TJX Cos. Inc. has agreed to pay 41 states a combined $9.75 million to resolve complaints by their attorneys general over the massive data breach the company announced more than two years ago (CardLine, 1/18/07). TJX is the parent of some 2,600 TJ Maxx, Home Goods, Marshalls and A.J. Wright stores operating in the United States, Puerto Rico, Canada and the United Kingdom.

The agreement TJX announced yesterday includes a $5.5 million settlement, $1.75 million to cover expenses from state investigations of the data compromise, and $2.5 million for a fund the states will use to promote effective data security and technology. TJX also agreed to certify that its computer systems meet state data-security requirements and to encourage the development of technologies that address payment card-system vulnerabilities in the United States. A reserve fund TJX set aside in 2007 for breach-related expenses will cover the cost of the settlement, according to TJX.

The cooperative investigation and settlement with TJX was a smart move by the state attorneys general, according to Javelin Strategy & Research Inc. managing partner Mary Monahan. "When something this massive happens, [attorneys general] are supposed to protect the public," she tells CardLine, adding that state officials and lawmakers are not well-positioned to legislate the finer points of payment-data security. "They can't keep up with the criminals," Monahan says. "There's no way."

Avivah Litan, vice president and research director at Gartner Inc., a market-research firm in Stamford, Conn., agrees. "The [attorneys general] are better off focusing on disclosure rules and consumer protection than on security technology, an area where they are out of their league and where they won't possibly be able to keep up," Litan tells CardLine.

As for this particular settlement, Litan questions its usefulness. "Consumers really didn't suffer much harm or financial loss, as they are already protected by the rules of the credit card associations," she says. "So I'm not sure why all this effort was expended on prosecuting TJX instead of focusing on preventing future breaches through enhanced breach-disclosure laws and more effective consumer-protection laws" such as in the case of fraudsters taking over demand deposit accounts, Litan says.










