On the alleged “costs” of breaches

By , February 20, 2007 5:59 pm

Behavioral psychology at its simplest would suggest that if you want to discourage or reduce sloppy data protection on the part of businesses, there should be consequences that serve as a deterrent or as a punisher for slipshod data protection practices. And indeed, some articles have talked about the “costs” of data breaches as if the costs should be sufficient to act as a deterrent.

But are these “costs” really expensive enough to serve as a meaningful deterrent or punisher? What do we make of the fact that TJX had a breach that had the potential to affect perhaps 40 million individuals, and yet… and yet…. their stock just hit a 52-week high? From the Houston Chronicle’s earnings preview for TJX today:

[…]

The company suffered a security breach during the quarter when a computer hacker gained access to its computer system and stole transaction histories. TJX will take a related charge in the fourth quarter of at least a penny per share.

[…]

Currie, who rates TJX “Neutral,” said he doesn’t expect the company to comment on the security breach as the investigation is still ongoing.

[…]

STOCK PERFORMANCE: Shares rose nearly 2 percent over the quarter and are up 23 percent for the year. The stock hit a 52-week high of $30.24 on Jan. 24. In midday trading, shares were up 15 cents to $28.62 on the NYSE.

OK, now I’m no more a stock analyst than I am a security analyst or a psychoanalyst, but if a penny a share might cover their losses and if their stock hit a one-year high after they announced a huge breach and after media reports that at least 30 states are investigating them, well….

Where is the financial “punishment” that will deter them from further breaches? Is the punishment that they make less of a profit than they would have? Sorry, but these figures don’t suggest that they will take enough of a ‘hit’ for it to make a serious dent in the way they do business. Maybe if 30 states each hit TJX with a huge fine, but even then….

As much as I believe in “natural consequences” as opposed to artificial punishments, it’s not clear that “natural consequences” apply here, unless the credit card companies stop dealing with retailers that do not adhere to industry standards on security. Or maybe someone reading this has a better idea?

Updated 2-25-07: Over at Emergent Chaos, Adam posted some links to articles on the TJX breach. One of them is a piece on RiskAnalys.is that reports that TJX claims that they

“suffered $5 million in losses due to the incident (2.4% of PROFIT, dang). You and I know that because of accounting rules, TJX actually has incentive to exaggerate that loss. This is one of those rare cases of positive impact of an incident – companies can impact taxes for a profitable quarter by throwing money at various incident related expenses. I mean, they were going to have to go through all the “compliance” rigmarole anyway, why not wait until they absolutely HAVE to spend the cash (i.e. when there’s an incident).”

If Alex is correct in his figures, then he is suggesting that TJX didn’t even suffer $5 million in “losses.” And — on the principle of not counting chickens before eggs are hatched — since they are not true “losses” but rather “less profit than they might have made otherwise,” so far it appears that we really are talking about a relatively piddling amount in the grand scheme of things. Maybe when all the legal fees kick in to deal with so many state investigations, they’ll feel a bit more pain. One can only hope.

2 Responses to “On the alleged “costs” of breaches”

  1. Alex says:

    Hi, IIRC the $5 million was a published number from their quarterly report.

    I’ve had some fairly trustworthy anecdotal (but still anecdotal) reports in a pretty similar incident that suggest that these numbers are over-stated for the purpose of accounting tricks. I think we can expect the number to grow over the next 3 quarters, as well.

    Note that if TJX follows the path that other retailers with similar incidents will take, then they will spend plenty on control measures, some on consulting (to create the due diligence paper trail) and then NOT change corporate culture at all. Let’s hope they’re different, but from the sound of their PR, I doubt it.

  2. dissent says:

    Thanks, Alex. After the VA breach, there was some falling-on-sword behavior. With the Hewlett Packard pretexting scandal, ditto. I don’t expect to see anyone falling on their sword at TJX. Nor do I expect significant changes/improvements in their security practices. Color me “jaded,” but both the scenarios you discuss in your blog do have one common theme, i.e., don’t try to take money away from business. Don’t penalize them if they foul up, and penalize those who try to deprive them of their royalties. The laws simply do not protect the individual or the individual’s privacy.
