• TJX Settles Data Theft Dispute for $9.75 Million
  • August 3, 2009
  • Law Firm: Manatt, Phelps & Phillips, LLP - Los Angeles Office
  • TJX Companies announced last month that it has reached a multistate settlement over a massive security breach that compromised at least 45.7 million credit and debit cards.

    The parent company of retailers T.J. Maxx and Marshalls will pay $9.75 million to settle an investigation by 41 state attorneys general into the data theft. Of the total amount, $2.5 million will be used to create a data security fund for states and $1.75 million will go to cover expenses incurred by the states in their investigations. TJX must also certify that its computer system satisfies a comprehensive set of data security requirements and must facilitate the development of new technologies to remedy faults in the U.S. payment card system. In its statement announcing the settlement, TJX reiterated that it "firmly believes" it did not violate any consumer protection or data security laws.

    The settlement monies will be drawn from a $39.5 million reserve created by the company to cover potential costs stemming from the breach, including litigation awards or settlements, investigations, and legal fees.

    The data breach reportedly began in July 2005 but was not detected until December 2006. The company disclosed it in January 2007. Last year 11 people were indicted on charges they hacked into the computer systems of TJX and other major retailers to steal the card numbers. To date, four have pleaded guilty to charges of hacking or related charges, according to TJX.

    Why it matters: The TJX incident is the largest security breach ever reported. With virtually all consumer credit and debit card data on one or several computerized databases, the threat of data breaches resulting in fraud is a real concern. Such incidents can cost companies, banks, and consumers millions of dollars. Unfortunately, battling hackers and other thieves is an ongoing battle, as they continue to develop new and sophisticated methods for stealing consumer data.