TJX Cos. Inc. is offering to pay Visa card issuers $40.9 million to compensate for costs connected to the massive data security breach the retailer first disclosed in January. The move, designed to save the company many millions of dollars in lawsuit damages, comes on the heels of a decision in U.S. District Court in Boston to reject the class-action status banking associations sought in their lawsuits against the company.
In a statement released Friday, Framingham, Mass.-based TJX said it will pay up to $40.9 million to fund the "alternative recovery" program, which requires a certain level of participation by issuers for the offer to be finalized. Visa Inc. is supporting the proposal.
"We believe issuers will benefit greatly by participating in this program because it offers immediate recovery on their data breach claims," Ellen Richey, head of global risk management for Visa Inc., said in a statement. "This agreement demonstrates the importance of retailers and the payment card industry working together to protect cardholder data. Additionally, it's clear the impact of a data compromise harms all payment system stakeholders -- merchants, banks and consumers alike. We hope one outcome of this resolution is recognition that a greater investment in security is good business."
All U.S. Visa card issuers who were forced to issue new cards and address fraudulent activity are eligible for financial compensation this calendar year if they participate in the program. Banks have until Dec. 19 to decide whether to accept the offer.
The offer was made within hours of the Boston court's decision not to grant class-action status for lawsuits a number of banking associations have brought against TJX. In his ruling, Judge William G. Young expressed "serious doubts" about whether the TJX litigation fit the proper parameters of class-action status. Furthermore, he wrote, "This Court is uncertain that the class definition set forth in the amended complaints is proper because … in many instances it will not be obvious that an issuing bank's injuries occurred 'as a result of the data breaches' as opposed to an unrelated fraud."
Nevertheless, the judge encouraged the plaintiffs to take their claims to Massachusetts Superior Court's business law division, and said his decision on class-action status could change after a scheduled Dec. 11 hearing on a separate motion as to why the banks are entitled to recover funds.
The Massachusetts Bankers Association said in a statement on its Web site that it's studying the decision and that "this is only one step in a long, complicated case and we are looking forward to the next hearing date on Dec. 11 when the court will consider important pending motions that we believe are related to class certification. Nothing in the decision discusses or addresses the conduct of TJX."
The banks that are suing TJX claim that more than 94 million accounts were compromised in the breach TJX first disclosed in January. That number includes 65 million Visa account numbers and 29 million MasterCard numbers.
In a report Canadian privacy officials released in September, TJX was criticized for collecting far too much consumer data for far too long while failing to upgrade its Wi-Fi security to the stronger WPA encryption protocol.
At the time of the breach, TJX was using the Wired Equivalent Privacy (WEP) encryption protocol, an older security standard. Wi-Fi Protected Access (WPA) replaces the original WEP security standard. It is compatible with the latest standard, IEEE 802.11i, referred to as WPA2.
TJX has maintained that at least 45.7 million credit and debit cards were stolen over an 18-month period by hackers who managed to penetrate its network. The attackers began their assault on TJX by exploiting Wi-Fi weaknesses outside a couple of TJX stores.