By Mark Melin, published on ValueWalk.com
The practice of companies using their own, non-GAAP accounting standards to spin earnings is nothing new. But did last week a statement from Target Stores go too far? The Minneapolis-based retailer’s spokesman Eric Hausman was quoted as saying it will exclude from its accounting statements costs from a recent technology breach where 40 million of its customer credit and debit card accounts were hacked, customer’s private information stolen.
The key question is: are these really one time charges? Is there any residual, lasting impact on the Target brand or customers sense of security going forward? Multiple sources reported that after the December data breach occurred, Target’s traffic and credit card sales saw a significant drop. Can Target claim definitely the event is really only a onetime cost?
As Bloomberg’s Jonathan Weil notes: “It’s not as if Target hasn’t had stuff stolen from it before, or that it doesn’t get sued on a regular basis. The difference is that the latest data heists were really, really bad. The upshot: Small losses count (think shoplifters). But losses stemming from the theft of personal data for tens of millions of customers don’t count, because those would be much bigger. Put another way, the bigger the losses are, the less they matter.”
The costs being excluded from the firm’s forthcoming earnings report includes “liabilities to payment card networks for reimbursements of credit card fraud and card reissuance costs, liabilities related to REDcard fraud and card re-issuance, liabilities from civil litigation, governmental investigations and enforcement proceedings, expenses for legal, investigative and consulting fees, and incremental expenses and capital investments for remediation activities.”
Target’s Mr. Hausman was quoted as saying “It is a unique, nonrecurring event. This has never happened before. So it is not considered a part of our recurring operations.”
Pay attention to the concept that this is a unique, nonrecurring event when considering Target’s annual report which identifies several risk factors, including significant data security breaches that “could adversely affect our reputation and results of operations.”
If a firm identifies a potential risk, and then that risk occurs and costs the company money, can it be defined as a unique and non-recurring event? This is particularly interesting given the recent uptick in cyber security breaches and online crime. In the report 2013 Cost of Cyber Crime Study, HP and the Ponemon Institute said the cost, frequency and time it takes to resolve cyber attacks has risen for the fourth consecutive year. The report clearly shows a trend towards increasing costs of cyber crime, noting that the costs of solving cyber crime increased by 55% in 2013 when compared to 2012. Not only did the cost increase, but the time involved in solving the problems grew as well from 24 days in 2012 to 32 days in 2013. Perhaps most troubling is the fact the number of cyber crimes continues to rise, from 102 attacks per week in 2012 to an average of 122 in 2013. When investors consider the cost of cyber crime on earnings they consider that the costs a company actually incurs might be in the eye of the beholder.