, like it or not). This article has jumped the gun.
April 15th, 2008 at 11:30 am
Editor’s Note: For the record, we didn’t say Hannaford was diligent. We have raised many questions about that and in this story, stressed that we don’t know yet. But we were talking about the theory that even IF Hannaford was diligent, it doesn’t provide legal protection. It was the irony that, theoretically, a retailer with perfect security might get hurt more than one with terrible security. Just something to chew on.