As I read through the “Assurance” (of Compliance) that TJX signed with the attorneys general of 41 states, I found myself humming the song, “Is That All There Is?”
When all is said and done, TJX seems to have gotten off with a slap on the wrist, at worst. In December 2007, they settled claims brought by three banks and three state bankers associations after some claims were dismissed by the court, but the terms were never made public. In August 2008, they settled with the FTC on terms that involved no financial penalties, only an assurance of the kinds of security provisions and monitoring specified in the more recent Assurance. In September 2008, they settled a case brought by consumers by agreeing to give consumers either $30 in cash or a $60 voucher for three years of credit monitoring, plus the cost of replacing a driver’s license. We don’t know how many people actually took the cash or took a voucher that they never used. And in January 2009, TJX announced a one-day 15%-off sale to show their customers their appreciation. That sale was voluntary on their part. I grant you that they may have paid a lot in attorneys’ fees, and that we do not know the terms of the settlement with the banks or the cost of the consumer settlement, but based on what we do know, there doesn’t appear to have been much in the way of consequences.
So now they will pay $9.75 million? That’s small potatoes to a firm with its revenues and probably much less than they feared when they set aside a $216 million reserve to deal with the breach. And the rest of the Assurance pretty much boils down to getting TJX to agree that it will do what it should be doing anyway. Yes, there are a few security-related provisions that go “above and beyond” the current industry standards, but for the most part, the Assurance simply spells out what was immediately obvious to everyone — that TJX had sloppy security and they needed to address that.
But what really got me irked was that I got all of the way through the document and realized that there was no admission of any wrong-doing and no section of “findings.” Nowhere did we finally learn how many people or card numbers were affected by the breach. So some media sources continue to refer to the breach as affecting possibly more than 94 million while other sources report 47.5 million. And now, because of clauses in the “Assurance” about confidentiality and protection from disclosure under public records laws, we may never find out what the numbers really were.
I’m tempted to call up my Attorney General and ask him why the public can’t find out how bad the breach really was.
In any event, other than the ongoing monitoring for compliance, the TJX matter seems to be basically closed as far as the states and the FTC go. And since the threat of class action lawsuits is also gone, TJX pretty much “got away with it.” The state attorneys general can issue all of the press releases they want on this one trying to spin it as punishment or a cautionary tale for businesses, but when the public stops spinning and takes a hard look at the Assurance, the real message will be that states will not impose any truly dreadful financial or legal consequences for sloppy security.
If any state attorney general would care to explain to me how this Assurance is a good outcome for those who were affected by the breach and why the states didn’t impose a greater financial penalty that might serve as a deterrent, I’d be happy to listen. Or is this just more of the “let’s look forward and not back” approach that has become far too rampant?