[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ISN] Perspective: Who says security breaches are small potatoes?


By Eric J. Sinrod
May 23, 2007

perspective - The impact of computer security breaches is not 
hypothetical. The financial consequences are real and can be immediate.

The economic cost of unauthorized computer intrusions is illustrated in 
the first-quarter earnings report posted by TJX Companies.

By way of background, TJX refers to itself as the leading off-price 
retailer of apparel and home fashions within the United States and 
globally. TJX operates 830 T.J. Maxx, 763 Marshalls, 271 HomeGoods, 127 
A.J. Wright stores, and 35 Bob's Stores in the United States. TJX also 
states that it operates 185 Winners and 69 HomeSense stores in Canada, 
as well as 211 T.K. Maxx stores in Europe.

According to its first-quarter earnings report, TJX suffered 
unauthorized intrusions into portions of its computer systems that 
process and store information related to credit card, debit card, and 
check and "unreceipted" merchandise return transactions that were 
discovered during the fourth quarter of the prior fiscal year.

TJX has been investigating the intrusions with the assistance of 
computer security and incident response experts. Management believes 
customer information was stolen and that this information primarily 
relates to portions of transactions at its stores (not including Bob's 
Stores) from 2003 through part of 2004, and from mid- to late 2006.

The financial upshot is that TJX recorded an after-tax charge of 
approximately $12 million for costs incurred during the first quarter 
relating to the intrusions. That's in addition to an after-tax charge of 
approximately $3 million for costs recorded during the prior fourth 

The charges include costs to investigate and contain the intrusions, as 
well as to strengthen computer security and systems. It also includes 
costs relating to communications with customers and for technical, legal 
and other related charges. The company continues to experience ongoing 
costs related to the intrusions, but still cannot estimate a range or 
its potential exposure. Such costs and losses, it says, could wind up 
being material to TJX's results.

Without knowing whether TJX took adequate steps to try to prevent the 
intrusions before they occurred, there are obvious lessons here. 
Plainly, companies of all types should want to avoid the costs of 
investigations, customer communications, and technical, legal and 
monitoring costs--not to mention potential exposure for related 
losses--which arise from computer system breaches.

Thus, companies should educate themselves now, if they have not done so 
already, as to how best to strengthen their computer security. Breach 
prevention bears a cost. But that expense pales in comparison to what a 
company will spend after a breach takes place. Better to be penny-wise 
rather than pound-foolish, and companies would be smart on the front-end 
to take steps that prevent breaches from ever occurring



Eric J. Sinrod is a partner in the San Francisco office of Duane Morris. 
His focus includes information technology and intellectual-property 
disputes. To receive his weekly columns, send an e-mail to ejsinrod (at) 
duanemorris.com with "Subscribe" in the subject line. The views 
expressed in this column do not necessarily reflect those of Sinrod's 
law firm or its individual partners.

Attend Black Hat USA, July 28-August 2 in Las Vegas, 
the world's premier technical event for ICT security 
experts. Featuring 30 hands-on training courses and 
90 Briefings presentations with lots of new content 
and new tools. Network with 4,000 delegates from 
70 nations.   Visit product displays by 30 top
sponsors in a relaxed setting. Rates increase on 
June 1 so register today. http://www.blackhat.com