Target finally breaks its silence

February 27, 2014

By all counts, the earnings release and follow-up earnings call that executives at Target Corp. did on Wednesday was a huge success. Despite a massive data breach that was revealed on Dec. 19 at the height of the December shopping frenzy and the ensuing fallout that saw Target’s fourth quarter profits drop by nearly 50%, the stock rose by 7% yesterday. As a result, much of the decline in the stock price that happened in the two months following the disclosure have now been erased.

That’s all been widely reported (see here and here, among others). What we found far more interesting was the 8-K that Target filed which included the earnings release that included some details that we don’t think many people paid much attention to. While we first covered this as a Red Flag yesterday, as we dug in a bit more, we thought it merited a bit more discussion.

First, as we noted yesterday, this was the first time since Dec. 19 that Target had filed anything with the SEC. While that kind of lengthy silence isn’t unusual for Target — last year, it also took an extended break from SEC filings between the filing of its third quarter Q on Nov. 21 and its all-important fourth quarter holiday earnings on Feb. 27 — this year, given the events, things were obviously quite different.

That meant that the 8-K that they eventually did wind up filing was going to be pretty interesting — information that most others seem to have ignored in favor of the more immediate earnings story. That’s because in the 8-K, Target updated its risk factors. While some were only mildly tweaked versions of risk factors included in the 10-K that the company filed on March 20, 2013, several were either changed significantly or were entirely new. To be sure, most of the new risk factors focused on the data breach, including a heavily rewritten item about keeping personal information about its customers secure.

As might be expected from a company like Target, the most important — and entirely new risk factor for the company — was the very last one, which we think seems more than a coincidence.  We think it’s worth paying close attention because the company warns this may very well have a material negative impact on the company’s operations and profitability. We know from reading way too many filings that companies are very careful about rolling out the “material impact” language. We’re including the entire risk factor — all 342 words — here because we think it’s important to read:

The 2013 data breach we experienced involved the theft of certain payment card and guest information through unauthorized access to our network. Our investigation of the matter is ongoing, and it is possible that we will identify additional information that was accessed or stolen, which could materially worsen the losses and reputational damage we have experienced. For example, when the intrusion was initially identified, we thought the information stolen was limited to payment card information, but later discovered that other guest information was also stolen.

A significant factor in determining our financial liability is whether our systems were in compliance with applicable payment card industry standards. While our systems were determined to be compliant by a third party in the fall of 2013, the standards are inherently subjective and the extent of compliance required is subject to differing views. Another factor in determining the amount of any liability is the extent of actual fraud losses experienced by affected card holders or other guests, which will not be known to us for several weeks or months. In addition, the governmental agencies investigating the 2013 data breach may seek to impose injunctive relief, which could materially increase our data security costs, adversely impact how we operate our network and collect and use guest information, and put us at a competitive disadvantage with other retailers.
Finally, we believe that the greatest risk to our business arising out of the 2013 data breach is the negative impact on our reputation and loss of confidence of our guests, as well as the possibility of decreased participation in our REDcards Rewards loyalty program which our internal analysis has indicated drives meaningful incremental sales. We experienced weaker than expected U.S. Segment sales after the announcement of the 2013 data breach, but are unable to determine whether there will be a long-term impact to our relationship with our guests or whether we will need to engage in significant promotional or other activities to regain their trust, which could have a material adverse impact on our results of operations or profitability.”

There’s a couple of important things going on here, beyond the material impact disclosure, which is obviously the most significant disclosure. That’s especially true given that during yesterday’s conference call, both Target’s CEO and CFO, refused to put a dollar figure on how much they’ve spent so far and how much more they’re likely to spend. During the call, executives talked about $44 million in insurance that they expected to receive, but CFO John Mulligan, in response to various analyst’s questions yesterday said that there would be “no estimate at this time” and that they would “not quantify the breach”.

As the company disclosed in a separate risk factor, yesterday, there are already more than 80 civil lawsuits that have been filed against Target. The company doesn’t provide additional detail on those suits, but did not that they’re not all individuals and shareholders. Some of the litigants are banks and other financial institutions. In that same risk factor, the company noted that it was also being investigated by “state and federal agencies, including State Attorneys General, the Federal Trade Commission and the Securities and Exchange Commission”. The company went on to say that all of those legal issues “may have an adverse effect on how we operate our business and our results of operations.”

There was also this addition to a prior risk factor about the company’s computer systems, where the company noted:

We continually make significant technology investments that will help maintain and update our existing computer systems. Implementing significant system changes increases the risk of computer system disruption. Additionally, the potential problems and interruptions associated with implementing technology initiatives could disrupt or reduce our operational efficiency, and could impact the guest experience and guest confidence.

Another risk factor about complying with federal, state, local and international laws included this important warning about: “any legislative or regulatory changes adopted in reaction to the recent retail-industry data breaches could increase or accelerate our compliance costs.” A day earlier, House Oversight and Government Reform Committee Chairman Darrell Issa sent a letter to Target CEO Gregg Steinhafel demanding additional documents, according to this published report.

Now, let’s put these various changes into some context. It is VERY rare for a company to make significant changes to its risk factors in an 8-K, especially just a month before it is expected to file its 10-K. It’s so rare, that when we checked, we could only find  11 other companies that had done this sort of thing dating back to 2001.

We suppose Target could have waited until it filed the 10-K to make these changes and doubt that most people would have caught them then. But by including this in the 8-K on the same day that the company released earnings, it pretty much guaranteed that it would be ignored.

We spend a lot of time looking at risk factors and we think there’s some pretty significant warnings in here. So while the market responded positively to the stock yesterday, we still think there’s a bit of pain left ahead.