May 23, 2007 4:00 AM PDT
Perspective: Who says security breaches are small potatoes?See all Perspectives
- Related Stories
Banks file data breach suit against TJXApril 25, 2007
T.J. Maxx parent company sued in credit card hack probeMarch 21, 2007
ID theft remains top concern for consumersFebruary 7, 2007
AT&T hack exposes 19,000 identitiesAugust 29, 2006
Loan company reports loss of data on 1.3 millionJune 1, 2006
The economic cost of unauthorized computer intrusions is illustrated in the first-quarter earnings report posted by TJX Companies.
By way of background, TJX refers to itself as the leading off-price retailer of apparel and home fashions within the United States and globally. TJX operates 830 T.J. Maxx, 763 Marshalls, 271 HomeGoods, 127 A.J. Wright stores, and 35 Bob's Stores in the United States. TJX also states that it operates 185 Winners and 69 HomeSense stores in Canada, as well as 211 T.K. Maxx stores in Europe.
According to its first-quarter earnings report, TJX suffered unauthorized intrusions into portions of its computer systems that process and store information related to credit card, debit card, and check and "unreceipted" merchandise return transactions that were discovered during the fourth quarter of the prior fiscal year.
TJX has been investigating the intrusions with the assistance of computer security and incident response experts. Management believes customer information was stolen and that this information primarily relates to portions of transactions at its stores (not including Bob's Stores) from 2003 through part of 2004, and from mid- to late 2006.
The financial upshot is that TJX recorded an after-tax charge of approximately $12 million for costs incurred during the first quarter relating to the intrusions. That's in addition to an after-tax charge of approximately $3 million for costs recorded during the prior fourth quarter.
The charges include costs to investigate and contain the intrusions, as well as to strengthen computer security and systems. It also includes costs relating to communications with customers and for technical, legal and other related charges. The company continues to experience ongoing costs related to the intrusions, but still cannot estimate a range or its potential exposure. Such costs and losses, it says, could wind up being material to TJX's results.
Without knowing whether TJX took adequate steps to try to prevent the intrusions before they occurred, there are obvious lessons here. Plainly, companies of all types should want to avoid the costs of investigations, customer communications, and technical, legal and monitoring costs--not to mention potential exposure for related losses--which arise from computer system breaches.
Thus, companies should educate themselves now, if they have not done so already, as to how best to strengthen their computer security. Breach prevention bears a cost. But that expense pales in comparison to what a company will spend after a breach takes place. Better to be penny-wise rather than pound-foolish, and companies would be smart on the front-end to take steps that prevent breaches from ever occurring
is a partner in the San Francisco office of . His focus includes information technology and intellectual-property disputes. To receive his weekly columns, send an e-mail to email@example.com with "Subscribe" in the subject line. This column is prepared and published for informational purposes only, and it should not be construed as legal advice. The views expressed in this column are those of the author and do not necessarily reflect the views of the author's law firm or its individual partners.
7 commentsJoin the conversation! Add your comment