TJX’s Settlement: Marketing Chutzpa At Its Best
Written by Evan SchumanOnly TJX could take a lawsuit settlement from the worst retail data breach ever and try and turn it into an upsell situation.
TJX’s multi-part settlement of all of the consumer lawsuits against it for its massive data breach is a fascinating denouement to the TJX saga. What makes this latest twist so delicious is that TJX has played this debacle the way a retailer should, assuming the retailer is Niccolo Machiavelli.
When admitting to a massive databreach impacting some 46 million of your customers and when also conceding by implication that much of it was your fault given inadequate security measures, most companies would be chagrined, embarrassed and perhaps even a little bit ashamed.
How many would have the pureness of purpose to try and turn it into an upsell situation? When agreeing to pay cash?albeit tiny amounts?to your wronged customers, what would be a better example of Machiavellian marketing than to offer consumers the money only for in-store credit and of such an amount ($30) that many will likely spend more than the coupon?
Or as a way to make amends to the identity-less, offering to throw them a three-day party, which is open to everyone. And to then offer everyone attending a 15 percent off sale.
Let’s me see if I understand this correctly. Due to apparently recklessly weak security procedures, consumers that you invited into your stores had their credit card information and identities taken, all because they chose to buy your merchandise. How to make amends? Invite them back to bring their new credit card and buy more stuff, with a 15 percent discount. Isn’t that like Jeffrey Dahmer going to one of his victims that got away and offering him 25 percent off of another meal with him?
Maybe they can launch a major series of radio spots for this event? “Come to the We Ripped You Off And Got Away With It Special Celebration, with 25 percent off all jeans and 30 percent off if you use a credit card. Make sure to bring two forms of ID, though. Just kidding. You no longer have an identity.”
A 15 percent off sale and coupons to encourage upselling? That sounds less like a punishment and more like a promotion.
It’s important for people to try and read the full 44-page settlement or at least peek at our summary of the key settlement points. That’s because TJX makes a lot of generous-sounding moves?such as paying consumers who were wronged, paying them an hourly fee for time spent and making security improvements?but it’s in the details where those offers fall down.
Yes, consumers are being paid, but very little and only in the form of what amounts to limited TJX gift certificates. Some consumers will be getting paid an hourly fee for the time they spent chasing their lost identities, but only $10/hour and there are a healthy list of restrictions.
Yes, the security improvements are going to be documented, but the industry will never know those details. The attorneys in charge of that security oversight indeed could conclude that the security improvements are insufficient, which would kill the deal and, by the way, their $6.5 million fee. Not that that would influence them at all. After all, the plaintiff lawyers are in it to improve security conditions and not to merely make a buck, right?
If TJX was serious about this settlement and their improvements, they would be much more forthright about how they believe the incident began and what their security looked like at the time. If security is the only reason for the secrecy, surely it wouldn’t hurt to get specific about the systems that used to be in place. It’s not difficult to be explicit about what was being done and simply not reveal the information that would still be of value to thieves.
Of course, TJX has always had this bad luck with calendar coincidences. The breach was discovered in mid-December and yet they didn’t announce it until mid-January. Was the one month silence truly needed by law enforcement or was it timed to not impact holiday sales? There’s a good argument that the timing back then was coincidental. Not an airtight argument, but a reasonable argument nonetheless.
This settlement’s announcement date raises the calendar coincidence issue again. This settlement had clearly been in the works for quite some time. Teams of lawyers don’t agree on the wording for 44-page government documents in one or two conference calls.
And yet, this statement was issued at 5:34 PM on the East Coast. On a Friday night. If one wants a story to be buried, that’s the best time and day to announce it. And if that announcement happens to be made after sundown on the eve of Yom Kippur?the holiest day of the year on the Jewish calendar?even better, if the goal is to bury the news.
Coincidence? Twice? Maybe, but I am guessing there might be a lot of atoning due from one major retailer this week.
-Marc
September 23rd, 2007 at 1:46 pm
I have to ask: did the customers whose security was breached agree to those terms or did the attorneys general in charge of the cases?
Most consumers are not stupid enough to agree to such a settlement. A consumer would know that he/she is being duped into coming back into the store to spend money in it.
However, if the settlement was accepted by the injured parties, you have to give TJX credit for their chutzpah. It appears that it worked.
September 23rd, 2007 at 5:41 pm
Editor’s Note: The answer is technically “neither.” First, this case is entirely distinct from the state Attorney General cases that are still pending. (Actually, those cases are consolidated under Massachusetts, so it’s functioning as one action.) The state AGs have no direct involvement in this case.
This deal was agreed to by the attorneys representing certain users and TJX. I am strongly assuming that most of the consumers involved were briefed and signed off. Of course, there are millions of consumers involved so it would only be the named consumers who would have had any say.
September 24th, 2007 at 2:57 pm
You’ll see some very similar “marketing” tactics from VerizonWireless in their “Campbell Class Action Settlement” from 2006
http://www.verizonwireless.com/b2c/globalText?contentType=Legal%20Notice&textId=87 .
Multiple options offered to the Class. Most involve insiginificant discounts on very high-margin accessories.
And, on top of it all, their method of submission for these settlement options was so complex, that you ended up spending $50 worth of time to receive a $10 “payoff”.
Evan – thanks for shining a big light on the games people play. Never ceases to amaze.
September 27th, 2007 at 9:33 am
I never really considered how TJX actually timed every communication to work to their advantge.
My guess is that the gift cards will be sent to customers to arrive 11/19-11/21, right before Black Friday.
Then a settlement will be announced with the state AGs will be announced Christmas Eve.
September 27th, 2007 at 10:42 am
Editor’s Note: Good thought, Eric, although I doubt they’ll have the settlement improved in time for Nov. 19. Other than that, yes, that is likely what they would have tried to do.
As for the AG settlement, that will now prove interesting. All that the AGs will actively pursuing–the last time I checked–was credit card monitoring reimbursement. Given this agreement, they might wait to see if the settlement is approved. If it is, they might just echo it.
September 27th, 2007 at 5:00 pm
It is significant that TJX is once again being secretive about the steps it is taking to secure its network since it was secretive about the breach itself. The real challenge with network security is that every new technology brings both benefits and risks and forethought must be given to those risks preferably before the technology is implemented. While there is some discussion about whether or not the breach at this retailer was wireless, and it is our opinion that it was, it is important to think about network security strategy in a global way instead of a siloed one and wireless security must be part of that strategy, whether or not you have deployed wireless. With the proliferation of wireless, wireless security is a must have not an afterthought, and it need not be an expensive and daunting task to implement.