TJX settles with banks over data breach
Published: 2007-12-19

Retail giant TJX Companies and the Massachusetts Bankers Association announced on Tuesday that the company had settled lawsuits with every bank association and bank, save one, that had sued the company following the theft of credit- and debit-card data from its computer systems.

Under the terms of the agreement, TJX has denied all wrongdoing and will pay the banks a negotiated part of their expenses from the case, excluding attorneys' fees. In addition, three individual banks and the nearly 300 banks represented by the Connecticut Bankers Association, Maine Association of Community Banks, and Massachusetts Bankers Association will dismiss all of their claims against TJX. The associations will recommend that their members apply for part of the $41 million settlement offered by TJX to Visa issuers as part of a settlement with the credit-card company.

"Through that offer, TJX has agreed to fund up to $40.9 million in payments to Visa issuing banks which may have suffered damages as a result of the data breach," Daniel J. Forte, president of the Massachusetts Bankers Association, said in a statement (PDF). "This alternative recovery solution will, in many cases, allow issuing banks to recover more than would otherwise be possible through existing recovery mechanisms."

The settlement ties up a number of legal loose ends for TJX, following its announcement nearly a year ago that a security breach of its transaction processing network had resulted in data thieves stealing information on 45.6 million credit- and debit-card accounts. Bankers' groups sued the company for their members' costs in replacing the cards, but the judge handed the banks a significant loss when he refused to allow them to pursue the case as a class. Evidence presented in the lawsuits in August raised the estimate of the number of cards affected by the breach to more than 100 million.

Litigation following breaches at TJX and other retailers has convinced many merchants to minimize the amount of data collected in a transaction. However, Visa, whose cards accounted for about two-thirds of those stolen, has estimated that 3 out of 10 retailers have yet to comply with the industry's standard for data protection.

In its statement on the settlement, TJX stressed that the payment industry must also shoulder responsibility for better security.

"The TJX experience underscores broader challenges facing the U.S. payment card system that require urgent action by merchants, banks, payment card companies and associations, and we look forward to greater cooperation in order to better serve and protect customers," Carol Meyrowitz, CEO of the retailer, said in a statement.

TJX's previous estimate of the cost of the breach totaled $156 million through fiscal 2009, and includes the latest settlement and a settlement with consumers that is pending court approval.

A lawsuit brought by AmeriFirst Bank, of Union Springs, Alabama, remains unresolved, as do state and federal investigations into the TJX breach.

If you have tips or insights on this topic, please contact SecurityFocus.

Posted by: Robert Lemos
Copyright 2009, SecurityFocus