After private credit card data from some 46 million consumers fell into the hands of cyber-thieves in the largest retail data breach ever, TJX has settled all of the consumer lawsuits resulting from the breach by paying $6.5 million in attorney fees and offering consumers some programs aimed at compensating those directly impacted.
The details from the full text of the Sept. 21, 44-page TJX settlement filing show the $17 billion retailer's attempts to address consumer injuries. But given the huge scale of this breach, the compensation to any one consumer is likely to be minimal.
TJX has agreed to compensate consumers for any time they lost “as a result of the intrusion,” but those calculations will assume a rate of $10 per hour.
The compensation also seems to be limited to $60 and will be in the form of $30 vouchers for making purchases at TJX only. Further, if a lot of consumers agree and “the total of such claims exceeds $7 million, the dollar amount of each voucher will be proportionately reduced.”
Customers will get one $30 voucher. If they can prove costs exceeding $60, they will get two $30 vouchers.
TJX has said that cyber-thieves accessed TJX's systems in July 2005, but that it didn't learn of the multiple incidents until Dec. 18, 2006. It announced the breach one month later, on Jan. 17.
TJX officials have yet to say how they believe the breach began, although sources involved in the probe have spoken of two possible beginnings: that intruders intercepted wireless communications and used them to access the corporate TJX LAN and that the cyber-thieves might have broken into some job-application kiosks and used that as entry into the network.
No one has been charged with breaking into the network, and law enforcement officials have not identified any prime suspect. However, several people have been arrested on charges of trying to sell the information taken from TJX.
TJX is also offering a plan for consumers who “returned merchandise to a TJX store without receipts and who were sent letters from TJX stating that TJX had specifically identified that their names, addresses and driver's license or military, state or tax identification numbers were believed to have been stolen in the intrusion.” For those consumers—and TJX estimated that there are about 455,000 of them—TJX will pay for three years of credit monitoring (the settlement specifies the Equifax Credit Watch Gold with 3-in-1 Credit Monitoring product) and $20,000 worth of identity theft insurance.
TJX is also pledging to give those “Unreceipted Return Customers” the documented actual replacement cost of driver's licenses replaced between Jan. 17 and June 30.
In addition, there is the possibility of additional compensation for those customers who lost more than $60 from identity theft, but it excludes credit- and debit-card charges. The company also said that if the total of those “exceeds $1 million, such claims will be prorated.”
In an interesting twist, TJX promised to hold a three-day sales event where all merchandise “will be reduced by 15 percent for three consecutive days in January, February or July, which will be in addition to all other discounts (other than employee discounts),” and it “is not expected to be held until 2008 at the earliest.”
“TJX represents that it has not had any storewide sale event in the TJX Stores systemwide in the past, to the best of senior management's recollection, and that this sale event is the direct result of this settlement,” said the settlement, included in a Form 8-K filing.
The settlement also gives both sides less than a month to get their own independent security experts to determine whether recent TJX security improvements are “a prudent and good faith attempt by TJX to minimize the likelihood of intrusions in the future.” TJX's expert must submit a report to the plaintiffs' expert by Oct. 17. But neither that expert nor the attorneys involved are allowed to discuss publicly how well—or poorly—protected they see consumer credit information being at TJX. All parties “shall be subject to such confidentiality restrictions as TJX may reasonably require to protect the security of its computer system.”
The proposed settlement still has to be approved by the courts, and those security experts must agree. How long will this likely take? A TJX statement said it could take many months.
“As is typical for class actions, the procedures required to obtain approval of the settlement will take some time,” the TJX statement said. “While we cannot predict how long these procedures will take, we do not think it is likely the settlement would become final prior to spring 2008.”
A series of lawsuits against TJX from banks and other financial institutions are still active and not covered by this agreement.
Retail Center Editor Evan Schuman can be reached at [email protected].