When examining breach data, we seek to prove or disprove that a breach will substantially affect the bottom line.
Over time we have shown that a breach generally does not appear to have much of an impact on the company that had the breach (here, here). There are counter-examples: TJX appears to be one of them.
As the breach turned out to be wider in scope than first thought, it resulted in a class-action lawsuit.
Some professionals may incorrectly conclude that TJX's stock performance will suffer as a result of the lawsuit, and from that intuit that breaches do affect the bottom line.
We cannot conclude this outright in the TJX case: TJX's profits were down 29% for 2006 because of business performance (earnings). That is what pushed the stock down, not the initial breach. It suggests that the company is no longer competitive in its market or may be mismanaged; either way, these are business issues independent of the breach.
In most other cases we can treat earnings as a relatively constant and stable variable, and most breach announcements do not coincide with an earnings announcement. TJX is an outlier in both respects.
Any meaningful analysis of the TJX breach must take the earnings variable into account; otherwise it should be labeled meaningless.
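The point about the earnings variable is a statement about event-study methodology: the breach's effect on the stock is the abnormal return over an event window, and any other firm-specific announcement inside that window is indistinguishable from the breach. The following is an added illustration, not code from this post or from any TJX analysis. It fits a market model on an estimation window, computes cumulative abnormal returns (CAR) over the breach window, and flags the result as confounded when a known earnings date falls inside the window. All return series, the alpha and beta used to build them, and the day numbers are constructed assumptions, not TJX's actual data.

```python
"""Market-model event study with a check for confounding announcements.

All data below is constructed for illustration; none of it is real TJX data.
"""
from typing import Dict, List, Sequence, Tuple

# --- Constructed daily return series (assumptions, not real data) ----------
# 35 trading days. Days 0..27 form the estimation window; day 30 is the
# hypothetical breach announcement; day 32 is a hypothetical earnings
# announcement that carries its own bad news.
MARKET: List[float] = [
    0.002, -0.001, 0.003, 0.000, -0.002, 0.001, 0.004, -0.003, 0.002, 0.001,
    -0.001, 0.002, 0.000, 0.003, -0.002, 0.001, 0.002, -0.001, 0.000, 0.002,
    0.001, -0.002, 0.003, 0.000, 0.001, -0.001, 0.002, 0.001,
    -0.002, 0.000, 0.001, 0.000, -0.001, 0.000, 0.001,
]
TRUE_ALPHA, TRUE_BETA = 0.0005, 1.2        # used only to build the sample
BREACH_DAY, EARNINGS_DAY = 30, 32
# Constructed firm-specific moves: a breach drop and a larger earnings drop.
FIRM_SHOCKS = {BREACH_DAY: -0.03, EARNINGS_DAY: -0.05}
STOCK: List[float] = [
    TRUE_ALPHA + TRUE_BETA * m + FIRM_SHOCKS.get(i, 0.0)
    for i, m in enumerate(MARKET)
]


def fit_market_model(stock: Sequence[float], market: Sequence[float],
                     est_start: int, est_end: int) -> Tuple[float, float]:
    """OLS fit of r_stock = alpha + beta * r_market over days [est_start, est_end)."""
    xs = market[est_start:est_end]
    ys = stock[est_start:est_end]
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    beta = sxy / sxx
    alpha = my - beta * mx
    return alpha, beta


def abnormal_returns(stock: Sequence[float], market: Sequence[float],
                     alpha: float, beta: float, days: Sequence[int]) -> List[float]:
    """Abnormal return per day: actual return minus the market-model expectation."""
    return [stock[d] - (alpha + beta * market[d]) for d in days]


def event_study(stock: Sequence[float], market: Sequence[float], event_day: int,
                window: Tuple[int, int], other_events: Sequence[int],
                est_days: int = 28) -> Dict[str, object]:
    """CAR over [event_day+pre, event_day+post], plus a confounding-event check.

    other_events lists dates of unrelated firm-specific announcements (e.g. an
    earnings release). If any falls inside the window, the CAR cannot be
    attributed to the event alone and the result is marked confounded.
    """
    pre, post = window
    days = list(range(event_day + pre, event_day + post + 1))
    if days[0] < est_days:
        raise ValueError("event window must not overlap the estimation window")
    alpha, beta = fit_market_model(stock, market, 0, est_days)
    ars = abnormal_returns(stock, market, alpha, beta, days)
    confounders = sorted(e for e in other_events if days[0] <= e <= days[-1])
    return {
        "alpha": alpha, "beta": beta, "window_days": days,
        "abnormal_returns": ars, "car": sum(ars),
        "confounders": confounders, "confounded": bool(confounders),
    }


if __name__ == "__main__":
    for win in ((-1, 3), (-1, 1)):
        r = event_study(STOCK, MARKET, BREACH_DAY, win, [EARNINGS_DAY])
        tag = "CONFOUNDED by days %s" % r["confounders"] if r["confounded"] else "clean"
        print("window %s: CAR = %.4f  (%s)" % (win, r["car"], tag))
```

With the wide [-1, +3] window the CAR absorbs both the constructed breach drop and the earnings drop and the function reports the window as confounded; narrowing to [-1, +1] excludes the earnings date and isolates the breach effect. In practice the earnings date is known in advance, so the check is a cheap guard to run before any CAR is quoted as "the cost of the breach".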

7 Comments
Perfect article.
Here’s an interesting question – how many of Carol Meyrowitz’s peers do you think are now thinking “Man, I can’t let that happen to me, I better spend some money on InfoSec”?
FYI: The color of an orange depends on how old it is
Event studies lose power if they cannot isolate events of interest (eg., breaches) from others that may have occurred during the event window.
Unfortunately, “stuff happens”, and precisely because information about breaches does not magically appear everywhere at once, it is sometimes methodologically necessary to use a somewhat wider event window. Mandatory centralized disclosure would lessen this.
What are the factors that cause TJX to become an outlier, and what can Meyrowitz’s peers do to effectively leave her in that outlying state?
To clarify my question–what do her peers do to not be breached, and thus leave TJX as an outlier?
A program that can satisfactorily determine and reduce technological risk.
What are your suggestions, Adam?
Great question Adam.
Isn’t TJX already an outlier? How many $50 million dollar breaches are there?
But to answer your question – You know I can’t say “become PCI compliant”
It’s my (small sample size warning) experience that retailers, in general, don’t prioritize information risk management.
The argument the CISO would like to make is that spending a few million (more) on IRM budget would reduce the likelihood of incident. Therefore it makes sense to spend $5 million to prevent the probable (or what’s more likely communicated, worst case) loss of $50 million.
The business owners tend to think more in terms of cash flow. I’m not saying that they like to make $50 million one time charge-offs, but outfits the size of TJX will accept them. On the other hand, taking $5 million in cash that could open several new stores or a new market and allocating it to a _potential_ loss situation – that’s just not compelling.
So therefore, I’d have to say that maybe – MAYBE – Ms. Meyrowitz’s peers are making the right business decision if they don’t do anything and roll the dice.
It’s all in the utility of that $5 million they could spend to upgrade their IRM program, isn’t it?