Information Security News: TJX, banks reach settlement in data breach

[InfoSec News <alerts () infosecnews org>]

http://www.boston.com/business/articles/2007/12/18/tjx_banks_reach_settlement_in_data_breach/

By Ross Kerber
Globe Staff
December 18, 2007

TJX Cos. and New England banks said today they have agreed to settle a 
high-profile lawsuit over payment card security practices in the wake of 
the record-setting data breach at the Framingham retailer that 
compromised as many as 100 million accounts.

TJX, the parent of discount retail chains including T.J. Maxx and 
Marshalls, will pay community banks and trade groups in Massachusetts, 
Connecticut, and Maine a portion of their legal expenses.

More specifics weren't disclosed, but the deal won't add to the $256 
million in total spending TJX previously had budgeted to deal with the 
breach, a spokeswoman said today. In addition to settling with the 
banks, the figure is meant to cover previous settlements with payment 
card company Visa International Inc. for up to $40.9 million in costs, 
and with a class of consumers.

TJX still faces claims from an Alabama bank and investigations by 
federal and state officials over the breach. But Mary Monahan, partner 
of Javelin Strategy & Research in California, said the deal amounts to a 
relative win for TJX and one that was no surprise after a decision by a 
federal district court judge made it harder for the banks to join 
together to sue TJX as a class.

"Once that happened, it became too expensive for the banks to continue 
on this route," she said.

Both sides said they were pleased with the outcome. Banks led by the 
Massachusetts Bankers Association had filed their suit in the spring as 
the extent of the data breach became clear, seeking to cover costs such 
as reissuing compromised cards.

TJX found illicit software on its systems at the end of last year, and 
Canadian privacy officials later tied the intrusion to a weakness in the 
company's wireless security systems dating back as far as 2005.

Although officials have won convictions against individuals in Florida 
and elsewhere for misusing the stolen card numbers to buy goods, to date 
no individual has been charged with the intrusion itself.

The bankers alleged that TJX was negligent in not maintaining stricter 
data security, and unearthed various documents that showed the company 
wasn't meeting industry security standards and had caused Visa to issue 
fines.

TJX had fought back, however, arguing its security was similar to other 
retailers and noting that only recently have a majority of large 
merchants met payment card security rules.

As part of today's deal, the bankers are recommending their members 
accept the repayments Visa is offering under the terms of its deal with 
TJX.

In statements today both sides said they hope the deal with improve 
overall security. "The TJX experience underscores broader challenges 
facing the US payment card system that require urgent action," said 
Carol Meyrowitz, TJX chief executive, in a statement. Daniel Forte, 
president of the Massachusetts Bankers Association, said the case was 
worth pursuing to show weaknesses in the payment system.

"This data breach and the ensuing litigation have clearly initiated an 
important nationwide dialogue on the importance of improving the 
security of the US payment card system," he said.

Copyright 2007 Globe Newspaper Company.


__________________________________________________________________      
Visit InfoSec News
http://www.infosecnews.org/