According to this article from ComputerWorld TJX has proposed to settle consumer class actions arising from its massive data breach earlier this year. As part of the settlement, TJX would provide credit monitoring, identity theft insurance, and payment of the cost of credit card replacement for individuals whose personal data may have been stolen during the breach. The company would also agree to hold a 15% off sale at some point in the next year, and to pay for "certain losses from identity theft" for individuals whose driver's license or other ID numbers were the same as their Social Security numbers.
The questions now are whether consumers should take the settlement, and whether the court should bless it as fair. At first blush, it seems like the settlement is almost an insult. After all, large retailers routinely hold sales with discounts greater than the 15% off that TJX is offering, and it is not clear what the "certain losses from identity theft" that TJX would agree to cover would actually entail. On the other hand, the credit monitoring, card replacement and free identity theft insurance are real benefits. True, it might seem like paying these costs is the least TJX should do, but when consumers have tried to use courts to force those payments out of companies which have had a security breach they have generally been unsuccessful. For example, this post discusses a case from the seventh circuit where consumers were thrown (figuratively) out of court because the judges decided that damages from fear of future identity theft weren't real enough to be used as a basis for compensation - even compensation for the cost of credit monitoring. Thus, while the settlement from TJX may seem like a bargain, it could be the best that the consumer plaintiffs can reasonably expect.