More on the Real Cost of Data Breaches -- $9.75 Million

Add another $9.75 million (plus - see below) to the cost of the TJX Cos. Inc. 2006 data breach.

The company has reached a settlement with 42 states over allegations that it failed to provide adequate security for its customers. $5.5 million of the settlement will be dedicated to data protection and consumer protection efforts by the states and another $1.75 million will be used to reimburse the costs and fees of the investigation.

Massachusetts AG Martha Coakley's office led the executive committee running the investigation. In a statement, AG Coakley said, "This settlement ensures that companies cannot write-off the risk of a data breach as a cost of doing business. In addition to the monetary relief, this agreement requires TJX to implement and maintain a substantial data security program to ensure that this kind of data breach does not happen again." Massachusetts will get nearly $1 million in the settlement.

The parenthetical "plus" in my first paragraph refers to an additional cost included in the settlement agreement. TJX must implement major security improvements, and must report and certify that its computer system meets detailed data security requirements specified by the states. The settlement also requires the company to encourage the development of new technologies to address weaknesses in the U.S. payment card system.

The other states participating in the agreement are Alabama, Arizona, Colorado, Delaware, Hawaii, Idaho, Iowa, Louisiana, Maine, Maryland, Massachusetts, Michigan, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Mexico, New York, North Carolina, North Dakota, Oklahoma, Rhode Island, South Dakota, Texas, Washington, West Virginia, Wisconsin, and the District of Columbia.

Other links:
Florida AG's Release
Boston Herald
USA Today


Cynthia J. Larose

Member / Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.