TJX Cos. Inc. has agreed to pay Visa issuing banks up to $40.9 million to settle a dispute over one of the most serious credit card data security breaches ever.
The retailer disclosed the settlement, brokered by Visa Inc. on behalf of the issuing banks, in a filing Friday with the Securities and Exchange Commission.
TJX, and its acquirer Fifth Third Bancorp of Cincinnati, were both named as defendants in a lawsuit related to the breach.
Under the agreement, Visa would suspend any fines it had imposed on Fifth Third for failure to ensure that TJX was adequately protecting card data.
TJX, of Framingham, Mass., disclosed in January that its systems had been compromised. It initially estimated that 45.6 million accounts were are risk, and in court filings in October it raised that figure substantially, to about 65 million Visa accounts and 29 million MasterCard Inc. accounts. The issuers sued TJX seeking compensation for expenses such as issuing new cards.
Issuers with at least 80% of the affected Visa accounts must approve the deal by Dec. 19, and the San Francisco card association recommended Friday that they do so.
Ellen Richey, Visa's head of global risk management, said in a press release that banks would "benefit greatly" from accepting the settlement because it provides them an "immediate recovery on their data breach claims." Visa executives were not available for interviews, because Visa is in a quiet period ahead of its initial public offering.
A Fifth Third spokeswoman wrote in an e-mail that the settlement "provides for a fair recovery for eligible U.S. Visa issuers."
The settlement was announced a day after a judge in the U.S. District Court for the District of Massachusetts rejected a request to grant class-action status for the suit.
Avivah Litan, a vice president and research director at Gartner Inc., said the settlement brokered by Visa is a good one for the banks because they are "likely to incur more expenses in legal costs" if they continue with lawsuits. She said banks stand to recover all they spent and some more.
She said in an interview on Friday that banks had already been reimbursed for direct fraud costs and the settlement would likely pay for the customer services and reopening of accounts.
In a note issued in August, Ms. Litan estimated that banks have incurred $23.5 million to reissue accounts. Hackers stole data on about 2.4% of TJX's customers, and just under half of those whose data was stolen believe their credit or debit accounts have been misused, she wrote.
By mid-August, she said, TJX had spent $125 million on security upgrades. It took a $118 million after-tax charge in the second quarter to cover breach-related costs.
"TJX figures the faster they put this behind them, the more money they can keep," Ms. Litan said.
TJX did not return calls Friday. Carol Meyrowitz, its president and chief executive, said in a press release that "we have learned a great deal about the risks of cyber attacks and have responded aggressively to take our own security to even higher levels."
Ms. Litan said TJX has tightened its security but has to do more.
MasterCard is not party to the settlement, and would not comment.
