When TJX announced Sept. 21 that it had worked out a settlement for all of the consumer lawsuits that had been filed against it, it provided an anticlimactic ending to much of this data breach saga.
But in many ways, this resolution—with a settlement offer that will cause TJX very little material pain—was inevitable. Despite the background of the most massive data breach in retail history, where credit card data of some 46 million consumers fell into unauthorized hands, TJX had virtually nothing to fear from the U.S. judicial system.
The area of data breaches with the goal of identity theft is a relatively unexplored one for both federal legislation and U.S. courts, with little legal precedent to help. With no help there, attorneys representing the consumers whose data was stolen had very little to work with.
Before lawyers could start to build a case based on TJXs security procedures and make the argument that the $17 billion retailer was somehow criminally negligent, they had to overcome a much more daunting obstacle: damages.
This is the same issue that has protected retailers in recent cases involving FACTA (Fair and Accurate Credit Transactions Act), where merchants were found to have printed prohibited data—including credit card expiration date and the full card number—on customer receipts. In both the TJX and FACTA cases, even if lawyers believed they could prove blatant law violations (such as with FACTA) or negligent security protections (TJX), they would first have to establish actual damages.
Theres the rub. In the TJX case, no consumers were significantly hurt. At worst, they lost a few hours on hold or waiting on line, mostly because of the credit card companies zero-liability deals. Until consumers were actually financially hurt by specific identity theft or loss of money, few damages could be proven. The concept of seeking payment to compensate consumers for possible future financial injuries is not legally recognized.
Without damages, civil courts had little they could do to help. The premise of most civil court proceedings is to make victims "whole," meaning that they are returned to where they would have been had the bad act never happened. When being made truly whole is not possible, the courts are supposed to try and get as close as possible.
Criminal courts are established to punish people and companies that break the law or endanger citizens through reckless conduct, but thats not the purpose of most civil courts. That is true unless there are either federal laws or lots of relevant court decisions to the contrary.
TJXs settlement proposal happened just before major discovery had begun and that hints strongly at the only thing the consumers lawyers had in their favor: publicity and a public stoplight on security particulars.
Even civil defendants who have done nothing wrong often agree to settlements to avoid the spotlight of a trial and the potential embarrassment of the internal documents they would be forced to surrender to the opposing side. They know quite well that, despite the most precisely worded confidentiality agreements, turning over deep secrets to people who are suing you is quite dangerous, given the temptation for them to leak such details.
Despite a lot of rumors and bits and pieces of information, how properly TJX defended itself and its data will likely never be fully explored. That suits TJX just fine.
TJX officials have made vague comments that they are now activating security procedures that would be "appropriate to prevent future intrusions," which suggests that the prior program was not appropriate for such a goal. But the specifics that were to have come from a trial and full document discovery have been halted because of the settlement.
This suggests that TJX had something to hide. Legally? Nothing, really. Even if they exhibited the worst security in the world, plaintiffs couldnt get anything with no consumers having been seriously hurt. The only thing that TJX wanted to avoid was having to answer a lot of questions about security. Hence, a settlement that gives consumers some credit monitoring and $30 giftcards is better than nothing, and it sure beats a public hearing.
Even had attorneys succeeded in trying to make this trial about bad security procedures at TJX, they would have likely found themselves having to prove not that TJX was merely reckless, but that its procedures were materially more reckless than other similarly sized retailers.
Regrettably, that would have likely not helped the consumers lawyers.
Thats sad because of this reason: Many large retailers have not made security investments a priority. In other words, if every plumber in your region is consistently late for appointments, you cant use punctuality as a means of hiring a plumber, regardless of how important you believe punctuality is. If many major retailers treat security cavalierly, its hard to prove that any one of them is acting outside the norms of that industry.
Attorneys for some of the consumer groups had wanted TJX to make cash payments to consumers, but TJX had insisted on instead giving consumers $30 TJX vouchers, only redeemable at TJX and only good for one year.
Said one lawyer involved in the negotiations: "We hate coupon settlements." TJX compromised by allowing the coupons to be both transferable and stackable. Stackable means that many coupons can be used at once, as opposed to the typical retail requirement that "this coupon cannot be combined with any other coupon or offer."
Transferable means that consumers awarded the coupons can give them—or sell them—to anyone else. Why? One attorney for consumers in the case spoke of consumers whose data was taken in the TJX breach saying, "I never want to set foot in another TJX store."
Particular care in the settlement was given to consumers whose drivers license information was stolen, compensating some of them for time lost getting a new drivers license issued.
The problem with drivers licenses is that they typically contain very valuable identity theft information, such as a full name, a home address, a photo and a physical description (eye color, hair color, age, weight, height, etc.) and sometimes a Social Security number. Regrettably, unlike having a new credit card issued, theres little that can be done to safeguard that data once its been taken, other than changing your name, moving, adjusting your physical features and going through the very complicated process to get a new Social Security number (and changing it in all of the various places it now resides).
TJX may have inadvertently added to consumer frustrations by having suggested on their Web site that "customers whose drivers license number may have been compromised should consider contacting their local departments of motor vehicles (DMVs) to see whether the DMV has a process to place a fraud alert on their license number (which only some DMVs do) and, if so, whether the DMV recommends that they do so."
Beyond the reality that such a move is likely too late to do much good, it could also cause problems for the consumer. If they are ever pulled over for a broken taillight or driving without a seatbelt, such an alert would likely force law enforcement to treat the driver as a potential thief. Such law enforcement efforts often play a key role in consumers having really bad days.
("Dear IRS: I think someone may have stolen my SS number, so please give my tax returns extra special attention. Dont be stingy with those audits, ya hear?")
Although some states are toying with data security requirements—Minnesota is the only one to have actually done something about protecting consumer data at retail—federal legislation is the only effective way of dealing with retailers who have stores in many states.
Im hesitant to encourage more requirements to handcuff retailers, but the fear of what TJXs settlement may do to the security investment retailers will make next year is far more frightening.
Retail Center Editor Evan Schuman has tracked high-tech issues since 1987, has been opinionated long before that and doesnt plan to stop any time soon. He can be reached at Evan.Schuman@ziffdavisenterprise.com.
To read earlier retail technology opinion columns from Evan Schuman, please click here.