Late last Friday, TJX Companies, the parent of Marshall’s and TJ Maxx, announced it had reached a tentative settlement of a class action suit arising out of a massive data security breach at the company. About 45 million credit and debit cards were said to have been compromised.
To hear the story of the settlement told on TV or radio, you might have believed if you had shopped there over the past few years, you would be entitled to three years of credit monitoring service and id theft insurance free:
Associated Press – September 21, 2007 7:04 PM ET
FRAMINGHAM, Mass. (AP) – The TJX Companies has agreed to a settlement of class action lawsuits filed after a massive security breach involving customer data.
A statement on the company Web site says the proposed settlement includes three years of credit monitoring along with identity theft insurance for those affected by the breach.
It still requires court approval.
In January, Framingham-based TJX disclosed that computer hackers broke into its systems.
At least 45 million TJX cards were hacked.
That is not the case. A closer reading of the fine print of the proposed agreement severely limits which shoppers will get three years of free services.
*MOUSE PRINT:
 2.1 (a) TJX shall make available free of charge (i) to Unreceipted Return Customer Claimants (other than those set forth in subparagraph 2.1(a)(ii)), three years of Credit Monitoring and Identity Theft Insurance from the date of subscription,
So, it is primarily shoppers who returned goods without a receipt during the relevant period who qualify for that part of the settlement. That amounts to some 455,000 people, a mere 1% of the total number possibly affected. These people have already received a direct notification of the breach from TJX, and will also be entitled to other compensation if they experienced actual losses.
For everybody else who made a purchase at a TJX store by check, credit or debit card between certain dates, and who suffered more than a $5 loss as a result of the breach, you will be entitled to $30 to $60 in merchandise credit depending on the level of proof you have. Despite the large number of card numbers stolen, it appears that very few people actually became victims of id theft. That may best explain why most of the 45 million cardholders will not be entitled to compensation.
Lastly, TJX stores will have a 15% off everything sale sometime in 2008 for three days, available to everyone.
“Despite the large number of card numbers stolen, it appears that very few people actually became victims of id theft.”
YET.
While I’m not an advocate of “tort reform” — I think it’s important to have legal recourse against companies that are careless or abusive — I would be an advocate of legislation stating that compensation in tort cases must be of the same kind for lawyers and for plaintiffs, unless the plaintiffs specifically request a different remedy. I find that in many of these cases, the lawyers care about winning the case (and thus getting paid) but don’t seem to care much what remedy the defendant is required to make. In most such cases it seems the defendant is forced to pay a boatload of money to the lawyers, but to the actual plaintiffs, the defendant supplies something that costs it very little: vouchers to buy products or some such.
I have yet to see anyone receive a return of any consequence in a large class action suit. Usually the cost of repsonding to the suit, even if it is not much more than postage, is in excess of the payout from the suit. Only the attorneys win in a class action suit.
I always wonder about the term “compromised”. Without knowing the extent of the compromise, it’s hard to come up with a remedy that helps. But the least would be that any adverse credit impact should be covered by the company unless it can prove that your account was not affected.
As for class action suits, these have simply gotten out of control, and we need some reform that prevents lawyers/law firms from getting more than 10x what the members of the suit get. As indicated, they typically get millions while the members gets cents if they’re lucky, or the ability to get something like 10% off your next product purchase (which is less than you can get in many other deals.) It also forces the affected companies to raise prices so future consumers lose.
we haven’t had identity theft (yet) but our credit card company shut down our account when they learned of the breach-thank goodness (without notification other than on the web site which they apologized for profusely because they apparently had to shut down thousands of accounts quickly) and then they sent us new cards…to the wrong address, since we just moved our update occured after the breach. ah yes, then the new cards came with an annual fee and a rate adjusted for a problem on the account (not caused by me) but of course the credit card co. was in a hurry to send out new cards. then it arrived but was the wrong type of card. for three weeks I used another card but do they owe me for the inconvenience and hassle of having to renegotiate my card-yes I think they do.
Perhaps a week to a month or more boycott of the stores would get some better results than a class action lawsuit.
Of course just delaying a purchase wouldn’t help. Shop elsewhere during the boycott time. If fact, you may like the other merchandiser better. And let them know why you switched there. Hopefully, it will keep the fair and straight. (cross you fingers, it’s called unfettered capitalism)
I work for a fraud dept. at a bank and it makes no sense for them to offer credit monitoring for the rest of the customers because the information that was captured wasn’t enough to steal an identity. If the track data on a card was stolen then a counterfeit card could be created, but once the card number is closed by the bank then nothing more could happen. Name, address, date of birth, etc. are not stored on the card.
Just FYI, I was hit, over the last week, by 10 fraudulent charges totaling roughly $1,000, all from gas stations in California (I haven’t been to California in 20 years – I live in Texas). The only place my card could have been compromised? I used it at TJ Maxx during the period in question.
Just to make the point that there continue to be new cases of fraud from this data breach, and probably will continue to be for quite some time, given that the number of affected cards is now estimated at over 90 million(!)…
Mark, although it’s possible that the problem is TJMaxx, more likely it was from one of many databases where you used the card over the years and that DB was compromised (either from within or outside the company.)
Either way, not a pleasant thought.