TJX Adds Again To Its Breach Cost, But It Doesn’t Really Matter

Written by Evan Schuman
April 21st, 2010

With TJX having suffered well more than $47 million in out-of-pocket expenses from its infamous data breach (announced in 2006 but beginning as early as 2003), the $20 billion retailer is preparing to write still more checks. It has now set aside another $23.5 million for additional anticipated breach costs, according to its most recent 10-K statement filed to the SEC.

That money is slated to deal with the chain’s “current estimation of total potential cash liabilities from pending litigation, proceedings, investigations and other claims, as well as legal, ongoing monitoring and other costs and expenses, arising from the Computer Intrusion,” the federal filing said.

Of course, just because it has set the money aside doesn’t mean TJX will necessarily spend it. The chain proved that last year when it under-spent its breach allocation by almost $31 million.

TJX has for years been the Poster Child for retail data breach. And to date, it is also the best example of how little material impact these breaches have. Please don’t get us wrong. Even for a $20 billion chain, $50 million (and potentially many millions more) still stings.

But sting is about as bad as it gets. The chain’s economic fundamentals—revenue, profit, cash on hand and stock price—remain rock-solid. Nor have they ever even been slightly disrupted by the breach fallout. As long as that’s true, these settlements are viewed as mere costs of doing business, which they are.

Three issues are in play here:

  • The current civil court rules that equate no out-of-pocket consumer loss with no consumer harm.
  • The absence of legal requirements to protect data
  • The cost of delivering true security (beyond mere PCI compliance) versus the cost of being breached

The litigation cropping out of these breaches falls within civil court jurisdiction. Civil courts really have only one purpose: to make consumers or businesses “whole.” This goal means the court wants to put affected parties in the place they would have been had the bad action never happened.

One of the unintended consequences of the brands’ zero-liability programs is that consumers can never lose money from a credit card breach. In court, therefore, consumer data breach actions quickly fall apart. The banks, assessors and others impacted have a better case. But it’s hard to prove that a card replacement move is absolutely necessary. If it isn’t needed, the courts are hesitant to charge a retailer for that action.

Even if a retailer is proven to be reckless about protecting its data—especially its payment information—the lack of consumer losses pretty much limits what, if anything, a civil court can do.

That brings us to point #2: criminal rules. If there were a requirement (preferably federal) saying retailers that invite customers to give them payment cards have a legal obligation to protect the data associated with those cards, things would change radically—and quickly. That would be especially true if a violation of this law is classified as a felony. In federal criminal court, the retailer would have to prove that it acted responsibly in protecting card data.

Given that there are no current viable efforts to do either of these things, we need to add both to the huge list of things we’d love to see made into law but never will be. (Our favorite is changing the tax code to factor in the cost of living of the taxpayer’s primary residence Zip Code. Far too logical a move to ever be enacted.)

This brings us to the last point. Retail IT maestros have this impossible task: arguing to the CEO and the board about financing security efforts that are simultaneously beyond the minimum PCI requirements and cost more than the chain would have to pay if it actually got breached.

The only reason insurers ever sell flood insurance is because the most expensive flood insurance program still costs a lot less than the damage from a single major flood. Retail translation: Good security is expensive, and the cost of getting cyber-thieved—with today’s court system—is decidedly less so.


Comments are closed.


StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Most Recent Comments

Why Did Gonzales Hackers Like European Cards So Much Better?

I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.