TJX Cos. Inc.'s agreement in September to settle several consumer class-action lawsuits filed in the United States, Canada and Puerto Rico came less than a week before a Canadian government privacy commission described how TJX allowed some 45 million credit and debit card accounts to be compromised.
On Sept. 21, Framingham, Mass.-based TJX announced it had agreed to settle the consumer class-action cases consolidated in the U.S. District Court in Boston.
The agreement is subject to court approval and to an evaluation of security enhancements at TJX's stores to be conducted by an independent security expert hired by the plaintiffs, TJX said in a statement.
TJX did not disclose in its statement specifically how much the settlement will cost but said it includes charges to its 2008 and 2009 fiscal years that total $139 million. Transactions dating back to 2003 reportedly were compromised in the breach of some of TJX's 2,300 stores in the U.S., Puerto Rico and Canada.
Under the tentative agreement, amended in October, TJX will give affected customers the choice of receiving $15 checks or $30 store vouchers.
TJX included the offers after U.S. District Judge William Young agreed with consumer advocates that consumers should have the choice of legal tender or store vouchers.
TJX also will cover costs of credit-report monitoring and identity-theft insurance for some customers and will reimburse customers for the cost to replace driver's licenses and other identification compromised by the breach.
Young had not made a final decision at Cards&Payments press time on whether to accept the amended offer but said he was inclined to do so.
"This settlement agreement addresses the different ways customers have told us they have been impacted by the intrusion(s)," Carol Meyrowitz, TJX president and CEO, said in the statement. "We believe that the terms of this settlement are beneficial to our customers."
Meanwhile, Canadian government privacy commissioners released their own report that detailed how inadequate safeguards at TJX stores led to the breach.
Jennifer Stoddart, Canada's privacy commissioner, concluded in the 20-page report that hackers accessed TJX's data through poorly protected wireless networks at two TJX-owned stores in Miami, Fla. The intruders also used deletion technology that so far has made it impossible to identify which content was affected, the report says.
TJX did not properly manage intrusion risk, failed to act quickly in converting a weak encryption standard to a stronger one, did not monitor computer systems adequately and did not adhere to the Payment Card Industry Data Security Standard, says Wayne Wood, spokesperson for the Office of the Information and Privacy Commissioner of Alberta.
And TJX should not have collected driver's license and other identification numbers for returns without receipts, according to investigators.
Wood says the company cooperated with Canadian investigators.
(c) 2007 Cards&Payments and SourceMedia, Inc. All Rights Reserved.
Authoritative analysis and perspective for every segment of the payments industry
Authoritative analysis and perspective for every segment of the industry
Have an account? Sign In