TJX Settles Another Data Breach Lawsuit And Puts Itself In Charge Of The Oversight
Written by Evan SchumanYou have to wonder who is left among the U.S. entities that have not sued—and then settled with—TJX for its infamous data breach of more than 100 million card numbers. The latest to come up to the till: The Louisiana Municipal Police Employees’ Retirement System. But the settlement here—for $595,000—is not the interesting bit. Part of the deal was a change in an IT boss. The settlement specified that IT security efforts need someone to oversee operations. What was agreed? That the job be given to TJX’s own audit committee. The TJX board’s audit committee shall, through Dec. 31, 2015, “oversee security of [TJX's] computer system with respect to customer data, including [PCI] compliance,” the settlement said.
If you ever needed any proof of the strength of TJX’s legal position in these cases, you need look no further. When seeking an independent overseer, the best the plaintiffs could come up with was a committee within TJX’s own board? Setting aside the lack of independent perspective, this approach isn’t even a concession, given that the TJX board oversees such matters anyway. Want to freak out TJX investors? Tell them to imagine what this breach’s after-effects would have been had the attackers hit mobile transactions tied to debit cards. Were it not for zero-liability credit card programs, this legal outcome would be stunningly different.
-Dan Stiel
July 15th, 2010 at 12:51 pm
This is really a “sleeves on the vest” settlement…much ado about nothing. Having served on audit committees of boards of directors, particularly in the post Sarbanes Oxley world, this oversight responsibility is already technically required, and often “outsourced” to audit or consulting firms…
July 15th, 2010 at 1:26 pm
Absolutely. That’s the point. This is an illustration of how strong a hand that TJX was dealt, that THIS was the best the plaintiffs could negotiate.