[ISN] Mass. credit union bills TJX $590k for breach-related costs

From: InfoSec News (alerts@private)
Date: Wed Jun 06 2007 - 22:21:09 PDT


http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9023778

By Jaikumar Vijayan
June 06, 2007 
Computerworld

HarborOne Credit Union in Brockton, Mass., has sent The TJX Companies 
Inc. an invoice for $590,000 for what the financial institution says it 
incurred in actual costs and reputational damage as a result of the data 
compromise disclosed by the retailer in January.

The bill was sent to TJX on April 30, but the company so far has not 
responded or commented on it in any fashion, said James Blake, the 
president and CEO of the 100,000-member, $1.4 billion credit union.

"The bill was for both direct operational costs that we incurred 
reissuing new debit cards to our customers, as well as the costs to us 
from a reputational standpoint," he said. According to Blake, the TJX 
breach resulted in HarborOne having to block and reissue about 9,000 
cards at a cost of around $90,000. The remaining $500,000 is what Blake 
believes the breach cost the credit union in terms of brand damage.

"We had to notify customers of the fact that their account was breached. 
There were some questions on their part whether or not we were 
responsible [for the breach] when in fact it was TJX's responsibility," 
Blake said.

Rather than pursue a formal lawsuit against TJX for the amount, 
HarborOne has decided to give TJX a chance to do the "morally" right 
thing, he said. "Whether they will is another issue. They have chosen not 
to respond to any of our communications. They have run from the problem 
from the very beginning."

According to Blake, in the last year alone, HarborOne has had to reissue 
debit cards more than 30 times to customers as a result of data breaches 
at various retailers. "You can understand why we are a little upset 
about this," he said.

A spokesperson from TJX did not immediately respond to a request for 
comment.

HarborOne's action comes amid growing pressure from credit unions and 
other financial institutions around the country to get retailers to take 
financial responsibility for data compromises. Credit union associations 
in various states are vigorously lobbying lawmakers to approve bills 
that would require retailers to implement stronger data-security 
measures and to reimburse costs associated with reissuing payment cards 
after a breach.

One such bill is the Plastic Card Security Act that was signed into law 
in Minnesota last month after being actively pushed by the Minnesota 
Credit Union Network. And the California Credit Union League is now 
pushing a bill similar to the one in Minnesota. Other states, including 
Texas and Connecticut, have considered similar proposals recently.

Blake, who is the chairman of the Massachusetts Credit Union League, 
welcomed such proposals but said such measures need to be considered at 
the federal level.

