Network Security Blog

From Tony Bradley, CISSP-ISSAP, for About.com

TJX Allocates $2.60 Per Compromised Card

Sunday August 19, 2007
What is your time and peace of mind worth? How much would you expect in return for having to get your credit cards re-issued and diligently monitor your credit report and be leery of identity theft for who-knows-how-long? TJX figures that $2.60 ought to do the trick. I don't know about you, but my time is worth more than that. I wasn't affected. But, if I was, even if I only had to invest an hour a month for the next year to monitor and maintain my credit, I would expect compensation more in the neighborhood of $1,200. When the Veteran's Administration lost a hard drive with information on 26.5 million veterans, there was talk of paying $1,000 to each person who had proof of being affected.

If we applied that to TJX and assumed that 10% of the compromised credit cards actually lead to stolen identities or fraudulent credit card charges, that would put TJX on the hook for more like $4.5 billion. They paid out an estimated $11 million for security services to investigate and remediate the breach, and they have set aside a whole $107 million to cover their projected cost of pending lawsuits. Some analysts (possibly with a "sky is falling" axe to grind) projected TJX losses could be in the billions. Many on both sides of the PCI compliance fence watched to see if the payment card industry would make an example of TJX or look the other way. The net effect to TJX has been minimal.

Given the circumstances though, I would say that the results TJX seems to be getting are pretty much a best-case scenario. Shoppers are still shopping. Stockholders are still holding stock. Penalties and litigation will apparently cost only $118 million, a mere 1% of the high-end projections. All in all, there is very little impact to TJX (at least thus far) as a result of their carelessness and non-compliance with the PCI Data Security Standard. For more details, you can read this article from The Register.


©2009 About.com, a part of The New York Times Company.
