Rhode Island Attorney General The Latest Headache For TJX

Written by Evan Schuman
February 5th, 2007

In the almost daily saga of the TJX data breach, the attorney general for Rhode Island has launched an investigation into what executives at the $16 billion retail chain knew and when they knew it.

The investigation, technically a Civil Investigative Demand (CID) on the authority of both Rhode Island’s Deceptive Trade Practices Act and its Identity Theft Protection Act of 2005, will likely begin in earnest with its first meeting with TJX officials on Feb. 12 at the Attorney General’s office in Providence, said Edmund Murray Jr., a special assistant attorney general who is in charge of the probe.

Both Murray and the department’s public information officer, Michael Healey, said the next stages will be dictated by the facts uncovered during the probe. Typically, though, state AG offices seek compensation for state residents who are trying to defend themselves against identity theft, including credit report costs and possibly money to pay for help processing such claims.

But if conduct established in the probe is severe enough, more substantial options, including a civil lawsuit and possibly criminal charges, could be considered. One key concern, Murray said, is the month-long delay between the breach’s discovery and its announcement. Rhode Island law requires that impacted consumers be notified “immediately.” Unfortunately, Murray said, the statute does not define “immediately.” Although no announcements have been made, the national nature of TJX’s chain makes it likely that other states may want to conduct their own probes.

The Rhode Island announcement was just the latest in a string of bad news for TJX since it announced in mid-January that it had exposed its customers’ credit card, debit card and other personal information to unspecified intruders. TJX has been criticized for revealing virtually no specifics about what happened, when it happened and how it had gone undetected from May 2006 through mid-December 2006. There have also been at least two class-action lawsuits filed plus more lawsuit threats from banks and a congressional request for a probe by the Federal Trade Commission.

That kind of uncertainty played a large role in prompting financial analyst firm CL King & Associates to downgrade TJX to neutral from “strong buy.”

“Based on our diminished EPS outlook for FY07, we believe an investment in TJX is likely to be dead money at this point,” said the firm’s research advisory.

Much of the firm’s concern is about whatever shoes are next to drop, especially involving the cost of dealing with the unknown. “Regarding FY07 expenses related to the data breach, the company stated it is not yet able to reasonably estimate the losses it may incur. Management stated it is unlikely to be able to reasonably estimate such losses at the time earnings are released in FY07,” the advisory said. “The ongoing expense issue includes legal costs, exposure to credit and debit card companies and banks, related fees and expenses, and other possible liabilities.”

Another piece of bad news came on Monday from a report in the Chosun Ilbo, a major Korean newspaper. It reported that the “private data of around 10,000 Koreans who use credit cards associated with Visa, MasterCard and American Express was stolen” in the TJX incident. It also pegged the size of the full data breach as “40 million card users” and attributed it to “the credit card industry.” Thus far, TJX has not specified a number of victims.



Most Recent Comments

Why Did Gonzales Hackers Like European Cards So Much Better?

I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mismatch makes it easier to use them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them?

Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved.

A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse).

The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIN. Hence, $10 prices for US cards vs $25 for the European counterparts.

@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7.
