TJX Companies, Inc. has agreed to settle numerous customer class actions launched following the security breach of TJX’s computer systems. The breach affected millions of credit and debit card holders. The terms of this settlement are interesting in that they require TJX to provide vouchers, cash benefits (cheques), credit monitoring services, identity theft insurance, reimbursements and sales events to eligible claimants.
On January 17, 2007, TJX Companies, Inc. announced that it had suffered intrusions into its computer system responsible for processing and storing information related to consumer transactions, and specifically to credit card, debit card, cheque and merchandise return transactions. TJX is the parent company of Winners and HomeSense in Canada. The breaches occurred between July 2005 and January 2007, affecting approximately 45.6 million credit and debit card holders.
Predictably, the TJX security breach led to a number of class actions against TJX, including six class actions seeking compensation on behalf of all Canadians who may have been affected by the breach. The class action plaintiffs allege that TJX failed to maintain adequate security for consumer information, and that, as a result, unauthorized individuals were able to gain access to this information. The plaintiffs claim that TJX’s inadequate security allowed unauthorized individuals to steal consumer information and to commit fraud and identity theft.
On November 14, 2007, TJX entered into a proposed settlement agreement with the representative plaintiffs. The settlement class for the purposes of the proposed settlement agreement includes anyone in the US, Puerto Rico or Canada who made a purchase or return at certain TJX stores during specific time periods, who had or allege having personal or financial data stolen or placed at risk of being stolen, and who were or may be damaged or who allege they were damaged by the intrusion.
The terms of the settlement agreement require TJX to compensate the settlement class by way of vouchers, cash benefits (cheques), credit monitoring, identity theft insurance and reimbursements. As well, under the terms of the proposed settlement agreement, TJX will host a one-time three-day sale event at TJX stores for the plaintiff class where all merchandise will be reduced by an additional 15 per cent. The settlement agreement does not include an admission of guilt or wrongdoing on the part of TJX.
Compensation will be in the form of either $30 vouchers for use at TJX stores or $15 cheques. Customers can claim up to two vouchers, with the number of vouchers based on whether the class member has proof that he or she shopped at a TJX store and proof of out-of-pocket expenses. If the total value of claims for customers with such proof exceeds $7,000,000, the amount per voucher will be reduced proportionately. Similarly, the amount per voucher for those customers without proof will be reduced proportionately where the total value of claims exceeds $10,000,000.
Customers who have been notified that their driver’s licence or other identification information was compromised, where that information is the same as their social security number, and who lost more than $60 from identity theft (excluding credit and debit card charges), may be eligible for additional reimbursement.
However, again, if the amount needed to pay these claims exceeds $1,000,000, each payment will be reduced in proportion to all settlement class members’ claims.
The proposed settlement agreement also provides three years of credit monitoring and $20,000 worth of identity theft insurance for consumers who returned merchandise to TJX stores without receipts and who received letters from TJX stating that their names or identification numbers were believed to have been compromised. These customers will also be reimbursed for the cost of drivers’ licences replaced between January 17, 2007 and June 30, 2007.
Under the proposed settlement agreement, TJX will also pay the plaintiffs’ legal fees, up to $6,500,000.
In addition, the settlement agreement gives the plaintiffs one month to have their independent security experts determine whether recent improvements to TJX’s computer system constitute a prudent and good faith attempt to minimize the likelihood of intrusions in the future. The settlement is contingent upon plaintiffs’ counsel’s acceptance of these enhancement actions as prudent and in good faith.
While the US District Court for the District of Massachusetts has preliminarily approved the settlement, the agreement must first be approved at a fairness hearing. Claims will be paid after all appeals from the fairness hearing have been heard and the court grants final approval of the settlement agreement.
If approved at the fairness hearing, the settlement agreement will settle the class action proceedings in Canada. The Canadian plaintiffs agreed to a stay of the Canadian actions pending implementation of the settlement. As outlined in the settlement agreement, all settlement class members — including those in Canada — will be permanently barred and enjoined from commencing, prosecuting or participating in any action asserting any of the claims released by the agreement.
Note that this proposed settlement agreement, if approved, will only settle the class action lawsuit involving customers of TJX stores: lawsuits against TJX from banks and other financial institutions are not settled under the settlement agreement. Individual class members were also able to opt out of the proposed settlement by providing notice by June 24, 2008.
On the credit card side, TJX entered into a $40.9-million pact with Visa in November 2007, and a $24-million pact with MasterCard in April 2008, in each case to cover breach-related expenses incurred by the issuing banks, such as replacement of credit cards. These settlements would be paid in exchange for the issuing banks’ agreeing to waive their rights to sue TJX for breach-related costs.
And in March 2008, TJX agreed to a settlement with the Federal Trade Commission, under which TJX agreed to submit to an independent security audit every other year for 20 years.
McCarthy Tétrault Notes:
The response to the terms of the class action settlement agreement has generally been critical. The prevailing view is that TJX is escaping too easily (e.g., providing marketing gimmicks of relatively small vouchers for use in stores and a sale event) and that it will not suffer any significant financial repercussions as a result of the breach. Concern has also been raised over the fact that such an early settlement will leave important issues regarding responsibility and liability for such security breaches unresolved.