TJX, Visa Agree to $40.9 Million Payout for Data Breach

Pending Deal Also Calls for TJX to Promote PCI Standard
The TJX Companies, Inc. (NYSE: TJX) and Visa have announced that TJX has agreed to fund up to $40.9 million for payments to certain financial institutions following the much-publicized data breach of its computer systems.

The proposed payout is a result of news announced earlier this year, when Massachusetts-based retailer TJX revealed that more than 46 million credit and debit card accounts were hacked in the data breach, going back as far as 2003. Later, court documents revealed that the number of customers affected may be more than 96 million. (See: TJX Worse Than Thought.)

Under the agreement between TJX and Visa, an alternative recovery offer will be made to eligible U.S. Visa issuers that issued payment cards potentially affected by TJX's previously announced unauthorized computer intrusions.

The settlement will only be completed if 80% of the card issuers accept the alternative recovery offer by December 19. If they accept, payment will be made by December 27.

Under the terms of the agreement, TJX, the parent of discount chains including TJ Maxx and Marshalls, said financial institutions that issued Visa payment cards affected by the computer breach could receive payments in return for agreeing not to sue or take other steps against TJX and banks such as Fifth Third Bancorp of Ohio, which process TJX's transactions.

Visa would also suspend certain fines, and TJX will agree "to serve as a spokesperson" in support of new Payment Card Industry (PCI) data security standards.

"We believe this settlement agreement provides a fair resolution of these issues," TJX's President and Chief Executive Carol Meyrowitz said in a statement. "At TJX, we have learned a great deal about the risks of cyber attacks and have responded aggressively to take our own security to even higher levels. We have also learned about the heightened security risks that exist across the entire US retail and banking industries as a result of today's high tech criminals. We believe that cooperative action is required by all banks, payment card companies and merchants to better protect customer payment card data."

This proposed settlement comes on the heels of a US District Court judge last week denying an effort by a group of bankers and banking associations, which filed a class action suit against TJX, to recoup losses and costs related to reissuing credit and debit cards. (Read: New England Banks File Class Action Suit Against Retailer TJX)

The Massachusetts Bankers Association (MBA) calls the court's decision "only one step in a long, complicated case."

The MBA, which represents 205 banks in the state, is a co-plaintiff in an ongoing lawsuit against TJX filed in April. Others participating in the suit are the Connecticut Bankers Association and the Maine Association of Community Banks, as well as several individual banks. All of these entities were hoping to get the courts to certify them as members of a class.

"We are looking forward to the next hearing date on Dec. 11, when the court will consider important pending motions that we believe are related to class certification. Nothing in the decision discusses or addresses the conduct of TJX," said the statement issued by the MBA.

The banking plaintiffs in the class action suit have not set a dollar figure on the total damages sought in the suit. Industry analysts estimate the total costs to TJX at $500 million to as much as $1 billion.


About the Author

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.



