TJX Companies Retail Security Breach Litigation
In 2007, Berger & Montague filed a class action suit on behalf of all consumers in the U.S. whose personal and financial data were stolen by computer hackers from TJX Companies, Inc. (“TJX”). Berger & Montague was one of three Co-Lead Counsel appointed by the Court.
The complaint alleged that TJX was negligent for failing to maintain adequate data security of customer data. The stolen information included: (i) credit and debit card information for 45 million consumers; and (ii) drivers’ license, military ID, and state ID numbers with accompanying names and addresses for 455,000 consumers. Drivers’ license numbers in many instances matched the individuals’ Social Security numbers. The data breach was reportedly the then-largest computer theft of personal data in history.
A settlement was reached in 2008 valued at over $200 million. Settlement benefits included: (i) two years of credit monitoring and identity theft insurance offered to the 455,000 individuals whose driver’s license and other ID numbers were exposed (a value of $390 per person based on the retail cost for this service); (ii) a $17 million fund offered to the 45 million cardholders to reimburse identity theft losses, out of pocket costs, and lost time to mitigate or correct actual or potential identity theft; and (iii) injunctive relief regarding improvements to TJX’s data security systems. These elements became the template for many subsequent data breach settlements. In approving the settlement, former Chief Judge William Young praised the result as an “excellent settlement” containing “innovative” and “groundbreaking” elements.