2006 computer intrusion at level 1 retailer TJX Inc. may have far-reaching consequences. Based in Massachusetts, TJX Inc. announced in January it had discovered an intrusion into its computer system and the theft of credit card data. The resulting fraud gives impetus to a proposal in that state's legislature that would make retailers liable for issuing- banks' expenses.

Separate class action suits were filed by cardholders and AmeriFirst Bank less than two weeks after the incident was reported. AmeriFirst, which also named TJX's acquirer Fifth Third Bank as a defendant, asserted that TJX's one-month delay in making the incident public left banks open to fraudulent transactions during that time.

The suit states that Visa U.S.A. has estimated the number of affected cards could exceed the 40 million exposed in the 2005 breach at CardSystems Solutions. AmeriFirst put the cost to reissue each compromised card at $20. The Massachusetts Bankers Association, which promotes liability legislation, said the cost ranges from $3 to $15 per card.

Several banks reported fraudulent charges resulting from the data theft, the MBA disclosed in late January. Those charges originated in Hong Kong and Sweden, as well as three southeastern states.

Visa is working with law enforcement and TJX to investigate the compromise, which affected all major card brands, Visa reported. The Association is risk-scoring all account transactions in real time.

MasterCard Worldwide spokesperson Chris Harrall stated in an e-mail that the company could not provide specifics on the investigation. However, TJX, which MasterCard classifies as level 1, "was not PCI compliant at the time of the breach, as reported by its acquirer."

Specter of legislation

Massachusetts Rep. Michael A. Costello had already proposed the state legislation when the computer breach was disclosed by TJX. The MBA helped craft the law, which would allow the commonwealth's banks to pass their actual costs to any company that exposes bankcard data, said Costello Aide Adam Martignetti. The TJX security breach highlights the need for such legislation, he added.

The bill's wording does not single out retailers, said Bruce E. Spitzer, Communications Director for the MBA. "It could be a retailer, a processor or a bank," he added. The provision is good for consumers, "because if companies know [they face liability], they will invest in better systems," he added.

Proposing to make companies who lose control of card data responsible for bank costs is unique to Massachusetts. However, the association has also lobbied U.S. House Financial Services Committee Chairman Barney Frank (D-Mass.) to consider federal legislation, Spitzer said.

Frank may be receptive to the idea. He released a statement saying the TJX breach "is further evidence of the need for a provision. ... Specifically, this means retailers or wholesalers must take responsibility" for data breaches.

National Retail Federation Senior Vice President Mallory Duncan said, "The focus should really be on how we stop and prosecute the criminals, instead of trying to shift the costs back and forth among parties in the system."

Substantial repercussions

Pointing out that even Department of Defense systems have been breached, Duncan said, "There is no unhackable system. We've got to make sure it's not about shifting costs, but making sure everyone's doing their due diligence."

The MBA disclosed in late January that 60 member banks had been notified by Visa and MasterCard of compromised accounts, with the number of affected issuing banks likely to grow, Spitzer said.

"We've been very aggressive in our response, because it's a huge reputation risk for our banks," Spitzer said. "The costs are going to be substantial. ... Visa and MasterCard aren't paying for it.

"The extent of this breach is not going to be covered by interchange," he added.

Fifth Third spokesperson Stephanie L. Honan said Fifth Third is not the only acquiring bank providing services to TJX.

"From an issuer standpoint, we'll continue to monitor the cards, look for fraud and directly communicate with customers that have been affected." TJX did not respond to The Green Sheet's phone calls regarding this matter.