The TJX data breach: Why loss estimates are overblown
George Ou outlines the perils of failing to secure your wireless network via the TJX data breach, but don't expect a massive financial hit from this security lapse.
Ou cites a bevy of estimates regarding TJX's financial hit due to the loss of at least 45.7 million data and credit card numbers. The range for these losses: $1 billion to $4.5 billion. Many assume a cost of $100 per lost record or more.
I'll believe it when I see it.
Thus far, TJX has taken a pre-tax charge of $5 million due to the computer intrusion. According to TJX's annual report this tally "includes costs incurred to investigate and contain the computer intrusion, strengthen computer security and systems, and communicate with customers, as well as technical, legal, and other fees."
TJX says it doesn't have enough information to "reasonably estimate losses we may incur." Of course that hasn't stopped folks from guessing at total losses.
Just to be safe TJX has stopped buying back its stock. In the end, TJX's balance sheet is healthier than ever. J.P. Morgan analyst Brian Tunick is projecting TJX's cash position to top $1 billion in 2008 due to better inventory management. TJX ended 2006 with $857 million in cash and is expected to end 2007 with $809 million, according to Tunick's estimates.
The problem with these big loss estimates from analysts and other observers is that they assume a brand hit and customer loss. In this Information Week story, "brand impairment" is cited as part of the reason why TJX could take a $4.5 billion hit due to its data breach.
So far, TJX's brand is just swell. Customers are still shopping--same store sales rose 6 percent in March. That sales tally doesn't exactly jive jibe with a Javelin Strategy & Research study that found three in four consumers will stop shopping a merchant if a data breach occurs. The disconnect: Consumers say they will stop shopping, but in reality they keep coming back if the price is right. Bottom line: If customers didn't abandon TJX at the height of its bad press they aren't leaving now.
Maybe these big loss estimates account for forgone market capitalization. The problem with that assumption: TJX shares are about where they were when the data breach went public.
Or maybe class action lawsuits will add up to big numbers. After all, TJX failed to secure its network for more than a year. "We are vigorously defending the litigation and claims asserted against us," says TJX.
So let's assume TJX gets its tail handed to it in court. TJX spends $50 million on lawyers and winds up settling for $200 million in a worst case scenario after many appeals. Naturally, only the lawyers get anything.
The subtotal thus far is roughly $300 million.
To be sure the consultant fees are going to be huge for TJX so let's factor in another $200 million.
That brings us to $500 million.
But unless postage on those "we're sorry to inform you" letters to customers add up to $500 million it's going to be tough to get to that magical $1 billion loss level everyone is talking about.
Now this whole TJX episode makes some people cringe--they just can't believe that there's not severe pain inflicted when customer data is lost. Certainly George Ou wants to see TJX suffer a bit. But the initial outrage wears off quickly.
Overall, TJX will be seen as a victim--albeit a negligent one. And TJX customers don't get irate because most of them won't take a financial hit. After all, credit card companies eat fraudulent charges in most cases. Of course, identity theft is a risk, but that'll be a small number out of that 45.7 million. These estimates surrounding data breaches just don't add up to the reality.