A five-month-long Home Depot data breach that led to the theft of upwards of nearly 60 million consumers' credit card numbers and other personal data reopened gaping holes in U.S. credit card security. It also left Home Depot vulnerable to critics who say it didn't do enough to safeguard its customer's sensitive data.
“Data breaches can clearly hurt a merchant’s reputation,” says Matt Schulz, senior credit card industry analyst for CreditCards.com. "However, it’s incredibly important for merchants to be as transparent as possible and to make decisive moves that will have a real impact.”
According to The New York Times, Home Depot's data security has been an issue for some time. Employees accused the company of dragging its feet in responding to this year's breach, but in 2012 it hired a computer engineer who had previously been sentenced to prison for tampering with other employers' computer systems.
That's a whole lot to overcome, especially when the 56 million credit card numbers lost during the breach made the 40 million numbers Target (TGT) lost during its credit card breach in 2013 seem paltry by comparison. That even topped the 46.5 million numbers that TJX (TJX) stores including T.J. Maxx and Marshall's coughed up after a breach of its payment systems in 2007.
According to Bill Wohl, vice chairman of the U.S. Reputation Leaders Network, part of the Reputation Institute research and advisory firm focused on corporate reputation, research on companies that experience data breaches reveals enormous damage to a company's reputation in each instance.
"For example, while Target's reputation scores have been declining for some time, the largest drop was in the last year alone, and the largest of any U.S. company," Wohl says. "Since 2011, Target's CSR score -- a measure of the enterprise dimensions of reputation that include 'workplace,' 'governance,' and 'citizenship' -- fell dramatically, the largest drop among any U.S. retail company in the same time frame."
That blow to a company's reputation is costly, as merchants have to shell out big money to update security in an attempt to win back customers. TJX paid $256 million the year after the breach to help customers clear up their credit records and to address the legal claims of those who couldn't. When 20% of customers took the company up on its offer for a free credit watch, it became a huge portion of the $1.24 billion TJX would have to spend on public relations, internal investigations and other related costs.
However, the buying public rewarded the effort by not only inflicting negligible damage during the quarter when the breach was announced, but driving sales up 9% during the following quarter.
"I think that consumers are more likely to forgive a major data lapse -- and continue shopping with the retailer -- if they’re confident that the retailer is up front with them about what happened and that moves are being made to prevent it from happening again," Schulz says.
When that doesn't happen, companies pay the price. Target had its breach occur right in the middle of last year's holiday shopping season and was unable to stop it despite spending $1.6 billion on security software just six months before to prevent such an attack. The software worked and alarms went off, but the company failed to act. That failure resulted in dozens of lawsuits against the company and a $61 million effort by Target to respond to customer concerns. That cost Target 46% of its holiday profits compared to a year earlier, with legal costs still mounting.
Those tracking the damage to Target's reputation after the breach say the result for the retailer has been disastrous. The Reputation Institute tracks how incidents affect the number of shareholders who "would buy" or "would recommend" a company's stock and found that only a chain that's spent the better part of a decade racking up losses and failing to invest in its stores fared worse than Target.
"Target has the second lowest percentage in the retail industry, ahead of only Sears, for these measured behaviors," Wohl says. "While each company's situation is unique, the impact of the data breach at Target on reputation is at least a leading indicator of potential reputation concerns for other companies, like Home Depot, and reinforces the seriousness of the reputation risks associated with data breaches."
In Home Depot's case, its recent data breach prompted the retailer to do what most U.S. retailers had refused to do until October 2015: Ditch magnetic-strip cards and embrace European-style chip-and-pin payment technology. EMV cards -- which take their name from Europay/MasterCard/Visa -- contain an embedded microchip that is authenticated using a personal identification number. A reader detects the chip and asks the card user for a PIN that matches the one found on the chip. There isn't a magnetic strip with all a user's data embedded in it and there's a far smaller chance of a chip-and-PIN user's data being stolen.
It's estimated that 40% of the world's cards and 70% of its terminals outside the U.S. are using the EMV cards. Visa says 62% of its transactions outside the U.S. use EMV technology. However, neither merchants nor banks, credit unions or other financial institutions are in any rush to embrace EMV because of the estimated $8.65 billion cost of replacing cards, terminals and ATM machines throughout the U.S.
The U.S. government set an October 2015 deadline for a "liability shift" that, for the first time, would put merchants on the hook for the entire cost of a data breach if they refused to accept payments from cards using EMV technology. Home Depot now says that technology will be rolled out at its U.S. stores by "early 2015." It is also offering free identity protection services and credit monitoring to any customers who used their cards at Home Depot stores from April 2014 to present. Home Depot's share price is still up 12% year-to-date and 21% since last September, but customers' reaction to its handling of the data breach and its early embrace of more secure chip-and-pin technology will determine how well its finances and reputation remain intact.
Americans are becoming more savvy about the impact of those tools, and if a retailer can be seen as being on the forefront of acceptance of them, it can be helpful, Schulz says. "On the flip side, the worst thing that a retailer can do is nothing."
This article is commentary by an outside contributor and separate from TheStreets news coverage.