TJX Settles with 6 of 7 Banks
Visa Issuers Also Approve $40.9 Million Payout TJX Companies, Inc. (NYSE: TJX) has settled with all but one of the seven banks and associations that sued in a putative class action as a result of the intrusions into TJX’s computer system. (See related story: New England Banks File Class Action Suit Against Retailer TJX). When the data breach was first announced in January 2007, more than 45 million credit cards were thought to be involved. Now, as the case has unfolded, the total is believed to be closer to 100 million credit cards.Under the agreement, the state banking associations and other plaintiff banks dismiss all claims against TJX. The one remaining bank, Amerifirst Bank, based in Union Springs, AL, declined to take part in a deal that included state associations representing hundreds of banks in Massachusetts, Connecticut and Maine, as well as Massachusetts-based Eagle Bank and Saugusbank, and Connecticut-based Collinsville Savings Society.
See Also: Gartner Market Guide for DFIR Retainer Services
Although both sides said the settlement total would be confidential, TJX said the costs were covered by a $107 million reserve it set aside against its second-quarter earnings. TJX said the $107 million would cover the costs of another breach agreement: a Nov. 30 deal with Visa Inc. to help pay a maximum $40.9 million to help the network's card-issuing banks recover expenses to replace customers' Visa cards. (See related story: TJX, Visa Agree to $40.9 Million Payout for Data Breach).
This past Thursday, TJC announced it won support from the Visa card-issuing banks to move forward with pay-out plans. The Nov. 30 agreement needed approval from issuers of at least 80 percent of the Visa accounts potentially affected. TJX said it got approval from more than 95 percent.
Between the two agreements and costs of about $125 million to boost security, “TJX did a good job of estimating the damages they would have to pay for this breach and they’re putting this behind them,†says Avivah Litan, an information security analyst with Gartner Inc.
Lessons Learned?
TJX, based in Framingham, MA has $18 billion in annual revenue and 2,500 stores including T.J. Maxx, HomeGoods and Marshalls, also faces pending state and federal investigations into the breach, which could result in fines. It has already borne the brunt of a report by Canada’s Office of the Privacy Commissioner of Canada (OPC) and the Office of the Information and Privacy Commissioner of Alberta (AB OIPC) (TJX Report: Wake-up Call for All Institutions)
According to Litan, TJX will survive this data breach, which is thought to be the largest in history. “They certainly have beefed up their security. It was a very costly mistake for them.â€
Despite a reported drop of 57% in second quarter profits for TJX in 2007, “They survived intact, their sales are stronger than ever, and their share price has held up,†Litan says. “It hasn’t made a big impact in the long run on their profitability or store revenues.â€
Carol Meyrowitz, President and Chief Executive Officer of The TJX Companies, Inc., says, “Our experience underscores broader challenges facing the U.S. payment card system that require urgent action by merchants, banks, payment card companies and associations, to better serve and protect customers.â€
The settlement reimburses the banks for a negotiated portion of the banks’ costs and expenses, but excludes attorney fees. The settlement comes after December 12 ruling where the banks suffered a setback. U.S. District Judge William Young ruled the banks could not pursue their claims as a class, and instead would have to individually sue TJX to recover costs.
Banks: No Hollow Victory
The bank associations say they believe that many of the objectives of the litigation have been achieved through the developments leading up to this settlement. “For our member banks, the protection of customer data has always been of paramount importance,†says Daniel Forte, president, of the Massachusetts Bankers Association. “We are pleased to see the steps undertaken by TJX to improve the protection of cardholder data. Those steps have resulted in TJX having recently been certified as fully PCI DSS compliant by an independent PCI-approved assessor.â€
“Over the past six months,†adds Forte, “validated compliance for the large, level–one retailers has improved from approximately 40 percent to 70 percent, and we believe our case was highly influential in achieving this progress. This data breach and the ensuing litigation have clearly initiated an important nationwide dialogue on the importance of improving the security of the U.S. payment card system.â€
The associations also note the positive impact this case had in explaining the complicated nature of the card payment system to the wider audience. “It was an important education tool for the general public that the banks were not the source of the data breach,†says Forte.
Forte adds, “Visa’s and TJX's recent announcement of an Alternative Recovery Offer is also significant. Indeed, in banking terms, it is historic and precedent setting. Through that offer, TJX has agreed to fund up to $40.9 million in payments to Visa issuing banks which may have suffered damages as a result of the data breach. This alternative recovery solution will, in many cases, allow issuing banks to recover more than would otherwise be possible through existing recovery mechanisms.â€
While other settlements still wait to be heard in this data breach case, Litan concludes, “The message for other companies is: If you get caught up in a data breach, it’s costly, but nothing you can’t survive from if you’re a large company.â€