by Shawna McAlearney

TJX Data Breach: Ignore Cost Lessons and Weep

Aug 07, 2008
Risk Management

While the monetary costs of a massive data breach are bad enough, the damage to reputation and the resulting loss of business can be considerable. The recent indictment of the TJX hackers underscores how your company may be at risk, security experts say.

The Department of Justice’s indictment of 11 people for hacking nine major U.S. retailers and the theft and sale of more than 40 million credit and debit card numbers highlights the global scope of today’s hacker threat. While monetary costs are bad enough, the damage to reputation and the resulting loss of business can be considerable.

According to the Associated Press, the indictment alleges that the hackers installed programs to capture card numbers, passwords and account information, and then concealed the data in computer servers that they controlled in the U.S. and Eastern Europe.

Considerable Costs to the Business

“If you take those 41 million cards and assume a one-to-one ratio with each card to an electronic file, and multiply 41 million by the $300 plus it costs to recover the information per file, you have about $12.3 billion in costs,” says MacDonnell Ulsch, director of technology risk management and privacy expert for Jefferson Wells, a global provider of professional services. That’s before getting into legal settlements, civil litigation costs and so forth. “It is a big problem.”

“Potential consumer backlash from this incident is another key aspect to consider,” says Kevin Newmeyer, worldwide principal of strategic security and counterterrorism at Unisys. “The Unisys Security Index, for example, reveals that 70 percent of U.S. consumers are significantly concerned about someone stealing their identity and misusing personal information. These also rank as the top consumer security concerns globally.”

Companies that fail to take steps to secure electronic data will face the direct costs of losing client information and, perhaps more important, the loss of their customers' trust, notes Newmeyer. Guarding personal information, on the other hand, gives a business an advantage in a competitive marketplace.

“How companies manage risk is critical, and the outcome can hurt financially or it can hurt their reputation, which places a long-term problem in front of a company because it will have to regain the integrity that has been taken from its customers,” adds Ulsch.

An Escalating Threat

While much still remains unknown, experts believe the global scope of this case may only scratch the surface. Some speculate that today's hacker threat is a much larger problem that involves organized crime, international narcotics trafficking and even terrorist financing.

“It gives us a very good view into the geographic distribution, jurisdictional issues and the complexity of identity theft today, because it involves multiple nations, different types of privacy laws, and is an example of the complexity involved in pursuing the ‘bad guys’ who are often part of a global organized crime effort for identity theft,” says Ulsch.

Mitigating the Risk

Criminals today are well-versed in using technology to accomplish their goals and are often able to commit crimes with minimal physical risk of detection or intervention. If you are breached, some simple steps can make your data less appealing.

“While simple encryption is not foolproof, it works much like locking your car,” says Newmeyer. “The car thief wants to take the car that he can easily steal and sell. If you make your car harder to steal, they are likely to find another one that is more accessible.”
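The "locking your car" point is about what a thief finds after a breach: if the stored card data is encrypted and the key is kept elsewhere, a dumped database table yields ciphertext rather than usable card numbers. The example below is added here to make that concrete; it is not code from the article or from either expert quoted. It uses Go's standard-library AES-GCM, a fixed 32-byte key and a well-known test PAN, all of which are constructed for illustration; in production the key would come from an HSM or key-management service, never from the same database or source tree as the records.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// StoredCard is the record that would sit in the merchant database. A thief
// who dumps the table gets the masked digits and an AES-GCM ciphertext; the
// full PAN is recoverable only with the key, which is held elsewhere (an HSM
// or key-management service in practice; a fixed test key here).
type StoredCard struct {
	Last4      string // masked form kept for receipts and customer lookup
	Ciphertext []byte // nonce || AES-GCM(PAN), authenticated with Last4 as AAD
}

// EncryptPAN seals a primary account number under a 16, 24 or 32-byte key.
func EncryptPAN(key []byte, pan string) (StoredCard, error) {
	if len(pan) < 13 || len(pan) > 19 {
		return StoredCard{}, errors.New("PAN must be 13-19 digits")
	}
	for _, c := range pan {
		if c < '0' || c > '9' {
			return StoredCard{}, errors.New("PAN must be numeric")
		}
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return StoredCard{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return StoredCard{}, err
	}
	// A fresh random nonce per record: reusing a nonce under GCM leaks the XOR
	// of plaintexts and compromises the authentication key.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return StoredCard{}, err
	}
	last4 := pan[len(pan)-4:]
	// Binding Last4 as additional authenticated data means an attacker who can
	// edit the database cannot move the ciphertext onto another row unnoticed.
	ct := gcm.Seal(nonce, nonce, []byte(pan), []byte(last4))
	return StoredCard{Last4: last4, Ciphertext: ct}, nil
}

// DecryptPAN opens a stored record; a wrong key or a tampered record fails
// authentication rather than returning garbage.
func DecryptPAN(key []byte, rec StoredCard) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(rec.Ciphertext) < gcm.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	nonce, ct := rec.Ciphertext[:gcm.NonceSize()], rec.Ciphertext[gcm.NonceSize():]
	pan, err := gcm.Open(nil, nonce, ct, []byte(rec.Last4))
	if err != nil {
		return "", err
	}
	return string(pan), nil
}

func main() {
	// Constructed test data: a widely used test PAN and a fixed 32-byte key.
	key := []byte("0123456789abcdef0123456789abcdef")
	rec, err := EncryptPAN(key, "4111111111111111")
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored: last4=%s ciphertext=%x\n", rec.Last4, rec.Ciphertext)
	pan, err := DecryptPAN(key, rec)
	fmt.Println("with key:", pan, err)
	_, err = DecryptPAN([]byte("ffffffffffffffffffffffffffffffff"), rec)
	fmt.Println("with wrong key:", err)
}
```

The caveat in the quote matters: encryption at rest only protects the stored copy. The capture programs the indictment describes read card numbers as they are processed, before any record is written, so this control reduces the value of a database dump but does nothing against interception at the point of sale.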

Good governance also plays a major role in risk management. Ulsch says companies need to create an environment of controls, integrating security standards, privacy requirements, information governance and risk management into a single framework for managing risk over critical information.

These five initiatives cannot occur with any degree of success or regularity without executive awareness, mainly because managing your risk costs money, Ulsch notes. “Until the audit and risk committees of the board of directors, and until CEOs, CFOs and so forth buy into the notion that these are secrets worth protecting, then we will continue to have these problems. The solution is contingent upon executive awareness and the desire and ability to do something about data protection in a meaningful way.”

What It Means for Business

For many businesses, it still boils down to cost and not “unquantifiable” reputational harm. Many of the costs of the breaches have been borne by the credit card companies up to now, but that’s beginning to change. And as it does, companies will see an impact on their bottom line.

“At present, the credit card companies are liable for much of the fraud taking place,” says Newmeyer. “Recent court cases, however, are starting to shift some of the burden to businesses themselves.”

Newmeyer recommends several steps businesses can take:

  • Be vigilant about security policies and practices to safeguard the information.

  • Quickly admit to breaches; bad news doesn’t get better with time.

  • Establish relationships with law enforcement, including public-private partnerships such as the Secret Service’s Electronic Crimes Task Forces.

  • Ask your IT services provider, or internal staff, when they last performed a security assessment of the enterprise.

Adds Newmeyer, “Look at security not as a cost center but as a vital element in your business that is necessary to develop and protect your relationship with your customers.”