TJX, Visa Agree to $40.9 Million Payout for Data BreachPending Deal Also Calls for TJX to Promote PCI Standard
The proposed payout is a result of news announced earlier this year, when Massachusetts-based retailer TJX revealed that more than 46 million credit and debit card accounts were hacked in the data breach, going back as far as 2003. Later, court documents revealed that number may be more than 96 million customers affected. ( TJX Worse Than Thought.)
Under the agreement between TJX and Visa, an alternative recovery offer will be made to eligible U.S. Visa issuers that issued payment cards potentially affected by TJX's previously announced unauthorized computer intrusions.
See Also: LIVE Webinar | Stop, Drop (a Table) & Roll: An SQL Highlight Discussion
The settlement will only be completed if 80% of the card issuers accept the alternative recovery offer by December 19. If they accept, payment will be made by December 27.
Under the terms of the agreement, TJX, the parent of discount chains including TJ Maxx and Marshalls, said financial institutions that issued Visa payment cards affected by the computer breach could receive payments in return for agreeing not to sue or take other steps against TJX and banks such as Fifth Third Bancorp of Ohio, which process TJX's transactions.
Visa would also suspend certain fines, and TJX will agree "to serve as a spokesperson'' in support of new Payment Card Industry (PCI) data security standards.
"We believe this settlement agreement provides a fair resolution of these issues," TJX's President and Chief Executive Carol Meyrowitz said in a statement. "At TJX, we have learned a great deal about the risks of cyber attacks and have responded aggressively to take our own security to even higher levels. We have also learned about the heightened security risks that exist across the entire US retail and banking industries as a result of today's high tech criminals. We believe that cooperative action is required by all banks, payment card companies and merchants to better protect customer payment card data."
This proposed settlement comes on the heels of a US District Court judge last week denying an effort by a group of bankers and banking associations who filed a class action suit against TJX to recoup losses suffered because of losses and costs related to reissuing credit and debit cards. (Read: New England Banks File Class Action Suit Against Retailer TJX)
The Massachusetts Bankers Association (MBA) calls the court's decision "only one step in a long, complicated case."
The MBA, which represents 205 banks in the state, is a co-plaintiff in an ongoing lawsuit against TJX filed in April. Others participating in the suit are the Connecticut Bankers Association and the Maine Association of Community Banks, as well as several individual banks. All of these entities were hoping to get the courts to certify them as members of a class.
"We are looking forward to the next hearing date on Dec. 11, when the court will consider important pending motions that we believe are related to class certification. Nothing in the decision discusses or addresses the conduct of TJX," said the statement issued by the MBA.
The banking plaintiffs in the class action suit have not set a dollar figure on the total damages sought in the suit. Industry analysts estimate the total costs to TJX from $500 million to as much as $1 billion.