By Ross Kerber
December 18, 2007
TJX Cos. and New England banks said today they have agreed to settle a
high-profile lawsuit over payment card security practices in the wake of
the record-setting data breach at the Framingham retailer that
compromised as many as 100 million accounts.
TJX, the parent of discount retail chains including T.J. Maxx and
Marshalls, will pay community banks and trade groups in Massachusetts,
Connecticut, and Maine a portion of their legal expenses.
More specifics weren't disclosed, but the deal won't add to the $256
million in total spending TJX previously had budgeted to deal with the
breach, a spokeswoman said today. In addition to settling with the
banks, the figure is meant to cover previous settlements with payment
card company Visa International Inc. for up to $40.9 million in costs,
and with a class of consumers.
TJX still faces claims from an Alabama bank and investigations by
federal and state officials over the breach. But Mary Monahan, partner
of Javelin Strategy & Research in California, said the deal amounts to a
relative win for TJX and one that was no surprise after a decision by a
federal district court judge made it harder for the banks to join
together to sue TJX as a class.
"Once that happened, it became too expensive for the banks to continue
on this route," she said.
Both sides said they were pleased with the outcome. Banks led by the
Massachusetts Bankers Association had filed their suit in the spring as
the extent of the data breach became clear, seeking to cover costs such
as reissuing compromised cards.
TJX found illicit software on its systems at the end of last year, and
Canadian privacy officials later tied the intrusion to a weakness in the
company's wireless security systems dating back as far as 2005.
Although officials have won convictions against individuals in Florida
and elsewhere for misusing the stolen card numbers to buy goods, to date
no individual has been charged with the intrusion itself.
The bankers alleged that TJX was negligent in not maintaining stricter
data security, and unearthed various documents that showed the company
wasn't meeting industry security standards and had caused Visa to issue
TJX had fought back, however, arguing its security was similar to other
retailers and noting that only recently have a majority of large
merchants met payment card security rules.
As part of today's deal, the bankers are recommending their members
accept the repayments Visa is offering under the terms of its deal with
In statements today both sides said they hope the deal with improve
overall security. "The TJX experience underscores broader challenges
facing the US payment card system that require urgent action," said
Carol Meyrowitz, TJX chief executive, in a statement. Daniel Forte,
president of the Massachusetts Bankers Association, said the case was
worth pursuing to show weaknesses in the payment system.
"This data breach and the ensuing litigation have clearly initiated an
important nationwide dialogue on the importance of improving the
security of the US payment card system," he said.
Copyright 2007 Globe Newspaper Company.
Visit InfoSec News