TJX, Visa in data breach settlement
The TJX Companies Inc. entered into a settlement agreement with Visa last week to make an alternative recovery program available to US Visa issuers that issued cards potentially affected by TJX's previously announced unauthorized data breach.
TJX has agreed to fund up to a maximum of $40.9 million in alternative recovery payments. The settlement is conditioned on acceptance of the alternative recovery offer by December 19 by issuers of at least 80% of the eligible Visa payment card accounts. The estimated costs of the settlement are already reflected in a charge related to the computer intrusion taken by TJX in its fiscal 2008 second quarter. Visa said it will recommend the offer.
“We believe this settlement agreement provides a fair resolution of these issues, and look forward to a high issuer acceptance of the proposal,” said Carol Meyrowitz, president and CEO of Framingham, MA-based TJX, in a statement.
Meyrowitz also commented on the issue of data security. “At TJX, we have learned a great deal about the risks of cyber attacks and have responded aggressively to take our own security to even higher levels” she stated. “We believe that cooperative action is required by all banks, payment card companies and merchants to better protect customer payment card data, and we look forward to working together with Visa to further this goal.”
Once the settlement is completed, accepting issuers will be paid by December 27. Each accepting issuer will waive certain rights to any other recovery through litigation or otherwise and provide certain releases of TJX and its US acquiring banks.
The agreement contains a number of other provisions, including Visa's suspension and rescission of specified fines, TJX's agreement to serve as a spokesperson in support of the goals of the Payment Card Industry Data Security Standards and the security of payment card information, as well as Visa's agreement to provide TJX the opportunity to pilot any new payment card security technology.