What’s the cost of a data breach? According to the latest news, at least a cool $10 million if the information security breach approaches TJX-like scales. If you’ll recall, TJX had a massive breach of customer credit-card information nearly three years ago. The entire thing stemmed from the fact that their encryption software had not been updated to industry-accepted standards.
Settling With 41 States
The parent company to T.J. Maxx–which also includes Marshall’s and Bob’s Stores–has agreed to settle with 41 states. The total payout to states will be $7.25 million. An additional $2.5 million is being used to fund state “projects that ‘advance’ effective data security and technology,” according to computerworld.com.
The company has also agreed to upgrade its encryption and to limit how long credit card information is stored.
And, as is usually the case with settlements, the company has essentially denied any legal wrongdoing. Of course, in this case, it’s probably true: as far as I know, TJX never broke the law. They were supposedly in breach of PCI-DSS, which is a security standard in the credit card payment industry (i.e., it ain’t the law. But, hey, I’m not a lawyer…and some state AGs think otherwise).
Other Costs Related to the Data Breach
The $10 million being paid out in this case is on top of other costs associated with the breach. TJX also agreed to settle with Visa back in 2007, paying out $41 million, no doubt to cover the costs of issuing new cards to the 94 million customers affected (reportedly in the $65 million to $80 million range).
Plus, there was the settlement of a customer class-action lawsuit that resulted in the “customer appreciation sale,” a three-day shopping spree where customers would get big, big savings. There was a lot of disapproval regarding this: critics noted that the sale would actually benefit TJX, since lower prices drive higher store traffic. On the other hand, no retailer wants to sell merchandise at lower prices that will eat into its profit margins.
So, it looks like a massive breach will leave a company $51 million in the red, and drag management’s attention away from its actual business operations for two years.
All because, if I recall correctly, a paltry (in comparison) $2 million couldn’t be found to upgrade the company’s wireless encryption.