TJX Settles with 6 of 7 Banks
Visa Issuers Also Approve $40.9 Million Payout
TJX Companies, Inc. (NYSE: TJX) has settled with all but one of the seven banks and associations that sued in a putative class action as a result of the intrusions into TJX’s computer system. (See related story: New England Banks File Class Action Suit Against Retailer TJX). When the data breach was first announced in January 2007, more than 45 million credit cards were thought to be involved. Now, as the case has unfolded, the total is believed to be closer to 100 million credit cards.
Under the agreement, the state banking associations and other plaintiff banks dismiss all claims against TJX. The one remaining bank, Amerifirst Bank, based in Union Springs, AL, declined to take part in a deal that included state associations representing hundreds of banks in Massachusetts, Connecticut and Maine, as well as Massachusetts-based Eagle Bank and Saugusbank, and Connecticut-based Collinsville Savings Society.
Although both sides said the settlement total would be confidential, TJX said the costs were covered by a $107 million reserve it set aside against its second-quarter earnings. TJX said the $107 million would also cover the costs of another breach agreement: a Nov. 30 deal with Visa Inc. to pay a maximum of $40.9 million to help the network's card-issuing banks recover expenses to replace customers' Visa cards. (See related story: TJX, Visa Agree to $40.9 Million Payout for Data Breach).
This past Thursday, TJX announced it won support from the Visa card-issuing banks to move forward with pay-out plans. The Nov. 30 agreement needed approval from issuers of at least 80 percent of the Visa accounts potentially affected. TJX said it got approval from more than 95 percent.
Between the two agreements and costs of about $125 million to boost security, “TJX did a good job of estimating the damages they would have to pay for this breach and they’re putting this behind them,” says Avivah Litan, an information security analyst with Gartner Inc.
TJX, based in Framingham, MA, with $18 billion in annual revenue and 2,500 stores including T.J. Maxx, HomeGoods and Marshalls, also faces pending state and federal investigations into the breach, which could result in fines. It has already borne the brunt of a report by the Office of the Privacy Commissioner of Canada (OPC) and the Office of the Information and Privacy Commissioner of Alberta (AB OIPC) (TJX Report: Wake-up Call for All Institutions).
According to Litan, TJX will survive this data breach, which is thought to be the largest in history. “They certainly have beefed up their security. It was a very costly mistake for them.”
Despite a reported drop of 57% in second quarter profits for TJX in 2007, “They survived intact, their sales are stronger than ever, and their share price has held up,” Litan says. “It hasn’t made a big impact in the long run on their profitability or store revenues.”
Carol Meyrowitz, President and Chief Executive Officer of The TJX Companies, Inc., says, “Our experience underscores broader challenges facing the U.S. payment card system that require urgent action by merchants, banks, payment card companies and associations, to better serve and protect customers.”
The settlement reimburses the banks for a negotiated portion of the banks’ costs and expenses, but excludes attorney fees. The settlement comes after a December 12 ruling in which the banks suffered a setback. U.S. District Judge William Young ruled the banks could not pursue their claims as a class, and instead would have to individually sue TJX to recover costs.
Banks: No Hollow Victory
The bank associations say they believe that many of the objectives of the litigation have been achieved through the developments leading up to this settlement. “For our member banks, the protection of customer data has always been of paramount importance,” says Daniel Forte, president of the Massachusetts Bankers Association. “We are pleased to see the steps undertaken by TJX to improve the protection of cardholder data. Those steps have resulted in TJX having recently been certified as fully PCI DSS compliant by an independent PCI-approved assessor.”
“Over the past six months,” adds Forte, “validated compliance for the large, level-one retailers has improved from approximately 40 percent to 70 percent, and we believe our case was highly influential in achieving this progress. This data breach and the ensuing litigation have clearly initiated an important nationwide dialogue on the importance of improving the security of the U.S. payment card system.”
The associations also note the positive impact this case had in explaining the complicated nature of the card payment system to a wider audience. “It was an important education tool for the general public that the banks were not the source of the data breach,” says Forte.
Forte adds, “Visa’s and TJX's recent announcement of an Alternative Recovery Offer is also significant. Indeed, in banking terms, it is historic and precedent setting. Through that offer, TJX has agreed to fund up to $40.9 million in payments to Visa issuing banks which may have suffered damages as a result of the data breach. This alternative recovery solution will, in many cases, allow issuing banks to recover more than would otherwise be possible through existing recovery mechanisms.”
While other settlements still wait to be heard in this data breach case, Litan concludes, “The message for other companies is: If you get caught up in a data breach, it’s costly, but nothing you can’t survive from if you’re a large company.”