The price tag on the largest database breach on record moved higher Friday with TJX agreeing to pay nearly US$41 million to settle with credit card companies and banks that were forced to issue new cards to customers of the retailer to prevent or recover fraudulent charges.
TJX will pay $40.9 million through Visa and Visa USA to cover the costs associated with issuing new cards and other means of ensuring that Visa cardholders whose accounts may have been compromised in the breach did not become victims of fraud and identity theft.
The money will actually go to banks and other institutions that issue Visa cards, and the settlement takes effect only if 80 percent of those banks accept the offer by Dec. 19. As part of the agreement, TJX is also settling with its credit card processor, Fifth Third Bank, according to reports.
A Fair Resolution?
TJX — which operates 2,500 stores nationwide with the Bob’s, Marshall’s, HomeGoods, AJ Wright and TJ Maxx brands — has said that more than 45 million customer accounts were exposed during an ongoing breach discovered late in 2006. Recent court filings by banks and others suing TJX have claimed as many as 100 million credit card numbers may have actually been exposed.
The settlement “provides a fair resolution,” said TJX CEO Carol Meyrowitz.
“We have learned a great deal about the risks of cyber-attacks, and have responded aggressively to take our own security to even higher levels,” she said. “We also have learned about the heightened security risks that exist across the entire U.S. retail and banking industries as a result of today’s high-tech criminals. We believe that cooperative action is required by all banks, payment card companies and merchants to better protect customer payment card data, and we look forward to working together with Visa to further this goal.”
More to Come?
The costs of the settlement were factored into the $118 million in charges TJX recorded against second-quarter earnings, the company said. It has also set aside an additional $21 million to cover breach-related costs it expects to incur during fiscal year 2009.
TJX is still awaiting final court approval of a direct settlement with consumers who joined a class action suit. An initial proposal to hold a one-day sale across its stores has come under heavy fire, with Massachusetts Attorney General Martha Coakley and more than two dozen other attorneys general urging the judges overseeing that case to reject the offer. The sale would not be a punishment to TJX, the attorneys general said, but would likely in fact drive sales and become a benefit in the end.
The Visa agreement, in addition to paying banks for the costs tied to issuing new credit card accounts, calls for a fine Visa issued against TJX to be rescinded. Visa also agreed to restore lower interchange fees charged on each transaction processed at a TJX store.
Despite the negative publicity TJX has suffered, the company’s stock price was not significantly impacted, and the company has not apparently lost any customer loyalty as a result, Rohyt Belani, a managing partner with security consulting firm Intrepidus Group, told the E-Commerce Times.
While some lawmakers have pushed a national database breach law that would include direct fines to companies that allow personal data to be leaked, some have argued that such penalties are unnecessary because companies that suffer breaches will pay in other ways, such as lost market value or customer defections. The fact that TJX has not may suggest fines are needed to “ensure that organizations that are not diligent about security actually take a hit,” Belani added.
Retailers may also need to “look beyond the Visa-mandated PCI (Payment Card Industry) standard for security,” he said. “This shows that it is not all-encompassing.”
Another key lesson from the TJX case may be that businesses have to do more than invest in security solutions, said Cliff Pollan, the chief executive officer of data auditing solutions firm Lumigent.
“Companies need to demonstrate that proper policies and procedures are in place, are being adhered to and that they are in fact making their data more secure,” Pollan told the E-Commerce Times. “Companies need to look inside and understand what is happening at the most basic level, their databases, and then put policies and controls in place to automate those procedures. They have to know who did what to what data and when.”
“The technology exists,” he added. “Companies just have to accept that their database is too valuable to take chances.”
Some say TJX is being let off the hook too easily, however.
‘The Coffee Fund’
“The top takeaway is that big business will continue to get away with a ‘slap on the wrist’ when failing to secure data,” Chris Farrow, director of security and compliance firm Configuresoft’s Center for Policy & Compliance, told the E-Commerce Times. “TJX is a $13 billion company by market share and $4 billion per quarter in revenue. Forty-one million dollars is the coffee fund.”
Citing reports that internal e-mails showed TJX knew it had security weaknesses in its wireless network, Farrow said the net result will be more ammunition for those calling for regulators to step in.
“Incidents like TJX are just fueling the engine for the federal government to step in,” he added.