The impact of computer security breaches is not hypothetical. When such a breach occurs, the financial consequences are real and can be immediate. Thus, it is better to be penny-wise rather than pound-foolish, and companies would be smart on the front-end to take steps to prevent breaches from occurring.
The economic cost of unauthorized computer intrusions is illustrated by the first quarter earnings report of The TJX Companies, Inc.
By way of background, TJX refers to itself as the leading off-price retailer of apparel and home fashions within the United States and globally. TJX reports that it operates 830 T.J. Maxx, 763 Marshalls, 271 HomeGoods,127 A.J. Wright stores, and 35 Bob's stores in the United States. TJX also states that it operates 185 Winners and 69 HomeSense stores in Canada, as well as 211 T.K. Maxx stores in Europe.
According to its first quarter earnings report, TJX suffered unauthorized intrusions into portions of its computer systems that process and store information related to credit card, debit card, and check and unreceipted merchandise return transactions that were discovered during the fourth quarter of the prior fiscal year.
As a result, TJX has been engaged in an investigation of these intrusions; computer security and incident response experts have been assisting TJX with this investigation. TJX reports its belief that customer information was stolen and that this information primarily relates to portions of transactions at its stores (not including Bob's Stores) from 2003 through part of 2004, and from mid to late 2006.
The financial upshot is that TJX reports that it has recorded an after-tax charge of approximately $12 million for costs incurred during the first quarter relating to the intrusions, in addition to an after-tax charge of approximately $3 million for those costs recorded during the prior fourth quarter.
TJX states that these charges include costs to investigate and contain the intrusions, as well as costs to strengthen computer security and systems, costs relating to communications with customers, and for technical, legal and other related costs.
TJX notes that it is experiencing ongoing costs related to the intrusions, but at this time it cannot estimate a range for such costs or for potential exposure for losses. TJX points out that such costs and losses could be material to TJX's results of operations and financial condition.
Without knowing about and commenting on whether TJX took adequate steps to try to prevent the intrusions before they occurred, plainly, companies of all types should want to avoid costs of investigations, customer communications, and technical, legal and monitoring costs, not to mention potential exposure for related losses, that arise from computer system breaches.
Thus, companies should educate themselves now, if they have not done so already, as to how best to strengthen their computer security. While taking steps to prevent breaches bears a cost, that cost can pale in comparison to costs that are required once a breach happens.
Eric Sinrod is a partner in the San Francisco office of Duane Morris LLP (http://www.duanemorris.com) where he focuses on litigation matters of various types, including information technology and intellectual property disputes. His Web site is http://www.sinrodlaw.com and he can be reached at firstname.lastname@example.org. To receive a weekly email link to Mr. Sinrod's columns, please send an email to him with Subscribe in the Subject line.
This column is prepared and published for informational purposes only and should not be construed as legal advice. The views expressed in this column are those of the author and do not necessarily reflect the views of the author's law firm or its individual partners.