Several banking associations reached an agreement with TJX Cos. Inc. Tuesday to settle lawsuits connected to the retail giant's massive data breach.
The Massachusetts Bankers Association, Connecticut Bankers Association and Maine Association of Community Banks, along with Eagle Bank, Saugusbank, and Collinsville Savings Society, announced the settlement in a public statement, though the specific financial terms of the deal are being kept under wraps.
As part of the deal, TJX will reimburse the banks for a negotiated portion of the costs and expenses, other than attorney's fees, that they incurred in the aftermath of the breach. The bankers associations are also recommending that their member banks accept an alternative recovery offer put forward by Visa. The associations said many of the objectives in their lawsuits have been met, paving the way for a settlement.
The agreement comes less than three weeks after TJX offered to pay Visa card issuers $40.9 million to cover their financial losses.
Burton Group analyst Diana Kelley said TJX appears to be coming out of the breach relatively unscathed, despite the media firestorm that has continued unabated through the past year.
"They've bounced back pretty quickly," she said in an interview Wednesday morning. "The customers have come back and the question had been whether the lawsuits would impact the company or devastatingly impact the company. By the look of things, the impact on TJX will not be devastating."
At the same time, she said, the banks appear to be getting what they need out of the deal to protect their own reputations. While the two sides aren't releasing the final details of the deal, Kelley believes TJX is paying out more than the $40-plus million first offered. "I heard something about the number being revised upward to perhaps $107 million," she said.
Daniel J. Forte, president of the Massachusetts Bankers Association, acknowledged that Visa's and TJX's recent announcement of an alternative recovery offer was also significant. Through that offer, he said, TJX has agreed to fund up to $40.9 million in payments to Visa-issuing banks that took a financial hit as a result of the data breach. The alternative recovery solution will, in many cases, allow issuing banks to recover more than would otherwise be possible through existing recovery mechanisms, he said.
"For our member banks, the protection of customer data has always been of paramount importance," Forte said in the statement. "We are pleased to see the steps undertaken by TJX to improve the protection of cardholder data. Those steps have resulted in TJX having recently been certified as fully PCI DSS compliant by an independent PCI-approved assessor."
The banks have claimed that more than 94 million accounts were compromised in the breach TJX first disclosed in January. That number includes 65 million Visa account numbers and 29 million MasterCard numbers.
In a report Canadian privacy officials released in September, TJX was criticized for collecting far too much consumer data for far too long while failing to upgrade its Wi-Fi security to the stronger WPA encryption protocol.
At the time of the breach, TJX was using the Wired Equivalent Privacy (WEP) encryption protocol, an older security standard. Wi-Fi Protected Access (WPA) replaces the original WEP security standard. It is compatible with the latest standard, IEEE 802.11i, referred to as WPA2.
TJX has maintained that at least 45.7 million credit and debit cards were stolen over an 18-month period by hackers who managed to penetrate its network. The attackers began their assault on TJX by exploiting Wi-Fi weaknesses outside a couple of TJX stores.
Burton Group's Kelley hopes the final lesson will be that no retailer is immune to the kind of breach TJX suffered, and that it will lead to merchants storing a lot less credit card data.