TJX Cos. said that it reached a tentative settlement with customers who were victims of the largest security breach of personal data ever reported and that it would provide store vouchers to some people whose data were compromised and a three-day sale for all customers.
The deal in the class-action lawsuit, disclosed by TJX of Framingham late yesterday, still requires court approval and would not resolve claims TJX faces from banks that had to reissue many credit and debit cards compromised in the breach. TJX is the parent of popular stores such as TJ Maxx and Marshalls.
At least 45.7 million credit and debit card numbers were stolen from TJX by hackers who accessed the company's computer systems. TJX has said about 75 percent of the compromised cards were expired or had data in the magnetic strip masked.
The settlement offers shoppers more generous terms than TJX had previously provided and could resolve uncertainty facing the company over the intrusion, in which hackers were able to penetrate its computer systems for more than a year until the breach was detected in December.
"We deeply regret any inconvenience our customers may have experienced as a result of the criminal attack on our computer system," TJX chief executive Carol Meyrowitz said in a statement. "Importantly, we truly appreciate our customers' continued patronage. TJX has been working diligently to reach a settlement that offers a good resolution for our customers."
Attorneys for the consumers did not return messages yesterday evening. Archie C. Lamb Jr., the Birmingham, Ala., lawyer who is lead counsel for the banks in the case, said he hadn't yet been able to review the settlement to discuss it in detail.
Beth Givens, director of the Privacy Rights Clearinghouse, a San Diego consumer group, said she frowns on discounts to settle breach lawsuits since they tend to drive up business and so "aren't an effective penalty." But she said TJX deserves credit for recognizing that breaches can cost customers many hours to take steps such as canceling credit cards.
Specifically, TJX said it would offer store vouchers worth around $30 to certain customers who could show they lost time or money dealing with the breach, valuing their time at $10 per hour. TJX also said it will hold a three-day "customer appreciation" sale featuring 15 percent discounts in its stores in the United States and Canada.
Also, TJX previously had offered one year of credit monitoring and identity theft insurance to customers whose Social Security numbers were believed stolen. The tentative deal would also offer three years of credit monitoring and several years of identity theft insurance to about 455,000 customers who had returned merchandise to TJX without receipts, making them more vulnerable to the breach. In addition, TJX now will offer reimbursements to people who had to replace compromised driver's licenses.
TJX did not disclose the exact cost of the proposed settlement but said it was within the parameters of its previous estimates, which put total costs at $256 million.
TJX said the settlement would cover all customer class-action suits in the United States, Puerto Rico, and Canada with respect to the intrusions. A consolidated suit in US District Court in Boston had accused TJX of negligence, breach of contract, and other violations in connection with its security practices.
In its statement TJX said it denies the claims and allegations, but it "has concluded that further legal activity would be time consuming and expensive, making it desirable that the actions be settled."
TJX spokeswoman Sherry Lang said the company doesn't expect a court ruling on the settlement until the spring.
Ross Kerber can be reached at firstname.lastname@example.org.