On Feb. 5, the Rhode Island attorney generals office confirmed that it is launching a formal investigation of TJXs data breach, including what caused it, why it wasnt detected more quickly and why the announcement of it was delayed.
The investigation—technically, a Civil Investigative Demand on the authority of both Rhode Islands Deceptive Trade Practices Act and its Identity Theft Protection Act of 2005—will likely begin in earnest with its first meeting with TJX officials on Feb. 12 at the attorney generals office in Providence, said Edmund Murray Jr., a special assistant attorney general who is in charge of the probe.
Both Murray and the departments public information officer, Michael Healey, said the next stages will be dictated by the facts uncovered during the probe. Typically, though, state AG offices seek compensation for state residents who are trying to defend themselves against identity theft, including credit report costs and possibly money to pay for help processing such claims.
But if conduct established in the probe is severe enough, more substantial options—including a civil lawsuit and possibly criminal charges—could be considered. One key concern, Murray said, is the monthlong delay between the breachs discovery and when it was announced. Rhode Island law requires that impacted consumers be notified “immediately.” Unfortunately, Murray said, the statute does not define “immediately.”
Although no announcements have been made, the national nature of TJXs chain makes it likely that other states may want to conduct their own probes.
The Rhode Island announcement was just the latest in a string of bad news for TJX since it announced in mid-January that it had exposed its customers credit card, debit card and other personal information to unspecified intruders. TJX has been criticized for revealing virtually no specifics about what happened, when it happened and how it had gone undetected from May 2006 through mid-December 2006.
There have been at least two class-action lawsuits filed plus more lawsuit threats from banks, as well as a congressional request for a probe by the Federal Trade Commission.
That kind of uncertainty played a large role in prompting financial analyst firm CL King & Associates to downgrade TJX to “neutral” from “strong buy.”
“Based on our diminished EPS outlook for FY07, we believe an investment in TJX is likely to be dead money at this point,” said the firms research advisory.
Much of the firms concerns are about whatever the next shoes are going to drop, especially involving the cost of dealing with the unknown. “Regarding FY07 expenses related to the data breach, the company stated it is not yet able to reasonably estimate the losses it may incur. Management stated it is unlikely to be able to reasonably estimate such losses at the time earnings are released in FY07,” the advisory said. “The ongoing expense issue includes legal costs, exposure to credit and debit card companies and banks, related fees and expenses, and other possible liabilities.”
Another piece of bad news came Feb. 5 from a report in the Chosun Ilbo, a major Korean newspaper. It reported that the “private data of around 10,000 Koreans who use credit cards associated with Visa, MasterCard and American Express was stolen” in the TJX incident. It also pegged the size of the full data breach as “40 million card users” and attributed it to “the credit card industry.” Thus far, TJX has not specified the number of victims.
Retail Center Editor Evan Schuman can be reached at Evan_Schuman@ziffdavis.com.