By Ross Kerber
September 22, 2007
TJX Cos. said that it reached a tentative settlement with customers who
were victims of the largest security breach of personal data ever
reported and that it would provide store vouchers to some people whose
data were compromised and a three-day sale for all customers.
The deal in the class-action lawsuit, disclosed by TJX of Framingham
late yesterday, still requires court approval and would not resolve
claims TJX faces from banks that had to reissue many credit and debit
cards compromised in the breach. TJX is the parent of popular stores
such as TJ Maxx and Marshalls.
At least 45.7 million credit and debit card numbers were stolen from TJX
by hackers who accessed the company's computer systems. TJX has said
about 75 percent of the compromised cards were expired or had data in
the magnetic strip masked.
The settlement offers shoppers more generous terms than TJX had
previously provided and could resolve uncertainty facing the company
over the intrusion, in which hackers were able to penetrate its computer
systems for more than a year until the breach was detected in December.
"We deeply regret any inconvenience our customers may have experienced
as a result of the criminal attack on our computer system," TJX chief
executive Carol Meyrowitz said in a statement. "Importantly, we truly
appreciate our customers' continued patronage. TJX has been working
diligently to reach a settlement that offers a good resolution for our
Attorneys for the consumers did not return messages yesterday evening.
Archie C. Lamb Jr., the Birmingham, Ala., lawyer who is lead counsel for
the banks in the case, said he hadn't yet been able to review the
settlement to discuss it in detail.
Beth Givens, director of the Privacy Rights Clearinghouse, a San Diego
consumer group, said she frowns on discounts to settle breach lawsuits
since they tend to drive up business and so "aren't an effective
penalty." But she said TJX deserves credit for recognizing that breaches
can cost customers many hours to take steps such as canceling credit
Specifically, TJX said it would offer store vouchers worth around $30 to
certain customers who could show they lost time or money to deal with
the breach, valuing their time at $10 per hour. TJX also said it will
hold a three-day "customer appreciation" sale featuring 15 percent
discounts in its stores in the United States and Canada.
Also, TJX previously had offered one year of credit monitoring and
identity theft insurance to customers whose Social Security numbers were
believed stolen. The tentative deal would also offer three years of
credit monitoring and several years of identity theft insurance to about
455,000 customers who had returned merchandise to TJX without receipts,
making them more vulnerable to the breach. In addition, TJX now will
offer reimbursements to people who had to replace compromised driver's
TJX did not disclose the exact cost of the proposed settlement but said
it was within the parameters of its previous estimates, which put total
costs at $256 million.
TJX said the settlement would cover all customer class-action suits in
the United States, Puerto Rico, and Canada with respect to the
intrusions. A consolidated suit in US District Court in Boston had
accused TJX of negligence, breach of contract, and other violations in
connection with its security practices.
In its statement, TJX said it denies the claims and allegations, but it
"has concluded that further legal activity would be time consuming and
expensive, making it desirable that the actions be settled."
TJX spokeswoman Sherry Lang said the company doesn't expect a court
ruling on the settlement until the spring.