TJX Offers Settlement in Wake of Massive Data Breach

The TJX Companies Inc. is offering three years of credit-monitoring services along with identity theft insurance coverage to all consumers whose driver’s license or other personal data may have been compromised by the massive data breach disclosed earlier this year by the retail company.

Consumers who had to replace their driver’s licenses because of the compromise will also be reimbursed for the actual replacement costs under a proposed consumer class-action settlement announced by the company on Friday.

In addition, individuals whose driver’s license or other ID numbers were the same as their Social Security numbers will be reimbursed for "certain losses from identity theft," the company said. Customers who had to change bank and credit card information because of the breach will receive vouchers redeemable in TJX stores in the U.S., Canada and Puerto Rico. As part of its settlement action, sometime next year TJX will hold a one-time, three-day customer appreciation event at which it will offer a 15 percent discount on all goods.

The settlement is not yet final and is subject to court approval. It is also contingent on an independent evaluation of the information security enhancements implemented by the company in the wake of the breach. TJX did not say how much the proposed settlement would cost. But it noted that the estimated costs were part of its previously announced fiscal 2008 second-quarter charge of US$118 million and fiscal 2009 noncash costs of $21 million.

The proposed settlement, which covers all class actions in the U.S., Canada and Puerto Rico, "addresses the different ways customers have told us they have been impacted by the intrusion(s)," TJX CEO Carol Meyrowitz said in a statement. "Importantly, we truly appreciate our customers’ continued patronage. TJX has been working diligently to reach a settlement that offers a good resolution for our customers."

The company’s statement is available as an "important customer alert" on the main TJX Web page.

TJX is the owner of a number of retail brands, including T.J. Maxx, Marshalls and Bob’s Stores. In January, the company announced that someone had illegally accessed one of its payment systems and made off with card data belonging to an unspecified number of customers in the U.S., Canada, Puerto Rico and potentially the U.K. and Ireland. Later, it revealed that the number of cards compromised in the break-in was 45 million, making it the biggest compromise of personal data ever reported.

The proposed settlement is likely to satisfy consumers, who for the most part appear to have been less concerned about the breach than the media has been, said Khalid Kark, an analyst at Forrester Research Inc. in Cambridge, Mass.

"I think [TJX has] gotten off cheaply" so far, Kark said, noting that neither the company’s stock price nor its sales have been affected by the breach. "My overall sense is that people aren’t really [as] concerned with these breaches as the media is. It seems like the reaction of the public is, ‘It’s not such a big deal.’ So people may be OK with this settlement."

Kark had earlier this year estimated that costs to TJX from the breach over the next few years could amount to $1 billion. However, so far TJX’s own disclosures have pegged breach-related costs at a much lower $150 million.

By Jaikumar Vijayan, Computerworld (US online)

Copyright © 2007 IDG Communications, Inc.
