In a move that could save it tens of millions of dollars in lawsuit damages, TJX Companies Inc. today announced that it will pay up to $40.9 million to Visa card issuers who may have been affected by a massive data breach disclosed by the retailer in January.
Under an agreement reached with Visa U.S.A. Inc., TJX said it will compensate banks that issued Visa payment cards potentially affected by the computer breach if they, in turn, agree not to sue the retailer over the breach.
Affected banks have until Dec 19 to accept the offer. Those that do so will be compensated by month's end, the company said in a statement today.
The proposed settlement comes even as the U.S. District Court in Boston this week overturned an effort by a group of bankers associations to gain class-action certification for their efforts against TJX.
Carol Meyrowitz, president and CEO of TJX, said the proposed settlement provides a "fair resolution" to banks that were affected by the breach and she expressed her hope that it would be broadly accepted. Meyrowitz added that the costs of the proposed deal with card issuers is already reflected in a charge TJX took in its fiscal 2008 second quarter.
In Visa's own statement, Ellen Richey, head of global risk management, said that those who accept the deal would "benefit greatly" because it offers immediate recovery of their data breach claims.
"This agreement demonstrates the importance of retailers and the payment card industry working together to protect cardholder data," she said in the statement.
As part of today's agreement, Visa will also suspend and rescind a portion of the data breach fines that it has levied on Fifth Third Bank, which authorized TJX to accept payment card transactions in the U.S. Under contractual terms, it is the acquiring banks that get directly fined by Visa for breaches such as those that occurred at TJX. Those fines are then typically passed on to the breached entity.
Visa and TJX agreed to rescinded fines because it would increase the amount of money available for the proposed settlement, Visa said. It added that only U.S.-based Visa card issuers are covered by the proposed settlement.
If the settlement is accepted by a majority of the affected banks, it could save TJX millions in damages and legal fees that the company would have ended up shelling out for lawsuits stemming from the breach.
The Boston court's decision to deny class-action status for the lawsuits brought against TJX by various banks and bankers associations also looks to be a big break for the retailer. The court's decision means that banks looking to sue TJX now must do so individually -- a potentially far more expensive and difficult task than if they were members of a class action.
A statement released by the Massachusetts Bankers Association (MBA) today called the court's decision "only one step in a long, complicated case."
"We are looking forward to the next hearing date on Dec. 11 when the court will consider important pending motions that we believe are related to class certification. Nothing in the decision discusses or addresses the conduct of TJX."
The MBA, which represents 205 banks in the state, is a co-plaintiff in an ongoing lawsuit against TJX filed in April. Others participating in the suit are the Connecticut Bankers Association and the Maine Association of Community Banks, as well as several individual banks. All of these entities were hoping to get the courts to certify them as members of a class.
The TJX breach is the worst ever involving the loss of cardholder data. The company, which owns brands such as T.J. Maxx, Marshalls and Bob's Stores, has admitted that about 45 million cards were compromised in a computer intrusion that remained undetected for more than 18 months. But court documents filed in connection with lawsuits against TJX claim that the retailer lost over 94 million cards, the vast majority of which were Visa payment cards.