Breach, Compliance Management, Threat Management, Data Security

TJX settles with banks over data breach

TJX and three bankers groups have settled a lawsuit over costs related to the discount retailer's record data breach that may have exposed as many as 94 million accounts, the parties announced Tuesday.


The Framingham, Mass.-based TJX, which owns Marshalls and T.J. Maxx, reached an agreement with the Massachusetts and Connecticut bankers associations and the Maine Association of Community Banks, in addition to three community banks in those states.


Terms of the settlement were not disclosed, but TJX said its financial burden will be covered as part of the $256 million it has already budgeted for the breach, revealed in January.


The plaintiffs had sued TJX to cover fees, such as fraud monitoring and replacement cards, which can cost up to $25 each.


But the lawsuit became more about getting the word out on the need to implement data security measures to safeguard against hacker heists, Bruce Spitzer, a spokesman for the Massachusetts Bankers Association, told today.


“The public is now aware that the banks are not the source of the data breach, TJX is now PCI compliant, and protecting consumer data has increased across retail firms,” he said. “Our number one motivation was to try and protect consumers in the short and the long term, and we think we've moved well in that direction.”


Spitzer cited rising numbers of companies achieving Payment Card Industry (PCI) compliance, and he said he believes the TJX breach and the resulting lawsuit contributed to that.


In October, Visa announced that 65 percent of level-one merchants and 43 percent of level-two merchants are compliant, up from 36 percent and 15 percent at the start of the year, respectively.


As part of the latest agreement, the three bankers associations recommend their member banks that issue Visa cards should accept TJX's $41 million settlement with Visa, a separate agreement announced on Nov. 30.


Mary Monahan, partner and analyst at Javelin Strategy & Research, said the Visa agreement and a number of other factors likely contributed to the latest settlement, which some analysts had predicted might set TJX back several hundred million dollars more.


The suit was dealt a blow when a judge transferred the case to a Massachusetts state court, thereby denying the plaintiffs the right to sue as a class under federal jurisdiction, Monahan said. In addition, TJX may be spared extreme penalties and court judgments because it was just one piece of a systemic security problem among merchants.


“In reality, when you look at what was going on at the time, most of the retailers were pretty similar to TJX,” Monahan said. “Their security was pretty typical for a retailer, and now there's no excuse anymore if this happens. But back when it did happen, there was less of a public knowledge about the security problems.”


AmeriFirst Bank, based in Alabama, was the only plaintiff not to agree to the settlement.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.