If the loss of millions of customer credit- and debit-card records from TJX Cos. plays out like previous data-breach cases, the final cost of the theft could add up to more than $1 billion, some technology analysts say.
The exact cost to TJX itself is unclear and may be lower. Insurance and tax credits may offset the Framingham retailer's expenses, which could be spread over several years. Banks that issue the credit cards may also have to pick up part of the costs.
Regardless, the liability would be among the highest associated with lost or stolen data, say analysts. They arrived at their estimates by comparing the cost of breaches at other companies in areas such as technology upgrades, contacting customers, reissuing cards, and lost customers.
Because TJX's breach was so extensive, they say, regulators and business partners will be looking for hefty penalties. "When you hit a million or more records, then you get much more scrutiny," said Jon Oltsik, senior analyst for Milford consulting company Enterprise Strategy Group, who is among those who estimate that the TJX breach could cost more than $1 billion.
TJX, which operates stores such as TJ Maxx, Marshalls, and HomeGoods, has said it spent $5 million through the end of January on costs such as technical and legal fees and customer communications related to the breach. The company believes that hackers tapped into its computer system and compromised more than 45 million customer records going back as far as 2003, the largest data breach to date.
In a recent securities filing, TJX said it may incur unspecified losses due to claims by banks, customers, and shareholders, and from costs like technical and legal expenses, all of which "could be material to our results of operation and financial condition."
TJX spokeswoman Sherry Lang called the $1 billion cost estimates "pure speculation by people who are outside the company." She said it is hard to compare the cost of TJX's breach with previous cases since every example has "many variables and no two situations are the same, and no two companies are the same."
So far, investors and Wall Street analysts haven't reacted strongly. TJX's shares closed at $27.82 yesterday, compared to $29.85 on Jan. 16, the day before TJX disclosed the matter. One reason is that most investors don't expect the final costs to be so significant.
"The worst case here is that there's some financial penalty to them, and I don't see how it could be major in relation to their business," said Richard Pzena of Pzena Investment Management LLC in New York, one of TJX's largest shareholders.
A recent report from Forrester Research of Cambridge estimated breaches have cost companies between $90 and $305 per lost record, including notifying customers, hiring contractors to fix computer systems, fines, and lost business. The report did not specifically analyze TJX's costs.
Using the low end of Forrester's range, $90 per card, multiplied by the 15 million unexpired debit- and credit-card records TJX says were compromised, yields a figure of $1.35 billion. (TJX said an additional 30 million or so cards were compromised but had expired, in theory making that information harder to use fraudulently.)
Forrester study author Khalid Kark said in an interview that $1.35 billion is a realistic minimum estimate of TJX's costs over several years, though he acknowledged it could be lower because of insurance and other factors. But Kark added that regulators and business partners like banks are primed to seek big payouts from TJX amid increasing concerns about protecting customer data and will be "looking for a scapegoat, basically."
TJX already faces more than a dozen lawsuits seeking damages over the breach. One brought by AmeriFirst Bank of Alabama seeks to represent other institutions that will have to reissue credit cards at a cost of $20 each, money it seeks to recover from TJX.
A study by Michigan data privacy researcher Larry Ponemon of 31 breaches last year found such incidents cost firms about $182 per compromised record, though no incident cost a company more than $22 million.
In an interview, Ponemon estimated TJX's costs might wind up in the hundreds of millions of dollars, less than other estimates. For one thing, cleanup steps like protecting databases cost the same no matter how big the breach. The total would only exceed $1 billion if many cases of identity theft crop up and force TJX to increase advertising spending or take other steps, he said.
"The jury's still out on this," he said.
Joel Winston, a privacy official for the Federal Trade Commission, said he is aware of cost estimates of lost records, but said expenses may be lower depending on what information is lost. He said he couldn't discuss TJX's case specifically, however.
Pzena, the investor, said he doesn't think TJX's costs will amount to much. He noted there could be offsetting tax deductions, and others said insurance payments could also mitigate TJX's long-term costs.
"They could handle it out of their cash flow over the next few years, if necessary, so it doesn't threaten their financial viability," Pzena said. For the 12 months ending Jan. 27, 2007, TJX reported a profit of $738 million on sales of $17.4 billion.
Pzena also noted TJX recently increased its dividend and authorized repurchasing more shares. "They don't seem to be worried that there is a significant cash drain coming in the near future," he said.
Ross Kerber can be reached at kerber@globe.com.


