Retail giant TJX Companies offered on Friday to pay up to $40.9 million to credit-card issuers that agree not to pursue litigation against the company for a massive data breach that allowed information on more than 100 million credit- and debit-card accounts to be stolen.
The settlement offer will pay banks and other issuers of Visa cards a portion of their costs if they encountered fraud on their cards or had accounts flagged for fraud following the TJX breach. To become binding, the settlement requires 80 percent of eligible Visa issuers to sign up before December 10. In addition, Visa will waive certain fines levied against TJX following the breach, and the retailer will act as a representative of the Payment Card Industry's Data Security Standard, which it was in violation of at the time of the breach.
"We believe issuers will benefit greatly by participating in this program because it offers immediate recovery on their data breach claims," Ellen Richey, head of global risk management for Visa, said in a statement. "This agreement demonstrates the importance of retailers and the payment card industry working together to protect cardholder data. Additionally, it's clear the impact of a data compromise harms all payment system stakeholders -- merchants, banks and consumers alike. We hope one outcome of this resolution is recognition that a greater investment in security is good business."
The settlement offer came a day after TJX chalked up a small legal success. On Thursday, a federal judge in Boston denied a request by nearly 300 New England banks to pursue litigation against the firm as a class-action lawsuit. The ruling means that the banks will have to pursue individual cases against the retailer.
In January, TJX announced that a security breach of its transaction processing network had resulted in data thieves stealing information on 45.6 million credit- and debit-card accounts. Bankers' groups in Massachusetts, Connecticut and Maine sued the company for their members' costs in replacing the cards. Evidence presented in the lawsuit in August raised the estimate of the number of cards affected by the breach to more than 100 million.
Litigation following breaches at TJX and other retailers has convinced many merchants to minimize the amount of data collected in a transaction. However, Visa, whose cards accounted for about two-thirds of those stolen, has estimated that 3 out of 10 retailers have yet to comply with the industry's standard for data protection.
TJX's previous estimate of the cost of the breach totaled $156 million through fiscal 2009, and includes the latest settlement and a settlement with consumers that is pending court approval.
Posted by: Robert Lemos