Banks agree to settle lawsuits against TJX

Several banking associations have agreed to settle lawsuits connected to the TJX data breach. Specific details of the deal are being kept under wraps.

Several banking associations reached an agreement with TJX Cos. Inc. Tuesday to settle lawsuits connected to the retail giant's massive data breach.

The question had been whether the lawsuits would ... impact the company. By the look of things, the impact on TJX will not be devastating.
Diana Kelley, vice president and service director, The Burton Group

The Massachusetts Bankers Association, Connecticut Bankers Association and Maine Association of Community Banks, along with Eagle Bank, Saugusbank, and Collinsville Savings Society announced the settlement in a public statement, though the specific financial terms of the deal are being kept under wraps.

As part of the deal, TJX will reimburse the banks for a negotiated portion of the costs and expenses, other than attorney's fees, that they incurred in the aftermath of the breach. The bankers associations are also recommending that their member banks accept an alternative recovery offer put forward by Visa. The associations said many of the objectives in their lawsuits have been met, paving the way for a settlement.

The agreement comes less than three weeks after TJX offered to pay Visa card issuers $40.9 million to cover their financial losses.

Burton Group analyst Diana Kelley said TJX appears to be coming out of the breach relatively unscathed, despite the media firestorm that has continued unabated through the past year.

"They've bounced back pretty quickly," she said in an interview Wednesday morning. "The customers have come back and the question had been whether the lawsuits would impact the company or devastatingly impact the company. By the look of things, the impact on TJX will not be devastating."

At the same time, she said, the banks appear to be getting what they need out of the deal to protect their own reputations. While the two sides aren't releasing the final details of the deal, Kelley believes TJX is paying out more than the $40-plus million first offered. "I heard something about the number being revised upward to perhaps $107 million," she said.

Daniel J. Forte, president of the Massachusetts Bankers Association, acknowledged that Visa's and TJX's recent announcement of an alternative recovery offer was also significant. Through that offer, he said, TJX has agreed to fund up to $40.9 million in payments to Visa-issuing banks that took a financial hit as a result of the data breach. The alternative recovery solution will, in many cases, allow issuing banks to recover more than would otherwise be possible through existing recovery mechanisms, he said.

"For our member banks, the protection of customer data has always been of paramount importance," Forte said in the statement. "We are pleased to see the steps undertaken by TJX to improve the protection of cardholder data. Those steps have resulted in TJX having recently been certified as fully PCI DSS compliant by an independent PCI-approved assessor."

The banks have claimed that more than 94 million accounts were compromised in the breach TJX first disclosed in January. That number includes 65 million Visa account numbers and 29 million MasterCard numbers.

In a report Canadian privacy officials released in September, TJX was criticized for collecting far too much consumer data for far too long while failing to upgrade its Wi-Fi security to the stronger WPA encryption protocol.

At the time of the breach, TJX was using the Wired Equivalent Privacy (WEP) encryption protocol, an older security standard. Wi-Fi Protected Access (WPA) replaces the original WEP security standard. It is compatible with the latest standard, IEEE 802.11i, referred to as WPA2.

TJX has maintained that at least 45.7 million credit and debit cards were stolen over an 18-month period by hackers who managed to penetrate its network. The attackers began their assault on TJX by exploiting Wi-Fi weaknesses outside a couple of TJX stores.

Burton Group's Kelley hopes the final lesson will be that no retailer is immune to the kind of breach TJX suffered, and that it will lead to merchants storing a lot less credit card data.
