TJX, which operates more than 2,500 outlets nationwide, agreed to pay $9.75 million to settle investigations by 41 state attorneys general, who were looking into the monster breach, announced in January 2007, that exposed as many as 94 million credit and debit card numbers.
Under the agreement, TJX will pay $5.5 million in settlement fees, plus $1.75 million to cover the cost of the states' investigations. In addition, the company will provide $2.5 million to establish a new Data Security Fund that states will use for a number of data security initiatives, including researching the benefits of technology, developing best practices or model laws, and establishing consumer outreach programs.
Framingham, Mass.-based TJX, which owns Marshalls and T.J. Maxx stores, also must meet new data security requirements, as specified by the states, and encourage the deployment of new technologies that address flaws in the nation's payment card system. The cost of the settlement is already covered by a reserve account the company created in 2007.
"This settlement ensures that companies cannot write off risk of a data breach as a cost of doing business," Massachusetts Attorney General Martha Coakley, whose office took the lead on the investigation, said in a statement on Tuesday. "In addition to the monetary relief, this agreement requires TJX to implement and maintain a substantial data security program to ensure that this kind of data breach does not happen again."
TJX said in a statement that it settled with the attorneys general so as to put the breach behind it.
"TJX firmly believes that it did not violate any consumer protection or data security laws," the statement said. "The decision to enter into this settlement reflects TJX's desire to concentrate on its core business without distraction and to promote cybersecurity measures that will benefit all consumers."
But Mary Monahan, research director at Javelin Strategy, told SCMagazineUS.com Tuesday that while TJX did not break any laws, it did fall out of compliance with the Payment Card Industry Data Security Standard (PCI DSS) guidelines. According to court documents filed in the case by a group of bankers associations, TJX did not comply with nine of the 12 provisions in the standard. This enabled hackers to drop a "sniffer" program on the network to capture card numbers.
Monahan said that, by settling, TJX is also attempting to preserve its reputation.
"I think they want to get [the breach] behind them," she said. "It's been going on for several years now. It makes sense that they would settle. The longer it keeps going on in the news, they'll never outlive it."
This marks at least the sixth settlement that TJX has announced. Last year, the merchant settled with the Federal Trade Commission over charges it lacked proper security controls. In 2007, TJX settled lawsuits brought by consumers and bankers groups. TJX also has settled with Visa and MasterCard.
In August 2008, federal authorities charged 11 people in connection with the breach, which was engineered by exploiting vulnerable wireless networks. In January, one of the defendants, Maksym Yastremskiy, 25, of Ukraine, was sentenced to 30 years in prison for heading up the sale of stolen TJX data.