The story for Target gets worse and worse. After admitting to a data breach in December of last year, the company has seen some of the worst that a data breach can bring to a company. Although regularly compared to the TJX data breach of 2005, it seems to me that even TJX didn’t have it as bad back then.
Breach Cost: $148 Million
According to cio-today.com, the Target data breach of 2014 has cost the company $148 million, if the company’s forecasts are to be believed (previously, other sources put the figure at $200 million and counting):
“In second quarter 2014, the company incurred gross breach-related expenses of $148 million, partially offset by the recognition of a $38 million insurance receivable,” Target said in its earnings report. “Expenses for the quarter include an increase to the accrual for estimated probable losses for what the company believes to be the vast majority of actual and potential breach-related claims, including claims by payment card networks.”
Notice how the language implies these are costs directly related to the data breach itself. Other costs such as loss of client revenue (which slid 5% in the Xmas quarter over the previous year while competitors showed growth, according to latimes.com), falling stock prices in the market (a 19% fall at one point), loss of brand value, etc are not factored in. In light of this, outsiders’ $200 million figure is probably closer to the mark, if not the lower end of the estimate.
In addition, there is the cost associated with the loss of the CEO. Although the 35-year veteran resigned, it’s pointed out that it was a matter of time before he did so, seeing the extent of the breach. Finding a new CEO takes time and money, and a company could founder while the search is ongoing.
Was the Resignation Necessary?
While we are on the subject, should it really have cost Gregg Steinhafel his job? As far as I know, CEOs at retailers do not have IT backgrounds. How could Steinhafel have prevented or limited the data breach? The best he could possibly have done was to support the IT department to do whatever is necessary to secure Target’s client data.
Did he? Or was he instrumental in denying his IT guys the tools and other resources necessary for data security? For example, let’s take an example from the other data breach that Target’s is being compared to: TJX.
One of the stories that struck me about the TJX data breach (it’s the first thing I recall on the subject even now, seven years later) is that the company had knowingly implemented weak security as a cost-saving measure, and this had a direct effect on the company being hacked from its stores’ parking lots.
It’s a Different Game Now
As long as we’ve brought up some details concerning TJX, let’s explore a different face of the data breach: the fact that Target has lost sales, and that this seems to be tied to the data breach. Because competitors saw an increase in sales in the same period, and Target has had a history of performing stronger than its competitors, it wouldn’t be an inaccurate assumption to tie the depressed sales with the data breach.
Consequently, it wouldn’t be a far reach to assume that the value of Target’s brand has been negatively affected. Or to assume that the devaluation of the stock price is tied to either or both the lowered sales forecast and brand value / goodwill.
What’s exceptional about all of this is that it’s not exceptional at all. Logic dictates that all of this should happen. But, this was not what happened to TJX seven years ago. In their case, they saw increased year-over-year sales revenues. Their stock price didn’t really take a beating; it barely budged.
All of this went counter to what people were expecting. At one point, I theorized that TJX was doing fine because (1) the economy was so bad that people needed to shop somewhere, and you really couldn’t get lower prices than at TJX (the celebrated retailer Target it was not; the bigger you are, the bigger you fall); and (2) people still had no idea what being a victim of a data breach meant.
Fast forward seven years, and things are different.
The Tragedy of the Commons
There are a number of things about the ramifications of the Target breach that I don’t really agree on. Above all, I think the CEO should have stayed in his position absent of any improprieties regarding data security at the company. (Among other things, I believe that the concept of “once bitten, twice shy” is accurate when it comes to data breaches. Whereas an incoming CEO might think, “eh, it ain’t going to happen to me” and thus the renewal of the cycle.)
For example, consider this scenario: a CEO decides that, for cost reasons, he will not implement laptop encryption on company machines that are used by travelling sales reps who are authorized to store sensitive, personal data on these devices. This is a hallmark of a CEO who’s being shortsighted when it comes to data security.
It’s obviously a bad policy and if a data breach were to occur, the buck should stop at the CEO’s desk. But what if the CEO is very much pro-data security, has done all that he could, but a data breach occurs anyway? After all, data security is ultimately about risk management. A systematic risk exists in every data security scenario, one that cannot be eliminated, that can be equated to an act of God under particular circumstances: something that is expected to happen, but that no one knows when, where, how, or to whom.
If a sinkhole were to open up and swallow a Target store, would you hold the CEO responsible? After all, it will affect sales figures, which will in turn affect the stock price. It’s a given that survivors will sue the company. The brand will be tarnished (you should never underestimate the number of people who think that another Target store will suffer the same circumstances due to bad juju). I get the feeling, though, that the CEO would be fine in this case.
Of course, you could point towards all the security upgrades Target is currently undergoing and say that it’s obvious that the CEO didn’t do all that he could do.
What’s also true, however, is that, as far as I know, no other company in the US has undergone the kinds of security upgrades that Target is currently undergoing. By the end of all this, Target will potentially be one of the best protected retailers in the US, at least for a while.
Such a project is not easily undertaken without justifiable reason, especially if it costs millions of dollars. Money at such levels cannot be decoupled from opportunity costs and thus from competitive pressures. The forces that power the tragedy of the commons is obviously at play when it comes to data security. At the end of the day, it may require government intervention so that the playing field is leveled and no company feels that they’re taking a backward step by giving data security the level of attention it deserves (and others ignore).
Related Articles and Sites: