The “customer concern” argument for InfoSec is dead
Various news outlets are reporting that TJX has now been named in over 20 lawsuits, some class action. HarborOne Credit Union has apparently billed TJX $590k for costs and damage to brand.
TJX have reported an increase in sales of 5% according to Reuters yesterday. Analysts were apparently expecting 3.9%, so on that basis it has outperformed market expectations.
TJX’s share price dipped by over 2.5% at one point after the two announcements.
What does this all mean?
Well, customers don’t care, revenue is up. I can’t find any details about profit levels and it is possible that TJX slashed their prices to “buy” the customer. However, if that is the case, then it’s simply a case of price compensating for poor security. If TJX did not slash their prices, then the consumer simply doesn’t care.
So, as an organisation, you can be shown to lose over 45 million credit card details, cause at least $8M worth of fraud transactions and still increase sales.
Surely, this means that one of the staple arguments for InfoSec, that of “Brand Protection”, is dead and buried. No one cares.
That said, the share price dipped by over 2.5% after the announcements. Was that due to “poor” trading or because of the lawsuits? The results have outstripped analysts’ expectations so it doesn’t appear to be poor trading. This could suggest that the longer term effects of the lawsuits and the impact on profit levels from all the associated costs might be playing on shareholders’ minds.
I don’t know, but the interesting point this raises is that maybe we Security Professionals have been trying to sell the wrong issue. Perhaps we should be selling “shareholder confidence protection” and not “consumer confidence protection”.
Worth thinking about, I reckon.


