REVISED DAMAGES IN TJX DATA BREACH EXCEED A QUARTER OF A
Merchants must take action now to reduce credit card security risks
The massive customer credit card data breach at TJX Companies Inc. took a dramatic turn this week, as the company announced costs related to the breach have reached $256 million—more than 10 times earlier estimates.
TJX, the parent company of clothing retailers T.J. Maxx and Marshalls, announced the costs August 14th in its second-quarter earnings report. The costs lowered TJX’s profits by $118 million in the first quarter alone.
The damages far exceeded even the worst-case scenarios envisioned by most experts. In the first quarter, TJX announced it had spent $17 million in the previous six months, following the highly publicized loss of 45.6 million customer credit and debit card numbers over a two-year period. At the time, the company warned that it expected additional damages in the second quarter, but indications at the time were that those costs would be in the $8-12 million range, a fraction of the $256 million announced this week. Company officials also said this week that they may have to take a $35 million pretax charge in the 2008-09 fiscal year to cover additional damages.
While the news was bad for TJX, it may get even worse. The company still faces several lawsuits in relation to the case, including a suit from the Massachusetts Bankers Association seeking tens of millions of dollars in restitution, stemming from the customer data loss. The Federal Trade Commission also has announced it is investigating TJX.
Financial analyst Khalid Kark told the Boston Globe that he believes that by the time all the cases are litigated and the damages paid, the final bill will exceed $500 million and may approach $1 billion.
TJX’s bank has been named as a defendant in some of the cases arising out of the data theft, on a theory that the bank was responsible for ensuring its merchant customers met their data security obligations.
In January, TJX admitted that hackers had broken into the company’s payment systems and stolen 45.6 million credit and debit card numbers over a nearly two-year period. In terms of sheer numbers of records, it is the largest data security compromise in U.S. history.
In addition to legal compliance liability, companies now face stricter regulation from the credit and debit card companies. The new Payment Card Industry Data Security Standard Version 1.1 took effect on January 1. With the enactment of that standard, merchants who accept payment cards (both credit and debit) must now establish a number of security procedures, including:
• Maintaining a secure computer network, which includes installing firewall configurations;
• Protecting stored customer data;
• Encrypting customer data when it is transmitted;
• Restricting access to customer data on a need-to-know basis;
• Regularly testing security procedures; and
• Having a policy to address customer data security.
Nearly any business that handles confidential customer information is at risk of a data breach or theft. However, companies can learn from the TJX situation and take steps to help protect their business from similar catastrophes.
The first step is a comprehensive internal audit, which should answer questions such as, “How is classified information stored?” and “Who has access to this information?” Such an audit can provide a layer of “good faith” protection even in the event of a data breach.
A company should have its security policies and procedures checked by an outside expert to establish that the company is taking reasonable precautions to secure customer data.
Womble Carlyle has assembled a Privacy and Data Protection Team with deep experience in aiding companies with enhancing data security. The firm has developed a Ten-Point Merchant's Payment Card Security Plan to help you protect your business from payment card fraud and damaging lawsuits. We will work with your risk managers and information systems team to provide a cost-effective solution customized to your business. We will help you navigate the complex and ever-changing legal and regulatory landscape to avoid unpleasant surprises.
If you would like to discuss these matters at greater length, please contact:
Ted Claypoole - (704) 331-4910
Alicia Gilleskie - (919) 755-2138
Mike Hubbard - (919) 755-8126
IRS CIRCULAR 230 NOTICE: To ensure compliance with requirements imposed by the IRS, we inform you that any U.S. tax advice contained in this communication (or in any attachment) is not intended or written to be used, and cannot be used, for the purpose of (i) avoiding penalties under the Internal Revenue Code or (ii) promoting, marketing or recommending to another party any transaction or matter addressed in this communication (or in any attachment).