Security Breach Costs TJX Surprisingly Little


Why am I not surprised that TJX customers have returned to TJMaxx and Marshall's, waving their credit cards and freely giving cashiers their zip codes and phone numbers?

It's probably the same reason why the NFL reinstated Ricky Williams after his drug problems, Hollywood quickly forgives celebrity criminal lapses (Lindsay Lohan, Paris Hilton, Robert Downey Jr., to name a few) and voters overlook politicians' transgressions (didn't Joe Biden admit to plagiarism and Barney Frank have a male prostitute operating out of his D.C. home?).

In short, people have short memory spans and, frankly, don't care about what lawyers will call "prior bad acts" so long as they get the services they want at a price they can afford. Sure, TJX allowed the compromise of nearly 100 million credit card numbers, which caused a great deal of confusion and trouble for accountholders. Yet, as the Boston Globe reports (http://www.boston.com/business/articles/2007/12/21/for_tjx_a_store_of_consumer_loyalty), TJX customers assume things have been fixed and it's safe to return to the stores.

Some might assume that this is a phenomenon reserved for the traditional brick-and-mortar retailers. Not true. Seven years ago, I was among those reporting on the demise of CD Universe, one of the earliest online music resellers. In 2000, a hacker attempted to extort $100,000 from the service as protection money, or else face the wrath of having 10,000 pilfered credit card numbers exposed. In the end, CD Universe had to admit to the breach and still face the wrath of Discover and American Express, which had to reissue thousands of credit cards. CD Universe disappeared into the ether and many presumed it went out of business because it couldn't recover from the reputation hit. We were wrong. CD Universe is alive and well, still selling new CDs, brokering rare copies and trading used discs.

True enough, TJX is paying millions of dollars in fines to banks affected by the security breach, and CD Universe's business did take a severe hit. But they're still standing and, at least in the case of TJX, thriving.

The Ponemon Institute reports the cost of a security breach such as the one suffered by TJX to be $197 per affected record. At that cost, TJX should be paying out nearly $200 million. But that's supposed to be the remediation costs, not necessarily the actual losses caused by a decrease in business. Reputation was always supposed to be the biggest damage, but the TJX experience is disproving that.

If you look back at some of the bigger security breaches of the past few years--Kaiser Permanente, Bank of America, Wells Fargo, ChoicePoint--none of the affected companies have suffered lasting reputational loss due to their security breaches.

While the cost of correcting the reasons behind a security breach will likely continue to climb, it's hard to imagine that reputational cost will have any impact, thanks to our short attention spans.

What was I talking about again?

Do you think security breaches leave an indelible mark on a company's reputation? Is the reputational impact of a security lapse a big deal? Share your thoughts with Larry at lawrence.walsh@ziffdavisenterprise.com.