Topps Meat Company: 0157:H7 E.Coli, Breaches & You…
A few days ago, Topps Meat Company, a 67-year-old company and one of the largest producers of frozen meat products in the country, shut its doors for good.
Why?
They had a breach of the sanitation persuasion. From the NY Times:
Topps Meat Company, one of the country’s largest manufacturers of frozen hamburgers, said today it was going out of business after it recalled more than 21.7 million pounds of ground beef products last month. The company, based in Elizabeth, N.J., said a few of its 87 employees will remain at the plant to help the United States Department of Agriculture investigate how the E. coli bacteria tainted frozen hamburger patties made there.
Anthony D’Urso, the chief operating officer at Topps, said the company was unable to withstand the financial burden of the recall.
“This is tragic for all concerned,” Mr. D’Urso said in a statement. “In one week we have gone from the largest U.S. manufacturer of frozen hamburgers to a company that cannot overcome the economic reality of a recall this large.”
On Sept. 25, the United States Department of Agriculture announced a recall of frozen hamburger patties from Topps, saying that the meat was potentially tainted by E. coli bacteria. Officials at the agency conceded that they knew that meat from Topps was contaminated on Sept. 7, when the first positive test results for E. coli came back.
The financial strain associated with a recall of spoiled meat in a single week killed them.
So what does this have to do with data breaches?
When the ChoicePoint scandal hit, we saw Card Services shutter due to direct economic pressure (they could no longer process credit cards) brought about by the fallout from data breaches, but contrast that with the experience of a recent "breacher" such as TJX and some might argue that not only has it not actively impacted their P&L negatively, but it’s made them a better, stronger and more profitable company. The figures don’t lie:
After the TJX debacle I remember seeing predictions that people will vote with their feet. Of course they didn’t, sales actually went up 9%. The same argument was made for Ruby Tuesdays who lost some credit cards. It just doesn’t happen. Lake Chad and disasters on a global scale continue to plague us due to climate change yet still people refuse to stop buying SUV’s.
Check out the chronology of security breaches from the Privacy Rights Clearinghouse. The total number of records containing sensitive personal information involved in security breaches:
167,308,738
That number is mounting every day and some of these breaches you don’t even hear about in the press.
Have we become so desensitized to this breach fiasco that it’s become just a mild inconvenience? Or is it that credit card number losses have been subconsciously classified outside of the scope of "identity theft?"
Think about it. Having your credit card number stolen is really, in the scope of things, not that big of a deal. You call the CC company, dispute any charges you didn’t make, they close the account and despite the inconvenience, that’s it. Then a new card shows up in the mail, sometimes with a larger spending limit! Sweet!
The liability is minimal. It’s happened to me twice. My credit wasn’t impacted, my life didn’t end. In fact, I got a card with a cool Koi on it that matches one of my tattoos. I’m not saying it goes that "well" for everyone, but what’s the impetus for consumer outrage?
As soon as the liability is shifted away from the banks who suck it up and take the hit (as do the vendors whose merchandise is stolen,) and moves closer to the consumer, we’ll see some agitation and consumer outrage.
Until then, I suppose we’re content to just go on eating spoiled meat (as it were) and get a new credit card number every three months until a company like Topps — or rather one that people really care about — goes through the meat grinder and closes its doors.
Where’s the beef?
/Hoff
The difference is that the Topps failure was in their core industry, but TJX's failure wasn't. TJX's failure had an impact, and will continue to have an impact, but did not impact their ability to deliver goods to retail customers. An equivalent failure to what happened to Topps would be if a large percentage of the goods TJX sold through their many retailers had to be recalled because it was making their customers sick. A data theft issue for TJX doesn't threaten their line of business.
No impact to P&L? They have publicly stated that it did impact their P&L in a major way… A $128 million dollar charge which negatively impacts earnings per share by 25 cents this year and another 5 cents next year. Revenues have continued to do well (btw, most people look at same store sales as a better metric for retailers rather than overall revenue) as you point out. Given the rapid growth of the top line in addition to a $1 billion share repurchase (7% of market cap) and the stock is just now trading at the same level it was at the time of the intrusion indicates that this did cost them upside on their market cap for a period of time (perhaps).
I tend to agree with Walter Williams' comment above. Credit Card processing is not the core business of TJX, as it was for Card Systems. But still, there are many anomalies I have trouble explaining.
When you ask the question "What about ChoicePoint?" They are a data processing company and you would think that data management would be part of their core business, and the security of that information would be essential. Still, they appear somewhat unaffected. Is it because they tend not to do business with Joe Consumer, rather large institutions? Reed Elsevier and any of the 50 (give or take) LexisNexis breaches? It does not seem to have affected their business or stock price. And one of the more interesting ones, the Acxiom breach, their biggest customers continued to do business with them, but only after requiring them to change security practices and submit to periodic audits.
I know we all like to quote Ponemon Institute for their study on the costs of data breaches and the like, but I don't think that is the most appropriate one I have seen. There was a study out of the Hoover Institute at Stanford University a couple of years ago, tracking the stock price of companies post data breach. The results of the study at first appeared random, and stock price might be up or down within the 6 to 9 months post breach. The only opinion that was gleaned, from interviews and press release reviews, was that the companies perceived to be competent, confident in their ability to resolve the issue and had a concrete plan of action saw the stock stay the same or rise. Companies with a poor message and response, the stock lagged. This is far from concrete evidence, but it appears to me that a marketing & PR data theft plan of action tends to be the most effective preservation of brand value and stock position. I am not trying to advocate PR as a mask for bad security, but it appears to help guard against the public fallout.
@Toby:
Methinks I should restate based upon your financial analysis fu which is obviously better than mine. I should have been more careful in what I said…thanks for the schooling here. 😉
What I *should* have said is that ultimately given their topline revenue growth, consumer confidence (including my wife's) has not swayed people from shopping there.
Since I've got you on the line ;), it does make me suspicious, however, when companies experience a breach and then take a charge like this if it's a way of burying other costs for infrastructure upgrades and compliance activities that would otherwise appear "too expensive" to account for as a normal CapEx/OpEx activity?
Should I shut up and stop reaching or could you see this happening?
@Adrian & Walter:
Good point regarding core vs. ancillary/enabling business functions. It's readily apparent that a data theft doesn't threaten their core line of business…but I find it hard to believe that if they were unable to take CC as payment if we'd talk about it the same way.
I totally agree with you regarding messaging and response/PR. Just look at the Ameritrade debacle…
Guys, you'll have to excuse me as I learn to work these discussions differently; I've realized that if I write a big old post and explain all my thinking logically, nobody comments. When I leave big ass gaps in my logic, y'all jump in and make some really good points.
It's hard to make looking stupid so easy 😉
Thanks,
/Hoff
I think you are right…it would be possible to cover up costs this way especially since Wall Street typically looks at these costs as one time hits. Typically companies do like TJX did and call these "special charges" and then provide Wall Street two sets of operating numbers…GAAP and then non-GAAP which excludes special charges…in effect the investors don't see this as a continuing expense.
Just wanted to echo the sentiments above, which they beat me to the punch about. TJX's core business wasn't really affected, but ChoicePoint and Topps had their entire revenue-generating processes interrupted for longer than they could tolerate. (Wow, 1 week?)
Still, that's an interesting, logical, and somewhat disheartening idea…that maybe security isn't all that important (social ethics and obligations aside) when it's not really what is generating your revenues. I would suppose that Amazon getting its databases exposed and stolen would impact them a heck of a lot more than TJX's brick'n'mortar operations.
Then again, we're typically not a good general public when it comes to paying attention to the things that really matter and instead making a whole hell of a big deal about Britney Spears or some other trivialities…
Perhaps TJX is also large enough to absorb the hit they suffered, whereas ChoicePoint and Topps simply aren't big enough to withstand such a hit.
Nothing bad ever comes of credit card fraud. Or maybe it does. http://www.emergentchaos.com/archives/2007/04/buy…
Card issuers outside the US aren't constrained by Reg E, and don't have to offer $50 limits.
Debit card theft can lead to drained bank accounts, overdraft fees, etc, before/if you get your money back.
I'm surprised it hasn't been bigger. Perhaps desensitization was a good plan…
@LonerVamp: Yup. You're exactly right. In the grand scheme of things, if the money allocated for security doesn't protect the things that matter most and affect your core business, a GOOD BUSINESS DECISION (I know I'm on the edge here…) would be not to invest.
That doesn't mean that from an ethical and social obligation perspective that a company shouldn't follow its "heart" and do what's right, but that rarely happens.
That's why these breaches will continue to happen – the cleanup is merely acceptable risk with losses that are slightly painful.
Nasty.
@Adam:
I know first hand about that. My last experience was less painful but I once had a series of successive Debit Card withdrawals removed electronically from my account via ACH and it took weeks to get my money back…to the tune of $2600. Straight out of my checking.
/Hoff