The High Cost Of Identity TheftThe High Cost Of Identity Theft

Besides a series of annoying TV commercials, the real-world impact of identity theft is much debated these days. Finally, there are some cold, hard numbers.TJX, the poster child for grandiose data theft, said yesterday that its second-quarter profit fell by 57% due to a $118 million charge related to "unauthorized computer intrusion(s)."

"We have continued to learn more about the computer intrusion(s) and are now able to estimate the Company's liability," said TJX CEO Carol Meyrowitz, in a statement.

To recap: TJX, the parent company of T.J. Maxx, Marshall's, and other discounts retail chains, announced in January that it had suffered the compromise of more than 45 million customer records sometime over the previous year and a half. That customer data has started turning up recently in identity-theft schemes, particularly in Florida.

As a result of the data breach, TJX is being sued by a couple of class-action-lawsuits worth of customers and several banks. TJX still claims not to know much about the hacker break-in(s), including whether it was one big heist or a series of hacks (thus the parentheticals).

TJX already had taken a total of $17 million in charges related to the data theft in its previous two quarters. As for the $118 million:

"This charge includes $11 million (after tax), or $.02 per share, for costs incurred during the quarter, as well as a reserve of $107 million (after tax), or $.23 per share, for the Company's exposure to potential losses. This reserve reflects the Company's estimation of probable losses, in accordance with generally accepted accounting principles, based on the information available to the Company as of August 14, 2007, and includes an estimation of total, potential cash liabilities from pending litigation, proceedings, investigations and other claims, as well as legal and other costs and expenses, arising from the intrusion(s). In addition, TJX expects to incur future non-cash charges of approximately $21 million (after tax), or $.05 per share, that are not included in this reserve and could be recorded in fiscal year 2009. Together, these cash and non-cash charges represent the Company's best estimate of the total losses the Company expects to incur as a result of the computer intrusion(s)."

Identity theft is not a major priority for CIOs. According to information Research's most recent Information Security Survey, only a fourth of the more than 1,000 U.S. respondents cite "Customer-data theft by outsiders" as a top security priority, which made it fifth on the list behind viruses, spyware, spam, and "unauthorized employee access to files and/or data." Of the 804 respondents reporting network intrusions last year, only 9% admit to identity theft. Strange, because almost a third admit to phishing attacks -- and isn't phishing one of the leading forms of identity theft?

Fueling the perception that identity theft isn't a big problem is a recent Government Accountability Office report entitled: "Personal Information: Data Breaches Are Frequent, But Evidence of Resulting Identity Theft Is Limited; However, The Full Extent Is Unknown." The title tells it all. In examining a number of data breaches, the GAO was unable to find a direct link with identity theft in the majority of cases. Also strange -- I can find several sites that will sell me somebody's personal data in about a half-hour's worth of Web surfing.

So, finally, with TJX's quarterly report, here are some stark numbers that should bring home for CIOs the potential cost of identity theft. There's a bottom line to everything, and for identity theft, this should be it.