Seeking Alpha

Larry Dignan


From ZDNet:
George Ou outlines the perils of failing to secure your wireless network, using the TJX (TJX) data breach as his example, but don't expect a massive financial hit from this security lapse.

Ou cites a bevy of estimates regarding TJX's financial hit from the loss of at least 45.7 million debit and credit card numbers. The range for these losses: $1 billion to $4.5 billion. Many assume a cost of $100 per lost record or more.

I'll believe it when I see it.

Thus far, TJX has taken a pre-tax charge of $5 million due to the computer intrusion. According to TJX's annual report this tally "includes costs incurred to investigate and contain the computer intrusion, strengthen computer security and systems, and communicate with customers, as well as technical, legal, and other fees."

TJX says it doesn't have enough information to "reasonably estimate losses we may incur." Of course that hasn't stopped folks from guessing at total losses.

Just to be safe, TJX has stopped buying back its stock. Even so, TJX's balance sheet is healthier than ever. J.P. Morgan analyst Brian Tunick is projecting TJX's cash position to top $1 billion in 2008 due to better inventory management. TJX ended 2006 with $857 million in cash and is expected to end 2007 with $809 million, according to Tunick's estimates.

The problem with these big loss estimates from analysts and other observers is that they assume a brand hit and customer loss. In this Information Week story, "brand impairment" is cited as part of the reason why TJX could take a $4.5 billion hit due to its data breach.

So far, TJX's brand is just swell. Customers are still shopping: same store sales rose 6 percent in March. That sales tally doesn't exactly jibe with a Javelin Strategy & Research study that found three in four consumers say they will stop shopping at a merchant that suffers a data breach. The disconnect: Consumers say they will stop shopping, but in reality they keep coming back if the price is right. Bottom line: If customers didn't abandon TJX at the height of its bad press, they aren't leaving now.

Maybe these big loss estimates account for forgone market capitalization. The problem with that assumption: TJX shares are about where they were when the data breach went public.

Or maybe class action lawsuits will add up to big numbers. After all, TJX failed to secure its network for more than a year. "We are vigorously defending the litigation and claims asserted against us," says TJX.

So let's assume TJX gets its tail handed to it in court. In a worst case scenario, TJX spends $50 million on lawyers and, after many appeals, winds up settling for $200 million. Naturally, only the lawyers will come out ahead.

The subtotal thus far, rounding up, is roughly $300 million. To be sure, the consultant fees are going to be huge for TJX, so let's factor in another $200 million. That brings us to $500 million. But unless postage on those "we're sorry to inform you" letters to customers adds up to $500 million, it's going to be tough to get to that magical $1 billion loss level everyone is talking about.

Now this whole TJX episode makes some people cringe: they just can't believe that there's not severe pain inflicted when customer data is lost. Certainly George Ou wants to see TJX suffer a bit. But the initial outrage wears off quickly.

Overall, TJX will be seen as a victim, albeit a negligent one. And TJX customers don't get irate because most of them won't take a financial hit. After all, credit card companies eat fraudulent charges in most cases. Of course, identity theft is a risk, but it will hit a small number out of that 45.7 million. These estimates surrounding data breaches just don't add up to the reality.

UPDATE:

To follow up on my earlier post and George Ou's assessment, I got my paws on the Forrester Research report that seems to be the source for many of the big loss figures attached to TJX.

As noted earlier, I had my doubts that TJX will see a greater than $1 billion hit. In a research note from April 10, Forrester analyst Khalid Kark outlines the various scenarios. He starts off with a big caveat, which certainly doesn't seem to be passed along in news reports. His disclaimer:

"Trying to determine the cost of a data breach is no easy task. After calculating the expenses of legal fees, call centers, lost employee productivity, regulatory fines, stock plummets, and customer losses, it can be dizzying, if not impossible, to come up with a true number. In reality, there are many different factors that should be part of the data breach cost calculation."

Fair enough, and we can rule out a few things in the TJX case already: it hasn't lost customers and its stock has been steady.

Kark goes on to outline all the tools for an educated guess. It's a welcome sight given the statistical games being played in the sound bites and pithy quotes. Bottom line: Any number outlining the costs should be taken with a huge grain of salt. To wit: A study of U.S. Department of Justice cases revealed an average loss per data breach incident of $1.5 million. A CSI/FBI survey estimated the cost to be $167,000. Kark also notes that the Ponemon Institute figured the average cost to be $4.8 million per breach. Those three averages span more than an order of magnitude. The rub: The Ponemon report is based on only 31 respondents.

Some key points in the Forrester report:

  • Forrester surveyed 28 companies that had data breaches and found only 25 percent were worried about civil penalties and restitution costs. Is something wrong with this picture?
  • Kark's best guess is that discovery, response and notification costs after a data breach run $50 per record.
  • Costs and distractions increase as companies focus on public relations more than operations. This is certainly true in many cases. The big question: Is it true in the TJX case? I'm not sensing a huge PR push from the company aside from a customer alert on its home page.
  • Fines matter (but not as much as you'd think). Forrester notes that Visa levied fines of $4.6 million for partners that mishandled customer data. ChoicePoint paid $10 million to the Federal Trade Commission. These are big sums, but well off the tallies being tossed around regarding TJX.
  • If you lose customers, it's costly to regain them, perhaps more so than the breach expenses.
  • High profile cases are more costly. ChoicePoint (CPS) has set the bar, says Forrester. That fact could mean ugly things for TJX. Will the FTC really fine TJX something huge like $100 million?

And then there's the money shot:

If you tally those items above and apply them to all 45.7 million TJX records, you get big numbers: Kark's $50 per record for discovery, response and notification alone works out to roughly $2.3 billion before a single fine or lawsuit is counted. That's where those lofty figures regarding TJX costs are coming from, and it's also why they swing so wildly with the per-record assumption and with whether the brand hit and customer losses ever materialize.