Bottom line impact of data breaches unclear

Despite dire predictions of massive financial consequences for breached companies, TJX's business has grown in the wake of its data breach

Although unwanted exposure of consumer data has become a hot-button issue in the media and among legislators nationwide, experts admit that it remains unclear just how much damage such events cause to the finances and reputations of the companies that experience them.

In the case of TJX Companies -- which admitted in early 2007 to a massive data loss involving the personally identifiable information of more than 45.6 million consumers -- the discount retail chain's business does not yet appear to have suffered any significant disruption.

On April 12, Framingham, Mass.-based TJX -- which operates retail chains including T.J. Maxx, Marshalls, and HomeGoods -- reported that sales at its stores increased by 6 percent in March 2007, compared to the same timeframe in 2006.

The performance easily outpaced estimates from industry watchers, including Thomson Financial, which had predicted a 4.6 percent gain in sales at TJX for the month.

That latest report follows earlier news that TJX had increased sales by 2 percent in February 2007 and by 4 percent in January 2007, compared with the same months a year earlier.

On Wall Street, TJX shares also appear to be riding out the controversy without major injury as of April 13 with the company's stock trading at roughly $28, compared to just under $30 at the time the breach was initially reported in January.

TJX's continued performance runs counter to research contending that businesses that suffer major data incidents will face pushback from customers and investors.

TJX said in its most recent filing with the SEC (Securities and Exchange Commission) -- issued on Mar. 28 -- that it has already spent $5 million on recovery efforts related to the attack, and company officials indicated that the firm expects to continue to pay for the mistake.

However, the breach -- believed to be the largest such event ever reported -- has not yet taken the sizeable bite out of the retailer's in-store traffic or pocketbook that some reports predicted it might.

According to a report published this week by Javelin Strategy & Research, a recent survey it conducted of more than 1,200 consumers found that 77 percent said they would discontinue shopping at merchants who suffered major data breaches. Some 85 percent of respondents said they would prefer to reward companies who avoid major incidents by giving them more of their business.

Mary Monahan, the Javelin analyst who authored the report, admitted that the TJX scenario points to discrepancies between what consumers are saying publicly and the statements they appear to be making with their spending habits.

"It's true the impact doesn't appear to be there yet. Consumers are promising to punish merchants who are lax with security on one hand, but it appears that they can't deliver on those promises because they can't differentiate who it is that's doing a better job of protecting their data," Monahan said.

Business and security analysts, along with lawmakers and privacy watchdogs are generating a good deal of publicity, the analyst said, but the issue has not permeated most consumers' worlds to the extent that it has changed their buying patterns.

In addition to having few resources with which to determine which companies are doing a better job of securing personal data, many consumers do not know the difference between a data breach and the data fraud that may follow it, she said.

And while conventional wisdom might suggest that such confusion would make consumers even more wary of companies with significant data incidents, Monahan said the lack of understanding may instead make people less sensitive to breach reports in general.

For instance, consumers in states like California that have more stringent breach disclosure laws may receive so many notifications of potential information exposure that the notices have become an accepted norm of life in the digital age.

Adding to the muted reaction against companies that experience data incidents is the fact that, for every 1,000 records lost or stolen in such events, only 8 result in actual fraud (a rate of less than 1 percent), according to Javelin.

One of the first research companies to create metrics that attempt to track the financial impact of data breaches is the Ponemon Institute, which is headquartered in Elk Rapids, Mich.

According to a report issued by Ponemon in October 2006, data losses cost U.S. companies an average of $182 per compromised record in 2006, compared with an average of $138 per record in 2005, an increase of roughly 32 percent.

The report, based on interviews with 56 companies known to have experienced a data incident in the previous year, also maintains that roughly $128 of the 2006 per-record figure is attributable to indirect fallout from information leaks, such as higher-than-normal customer turnover.

Other expenses highlighted in the report include an average of $660,000 per company for notifying customers, business partners, and regulators of a breach. Ponemon contends that the companies surveyed each lost an average of roughly $2.5 million in business as a result of their incidents.

Institute founder and chairman Larry Ponemon said the muted reaction to the TJX incident illustrates that consumers respond differently to individual breaches depending on the circumstances. The sheer scale of the TJX breach, and the fact that the company is a retailer, have had a palpable effect on how people reacted, he said.

"Consumers' expectations for privacy and security are far lower for retailers and other merchants than they are for banks or health care providers, and because so many records were involved with TJX, people may assume there's a much smaller chance of having their identity stolen," Ponemon said. "There also appears to be a growing perception that if the event was the result of criminal activity, rather than negligence, as with the TJX attacks, people are willing to give the company a bit more leeway in terms of forgiveness."

The researcher said people are far more likely to take their business elsewhere after a smaller breach at a bank or financial services provider that affects their data than after a much larger incident at a retailer.

However, banks that are carving out reputations as particularly strong protectors of customer data are gaining more customers, he said, including well-known firms such as Bank of America and Wachovia.

With retailers, he said, many consumers may keep shopping at the same stores and simply pay by check or cash to limit their exposure.

Analysts at Cambridge, Mass.-based Forrester Research published a report on April 10 that proposed that TJX's breach could eventually cost the company as much as $1.35 billion in combined expenses and lost business. 

Forrester's figure is based on its estimate of $90 in costs per compromised record and its estimate that roughly 15 million of the 45.6 million records stolen in the incident were for unexpired credit and debit cards.

For its part, Ponemon puts the cost per compromised record much higher, at $182, but it also says that no company it has studied has spent more than $22 million recovering from a data loss.

At the end of the day, it's still difficult to tie breaches to specific financial repercussions beyond what companies spend on notifying their customers and setting up credit monitoring services for those affected by information losses, said Khalid Kark, the Forrester analyst who wrote the report.

"The perception is that people are concerned, but the reality is that it is very hard to change habits. They might tell you they will change their spending behavior, but when it comes down to real life, that's a different circumstance," Kark said. "Consumers have very short memories and may not actually punish a brand in the long-term if the company appears to get the right protections in place."

Shareholders appear to be even less put off by data incidents, as long as companies seem to be making the right moves to reassure customers and improve security in response to breaches, the analyst said.

"We're already hearing investors in TJX saying that they have confidence that management is doing the right things," Kark said. "You can argue that stock price is a combined indicator of people's confidence in a company, and even when the stock price is influenced by something like this, in most cases it doesn't appear to have a long-term effect."

Copyright © 2007 IDG Communications, Inc.