boston.com Business your connection to The Boston Globe

Filling in gaps on the data breach

Here are some answers to questions about what happens next for consumers, company

A week ago, TJX Cos., the Framingham retailer that runs T.J. Maxx, Marshalls, and other stores, disclosed a security breach that exposed millions of customer credit and debit card numbers. Since then, there have been more questions than answers about the incident, which could rank as the biggest loss of personal data. Here are some answers to lingering issues:

Q. Why do retailers keep credit card numbers on file?

A. Most merchants have technology to capture transactional information, including credit and debit card numbers, and driver's license numbers for checks. They're required to keep that as part of their business records and proof of purchase, according to Karl Bjornson, a retail specialist with consultancy Kurt Salmon Associates.

Stores need to be able to tie the customer to the credit card payment system so they can collect the money, Bjornson said, and have the data if customers or banks challenge a charge.

Q. Should consumers store their credit or debit card numbers electronically with online retailers such as Amazon?

A. "I would never do that," Bjornson said. "I don't trust anyone with my credit card numbers."

Q. Will TJX notify credit and debit customers whose numbers have been stolen in this breach?

A. TJX says names and addresses of customers are not processed or stored with debit and credit card numbers when sales are made. The company is providing the credit card companies, banks, and processing entities with information, including the credit and debit card numbers identified as having been stolen, so they can follow up with their customers.

TJX plans to directly contact customers whose names and driver's license numbers were taken from the company's computer network.

Q. If there are fraudulent charges, consumers are only liable for up to $50 under Massachusetts laws. Who is responsible for the rest?

A. Visa and MasterCard have zero liability policies so customers often don't pay anything for the fraud charges, according to Bruce Spitzer of the Massachusetts Bankers Association. Banks typically absorb the costs to reissue cards and settle fraud charges.

Q. What are banks and credit card companies doing to deal with the security breach?

A. Financial institutions, including Bank of America and Sovereign Bank, say they are trying to determine the scope of the problem and investigate reports of suspected fraudulent use.

It is a manual process to go through the claims, and it takes time to determine the source, Spitzer said.

At least 50 of the association's 205 member banks have been contacted about potentially compromised cards and the number is likely to rise, Spitzer said. Mutual Bank of Whitman already deactivated 1,000 debit cards.

Q. Will banks end up suing TJX to recover fraud charges?

A. "It's too soon to tell," Spitzer said.

Q. Did TJX violate any regulations by waiting a month to disclose the security breach?

A. Unless it could be shown that TJX knew disclosing the information would be material to the market for its stock or financial results, the company probably did not violate financial regulations, said Neil Aronson, a partner with Boston law firm Mintz, Levin, Cohn, Ferris, Glovsky, and Popeo.

But in this post-Enron-WorldCom-stock-option-backdating world, Aronson said the Securities and Exchange Commission has been acting very aggressively and leaning on companies to make disclosures even though they're not required. "When in doubt, disclose" has been the motto, Aronson said.

A TJX spokeswoman, Sherry Lang, said the company's decision was based on business concerns and a request from law enforcement investigating who had hacked into TJX's systems. "We moved quickly and acted promptly," said Lang. "We felt by holding off from mid-December, we were protecting our customers, and it was the wise and well-advised thing to do."

Q. Will this affect TJX earnings?

A. Patrick McKeever, an analyst with Avondale Partners, a Nashville investment banking firm, said there will likely be an effect in the fourth quarter, primarily on the expense line because TJX has had to bring in consultants -- IBM Corp. and General Dynamics Corp. -- to help the company install safeguards.

There probably will be a charge against earnings to set up a liability reserve. Other retailers, such as DSW Inc., that have had data breaches have seen it cost as much as $10 million. "My sense is that TJX could be bigger than what we've seen before," McKeever said.

Lang, the TJX spokeswoman, said: "We are not putting a cost number around this issue at this time."

But there's also potential for customer loss. "It's a high profile case with a high profile company," McKeever said. "They have a pretty savvy customer who is aware of what's going on."

Q. Are lawmakers doing anything to try to protect consumers?

A. Massachusetts lawmakers plan to reintroduce legislation that would require companies to securely maintain sensitive consumer data and to notify consumers within five business days if a breach occurs.

Q. TJX is not saying much after the incident. Is this unusual? How have others handled similar data losses?

A. Every company is going to handle it differently and the response can be driven by the size and complexity of the problem. Also, while investigating, law enforcement may ask companies to limit their comments, said Bjornson of Kurt Salmon Associates.

But when DSW had a similar problem several years ago, Bjornson said, the discount shoe merchant was pretty quick to get the word out, notify customers, and provide an update on the size of the breach. "There's a real issue from a credibility standpoint -- as soon as retailers are aware, they have an obligation to report it," he said.

Lang said there's a reason the company hasn't provided more detail on the effect on customers. "We have not put numbers around this yet. If we are able to, we will, but our review is continuing, and we don't want to put numbers out there and then continually revise," she said.

Jenn Abelson can be reached at abelson@globe.com.
