Client Alert

Data Security Update on TJX Data Breach

June 13, 2007


Data security has become a hot business issue for non-regulated companies.

As retailers rush to implement the new Payment Card Industry Data Security Standard throughout the United States, businesses are watching a concrete example of data security failure striking the bottom line. The blossoming fallout from the TJX security breach illustrates the serious and lingering costs of recovery after a breach, as well as the need for constant vigilance in data security efforts.

TJX Companies Inc., the parent company of clothing retailers T.J. Maxx and Marshalls, continues to suffer from a massive and highly publicized customer data breach. The breach has already cost the company millions of dollars, and TJX will likely face additional costs in the future.

On May 15th, the company announced that it took a charge of 3 cents per share ($12 million after tax) to pay for legal fees, data security upgrades and customer communications.

These expenses stem from a January admission by TJX officials that hackers had broken into the company's payment systems and stolen 45.6 million credit and debit card numbers over a nearly two-year period. In terms of sheer number of records, it is the largest data security compromise in U.S. history.

The recent $12 million charge for the first quarter of 2007 is in addition to $5 million spent in the previous quarter. The company also announced it expects to incur another charge of 2 to 3 cents per share in the second quarter of 2007, and more costs loom down the road. TJX already faces several lawsuits stemming from the customer data loss, including a major suit from the Massachusetts Bankers Association seeking tens of millions in restitution. The Federal Trade Commission also has announced it is investigating TJX.

In another sobering note, TJX's bank, Fifth Third Bank, has been named as a defendant in some of the cases arising out of the data theft, on the theory that the bank was responsible for ensuring its merchant customers met their data security obligations.

In addition to legal liability, companies now face stricter regulation from the credit and debit card companies. The new Payment Card Industry Data Security Standard Version 1.1 took effect on Jan. 1. Merchants who accept payment cards (both credit and debit) must establish a number of security procedures including:

  • Maintaining a secure computer network, which includes installing and maintaining a firewall configuration;
  • Protecting stored customer data;
  • Encrypting customer data when it is transmitted;
  • Restricting access to customer data on a need-to-know basis;
  • Regularly testing security procedures; and
  • Having a policy to address customer data security.

Nearly any business that handles confidential customer information is at risk of a data breach or theft. However, companies can learn from the TJX situation and take steps to help protect their business from similar catastrophes.

The first step is a comprehensive internal audit, which should answer questions such as, "How is classified information stored?" and "Who has access to this information?" Such an audit can provide a layer of "good faith" protection even in the event of a data breach.

A company should have its security policies and procedures checked by an outside expert to establish that the company is taking reasonable precautions to secure customer data.

Womble Carlyle has assembled a Privacy and Data Protection Team with deep experience in aiding companies with enhancing data security. If you would like to discuss these matters at greater length, please contact:

Womble Carlyle client alerts are intended to provide general information about significant legal developments and should not be construed as legal advice on any specific facts and circumstances, nor should they be construed as advertisements for legal services.

IRS CIRCULAR 230 NOTICE: To ensure compliance with requirements imposed by the IRS, we inform you that any U.S. tax advice within this client alert is not intended or written to be used, and cannot be used, for the purpose of (i) avoiding penalties under the Internal Revenue Code or (ii) promoting, marketing or recommending to another party any transaction or matter addressed in a client alert.