What that data breach will really cost you

So what will retailer TJX really have to fork over failing to secure a wireless network and letting 45.7 million credit and debit card numbers leak out?

It depends. To follow up on my earlier post and George Ou's assessment I got my paws on the Forrester Research report that seems to be the source for many of these big losses attached to TJX.

As noted earlier, I had my doubts that TJX will see a greater than $1 billion hit. In a research note from April 10, Forrester analyst Khalid Kark outlines the various scenarios. He starts off with a big caveat, which certainly doesn't seem to be passed along in news reports. His disclaimer:

"Trying to determine the cost of a data breach is no easy task. After calculating the expenses of legal fees, call centers, lost employee productivity, regulatory fines, stock plummets, and customer losses, it can be dizzying, if not impossible, to come up with a true number. In reality, there are many different factors that should be part of the data breach cost calculation."

Fair enough and we can rule out a few things in the TJX case already--it hasn't lost customers and its stock has been steady.

Kark goes on to outline all the tools for an educated guess. It's a welcome sight given statistical games being played in the sound bites and pithy quotes. Bottom line: Any number outlining the costs should be taken with a huge grain of salt. To wit: A study of U.S. Department of Justice cases revealed an average loss per data breach incident of $1.5 million. A CSI/FBI survey estimated the cost to be $167,000. Kark also notes that the Ponemon Institute figured the average cost to be $4.8 million per breach. The rub: The Ponemon report is only based on 31 respondents. 

Some key points in the Forrester report:

• Forrester surveyed 28 companies that had data breaches and found only 25 percent were worried about civil penalties and restitution costs. Is something wrong with this picture?
• Kark's best guess is that discovery, response and notification costs after a data breach run $50 a per record.
• Costs and distractions increase as companies focus on public relations more than operations. This is certainly true in many cases. The big question: Is it true in the TJX case? I'm not sensing a huge PR push from the company aside from a customer alert on its home page.
• Fines matter (but not as much as you'd think). Forrester notes that Visa levied fines of $4.6 million for partners that mishandled customer data. ChoicePoint paid $10 million to the Federal Trade Commission. These are big sums, but well off that the tallies being tossed around regarding TJX.
• If you lose customers it's costly to regain them--perhaps more so than the breach expenses.
• High profile cases are more costly. ChoicePoint has set the bar, says Forrester. That fact could mean ugly things for TJX. Will the FTC really fine TJX something huge like $100 million?

And then there's the money shot:

If you tally those items above and apply them to all the TJX records you get big numbers. That's where those lofty figures are coming from regarding TJX costs.