TJX Settlement Leaves the Bigger Card-Security Issues Unsettled

Off-price retailer TJX Cos. Inc. late Friday announced it had settled the consumer class-action lawsuits it faced in the wake of a security breach that compromised nearly 46 million payment card records in its computers, but big-picture issues facing card networks, processors, and merchants about the best ways to enhance card security and who should be responsible for it are far from settled. The tentative settlement, which includes Fifth Third Bancorp, TJX's U.S. merchant acquirer, includes free credit-report monitoring and identity-theft insurance for some customers, $30 vouchers for others, and a three-day “customer-appreciation” event featuring 15% price cuts at an unspecified future date. Those provisions drew fire from two analysts contacted by Digital Transactions News. “They're getting off pretty easy,” says Larry Ponemon, chairman of the Ponemon Institute LLC, an Elk Rapids, Mich.-based privacy and security think tank. “It seems ludicrous to me. The cost of someone's privacy can be reduced to a voucher for $30?” Avivah Litan, a vice president at Stamford, Conn.-based research firm Gartner Inc. who has followed the breach since it was announced in early January, calls credit-report monitoring a “knee-jerk reaction” other companies have taken in the wake of computer breaches. It does nothing to solve the source of the problem or prevent some types of potential fraud, she argues. “Basically the winner in this case is the credit bureaus,” says Litan, who has long advocated that the card networks' Payment Card Industry (PCI) standards place too much of the security burden and expense on merchants. Financial institutions should consider wider use of one-time PINs and other technologies to enhance security, she says. A spokesperson for Framingham, Mass.-based TJX, owner of the T.J. Maxx, Marshalls, and other chains, did not return a Digital Transactions News call and e-mail. But in Friday's news release, TJX president and chief executive Carol Meyrowitz said, “We deeply regret any inconvenience our customers may have experienced as a result of the criminal attack on our computer system. Importantly, we truly appreciate our customers' continued patronage. TJX has been working diligently to reach a settlement that offers a good resolution for our customers. This settlement agreement addresses the different ways customers have told us they have been impacted by the intrusion(s) … We believe that the terms of this settlement are beneficial to our customers.” TJX denied the lawsuits' claims, but said defending itself would be time-consuming and expensive. The company didn't disclose the settlement's cost, but said estimated expenses were reflected in a $107 million after-tax reserve for potential losses recorded in its fiscal 2008 second quarter and previously reported, estimated non-cash, after-tax charges of $21 million to be taken in fiscal 2009. In all, TJX had spent $215.9 million in the 26 weeks ended July 28 on the breach, according to its latest quarterly report, and its expected future charges mean total costs will exceed $236 million. Gartner's Litan estimates TJX has spent about $125 million before taxes on enhanced computer security. Curiously, even though a TJX filing with the Securities and Exchange Commission says Fifth Third also entered into the settlement agreement, the bank is not making a financial contribution to any settlement fund. “We will not be contributing anything,” a spokesperson for Cincinnati-based Fifth Third says, refusing to comment further. The settlement, which is subject to court approval and other conditions, affects class-action lawsuits in the U.S., Canada, and Puerto Rico that had been filed on behalf of consumers and consolidated in U.S. District Court in Boston. It doesn't cover lawsuits filed by others such as financial institutions that reissued cards. Major terms of the settlement, according to the release and TJX's SEC filing, include: –Some 455,000 customers who returned merchandise without a receipt and to whom TJX sent letters reporting that their drivers' license or other identification information may have been compromised, will be offered three years of free credit monitoring along with identity-theft insurance coverage (two years for those who previously accepted a similar TJX offer); –TJX will reimburse customers for the documented cost of certain drivers' license replacements and, if their license or other ID numbers were the same as their Social Security number, for certain losses from identity theft; –Customers who show they shopped at TJX stores in the U.S., Canada, and Puerto Rico (excluding the Bob's Stores chain) during relevant periods and incurred costs as a result of the breach will be eligible for $30 vouchers, though their value could be reduced if the total value of claims filed exceeds $7 million. Depending on what documentation they have, some customers will be eligible for a second $30 voucher. TJX is valuing customers' time dealing with breach-related matters at $10 per hour; –TJX will hold a one-time, three-day customer-appreciation event in which prices at all T.J. Maxx, Marshalls, HomeGoods, and A.J. Wright stores in the U.S. and Puerto Rico and all Winners and HomeSense stores in Canada will be reduced by 15%. The event will be advertised and open to all customers, but is not expected to occur until 2008 at the earliest. The settlement is contingent on completion of an evaluation by the plaintiffs' independent security expert of TJX's computer-security enhancements, and that expert's acceptance of the enhancements. Various governmental authorities also are investigating the breach. Although police have made a few arrests in the case, the actual perpetrators of the breach have yet to be found. In an August survey of TJX customers, Gartner estimated that 2.4% of TJX customers actually had account information stolen, resulting in estimated losses?include reissuance costs by their bank or credit unions?of $23.5 million.