
UV7357 Oct. 6, 2017

This case was prepared by Justin J. Hopkins, Assistant Professor of Business Administration. It was written as a basis for class discussion rather than to illustrate effective or ineffective handling of an administrative situation. Copyright © 2017 by the University of Virginia Darden School Foundation, Charlottesville, VA. All rights reserved. To order copies, send an e-mail to [email protected]. No part of this publication may be reproduced, stored in a retrieval system, used in a spreadsheet, or transmitted in any form or by any means—electronic, mechanical, photocopying, recording, or otherwise—without the permission of the Darden School Foundation. Our goal is to publish materials of the highest quality; please submit errata to [email protected].

Target Data Breach: Accounting for Contingent Liabilities

It was December 19, 2013, and Josiah Thrasher had just hung up the phone. His grandmother was very worried about the news disclosed that day that millions of credit cards were stolen from Target Corporation (Target) because she loved shopping at Target and was not sure what the news meant for her. Was she at risk of fraud? Thrasher was not sure what it meant for himself, either, as Target was a publicly traded company (NYSE: TGT) in his portfolio of investments. Thrasher figured it was worth the time to get to the bottom of the story.

He read the press release Target issued, which indicated that 40 million credit and debit cards belonging to customers who had shopped at Target stores from November 27 through December 15, 2013 had been compromised.¹ The next day, Target issued two press releases. The first reassured customers that they would not be responsible for any fraudulent charges to their cards, and the second was a more personal message from the CEO, Gregg Steinhafel, which confirmed Target’s commitment to its customers and offered a 10% discount for all shoppers on December 21 and 22.² “That seems generous,” Thrasher thought, but he wondered who would shop at a store that had just been hacked. The next several days were busy for Target’s public relations group, and it continued to issue security updates throughout December.

What bad luck to be on the receiving end of the largest hack of a retailer in history, right in the middle of the busiest shopping season of the year! Luckily for Thrasher, though, Target’s stock had barely budged (Exhibit 1). While the Internet was full of discussion about the breach, very little of it related to the costs Target was likely to incur. Target had just filed Q3 results on November 27, 2013, and would not file year-end results until March because, as a retailer, it had a fiscal year that ended on an unusual date. The current fiscal year would end on February 1. Thrasher would have to wait until then to figure out the extent of the financial damage caused by the data breach.

About Target

In 1902, George Draper Dayton purchased a parcel of land on Nicollet Avenue in Minneapolis, Minnesota, and founded Dayton’s Dry Goods Store. Dayton’s belief in “the higher ground of stewardship” focused on providing dependable merchandise at a fair price and a generous spirit of giving. This spirit led to, among other donations, the creation of the Dayton Foundation with a $1 million grant. The company grew rapidly, changed its name several times as it merged with other retailers, and took the name Target Corporation in 2000.³ As of 2014, Target operated nearly 2,000 retail stores in every state in the United States (except Vermont) and Canada.⁴ It was the second-largest discount retailer in the United States, employing 366,000 full-time, part-time, and seasonal employees, and it was listed on the S&P 100.⁵ Dayton’s philosophy of stewardship and giving pervaded the corporate culture; as of 2017, Target ranked number 44 among Forbes’s list of most-admired companies. It ranked first in its industry for social responsibility, and its community giving was widely recognized.⁶ A recent report from the Chronicle of Philanthropy indicated that Target had donated over $215 million in cash and products, or 4.4% of its pretax profits in 2015, to causes dedicated to children and youths, education, health, and hunger.⁷

1 Target Corporation press release, December 19, 2013.

2 Target Corporation press release, December 20, 2013.

For the exclusive use of S. Chou, 2021.

This document is authorized for use only by Shih-Chu Chou in 2021.

Target Corporation 2013 Financial Results

On March 14, 2014, Target issued its 2014 annual report. Thrasher could not help but notice the prominence Target gave to the data breach. Discussions of its effects began on page 2 and were repeated throughout the 10-K. Just out of curiosity, he searched the report for “data breach” and found 70 hits! The management discussion and analysis (MD&A) included nearly two full pages about the breach, but the breach was also discussed in the description of the business, risk factors, and several other places in the annual report.

Additionally, Thrasher found another disclosure later in the MD&A that described Target’s accounting for legal and other contingencies as follows:⁸

Legal and other contingencies: We are exposed to other claims and litigation arising in the ordinary course of business and use various methods to resolve these matters in a manner that we believe serves the best interest of our shareholders and other constituents. When a loss is probable, we record an accrual based on the reasonably estimable loss or range of loss. When no point of loss is more likely than another, we record the lowest amount in the estimated range of loss and disclose the estimated range. We do not record liabilities for reasonably possible loss contingencies, but do disclose a range of reasonably possible losses if they are material and we are able to estimate such a range. If we cannot provide a range of reasonably possible losses, we explain the factors that prevent us from determining such a range. Historically, adjustments to our estimates have not been material.

We believe the accruals recorded in our consolidated financial statements properly reflect loss exposures that are both probable and reasonably estimable. With the exception of Data Breach-related loss exposures, we do not believe any of the currently identified claims or litigation will materially affect our results of operations, cash flows or financial condition. However, litigation is subject to inherent uncertainties, and unfavorable rulings could occur. If an unfavorable ruling were to occur, it may cause a material adverse impact on the results of operations, cash flows or financial condition for the period in which the ruling occurs, or future periods.

3 Target Corporation website, http://investors.target.com/phoenix.zhtml?c=65828&p=irol-homeProfile&_ga=1.258843338.1706761340.1487173918 (accessed Feb. 15, 2017).

4 Excerpts from Target Corporation 10-K filing, March 14, 2014.

5 The S&P 100 was a subset of the S&P 500, a market-capitalization-weighted index of shares of the 500 largest companies traded on both the New York and American Stock Exchanges.

6 Chronicle of Philanthropy website: https://www.philanthropy.com/interactives/corporate-giving (accessed Feb. 15, 2017).

7 Excerpts from Target Corporation 10-K filing, March 14, 2014.

8 Excerpts from Target Corporation 10-K filing, March 14, 2014.


For Data Breach-related exposures, we are unable to reasonably estimate a range of probable loss in excess of the recorded payment card network contingent losses. We believe that losses from the payment card networks in excess of the amounts recorded in fiscal 2013 are reasonably possible, and that these losses could be material to our results of operations in future periods, but we are unable to estimate a range of such reasonably possible losses. We are also unable to estimate a range of reasonably possible losses arising from Data Breach-related litigation and governmental investigations.

Finally, in the footnotes to the financial statements, Thrasher found the following:⁹

Insurance coverage

To limit our exposure to Data Breach losses, we maintain $100 million of network-security insurance coverage, above a $10 million deductible. This coverage and certain other insurance coverage may reduce our exposure. We will pursue recoveries to the maximum extent available under the policies. As of February 1, 2014, we have recorded a $44 million receivable for costs we believe are reimbursable and probable of recovery under our insurance coverage, which partially offsets the $61 million of expense relating to the Data Breach.

After examining the 10-K, Thrasher was unsure how important the data breach was to Target. On one hand, Target seemed to have thoroughly explained the breach and possible consequences. On the other, it seemed as if very little was known at the time. He wondered how material the breach was given that Target’s net income was nearly $2 billion in 2013, it had $44.5 billion in assets, and it generated $6.5 billion in operating cash flows. Further, he also noticed that Target issued non-GAAP financial measures, which removed the effect of the data breach (see page 25 of the 10-K).

9 Excerpts from Target Corporation 10-K filing, March 14, 2014.


Exhibit 1

Target Data Breach: Accounting for Contingent Liabilities

Target Corporation Share Price

[Chart not reproduced. Vertical axis: Share Price (50 to 80); horizontal axis: Date.]

Source: Created by author.
