Inside 1to1: Privacy

TJX Customers Trust a Bargain

June 1, 2007

By Don Peppers and Martha Rogers Ph.D.

When retail behemoth TJX revealed in January that thieves had invaded its systems and stolen a wealth of consumer data, most observers expected the company would feel a profound impact. Given all the studies that illustrate heightened consumer concern about privacy and security issues, pundits speculated that consumers would register a vote of no-confidence by shopping elsewhere, punishing the retailer for the lengthy security compromise that exposed credit and debit card information for nearly 46 million customers.

However, when TJX unveiled its fiscal results for the quarter that ended April 28, the company reported sales were up 6 percent from the same period last year.

But there is little doubt that the undetected 18-month intrusion into the company's computer system has staggering costs. The parent company of TJ Maxx, Marshalls, HomeGoods and other stores reported last week that breach-related costs have totaled $20 million so far. Lawsuits are mounting. Attempts to restore the company's flagging reputation are under way, perhaps starting in earnest earlier this month when the company's new chief executive apologized for the breach during its annual shareholders meeting.

Amid the escalating costs and uncertainty on the company's bottom line, loyal customers seemed undeterred when it came to hunting down a bargain at their favorite TJX store.

Welcome to the era of privacy and security schizophrenia, where consumers' apparent no-tolerance policy for breaches often has different results at the cash register.

" 'Schizophrenia' is a good word for it," says Dr. Larry Ponemon, CIPP, Founder and Chairman of the privacy/data think tank The Ponemon Institute. "People are often shocked and dismayed when they find out that an organization has had a privacy or security issue. But more and more often, their behavior after it doesn't reflect that disappointment."

Ponemon points to his organization's "Most Trusted Companies For Privacy" study of the banking business, which illustrates a similar disparity. The first time the Institute conducted this study, it found that people weren't especially fond of the convenience roadblocks posed by online security measures.

"We'd ask, 'If you forgot your password, what would be an acceptable amount of time for the bank to get you a new one?' They'd be like, 'Right away! Right away!'" Ponemon said. "They've shown more of a willingness to forego some of that convenience in exchange for better privacy, but you can still sense some impatience."

So how can we reconcile the TJX breach with consumers' apparent willingness to forgive, no matter what they say about privacy when formally asked? The surveying/studying methodology itself could have something to do with it, especially when it clashes with real-world convenience.

"In some of the studies, the question is phrased as, 'If a retailer put your privacy or security at risk and exposed you to identity theft, would you continue to do business with that company?' When it's put that way in that setting, the person responds by saying, 'No way! Never!'" explained Jennifer Barrett, Chief Privacy Officer of information-management firm Acxiom. "But a month after that, if that person needs to buy something on the way home and that retailer is the most convenient place to go, the person will usually buy there."

Peter Vogel, a Partner in the Dallas law firm Gardere Wynne Sewell, Chair of the Texas Supreme Court Judicial Committee on Information Technology and an adjunct professor of computer law at Southern Methodist University Law School, agreed. "We're all pragmatists," he said, adding that an organization like TJX also might be benefiting from consumers' false sense of security. "People think that once an organization has a security or privacy issue, there won't be a second one. They believe the problem gets addressed and won't happen again."

And don't rule out the TJX value proposition. The company's retail brands are associated with convenience and low cost -- and customers return again and again in search of a bargain.

A final explanation is the one that worries privacy/security advocates most: that consumers have become so inured to the frequent reports of breaches that they no longer pay them much notice. "You wonder if people have grown complacent," Ponemon adds. "Hopefully we haven't reached the point where people put a breach in the same category as one of those Gramm-Leach-Bliley privacy notices that nobody reads anymore."

The larger question for TJX is how it goes about winning the trust of new potential customers and repairing damage to relationships with existing customers. As the costs of lawsuits and potential regulatory fines mount, the company must contend anew with the impacts on its reputation.