News item: Retailer TJX Cos. agrees to reimburse banks $40.9 million to cover costs incurred in the mother of all financial data breaches, which compromised as many as 100 million debit and credit cards.
Sound like a lot of money? I doubt TJX thinks so.
It's been nearly a year since an unprecedented security breach at the Framingham company, which operates TJ Maxx and Marshalls, was first disclosed. Soon, it became clear just how massive the intrusion had been, not just another case. Eventually, what is believed to be the simplicity of the actual theft - accessing wireless local area networks at two stores in Miami - became part of the story.
TJX seemed to be at serious risk of become a retailing piñata, to be beaten with a stick for the kind of security lapse that had become all too common across the nation. Many interests wanted to lean on the retail industry to improve data security, and this looked like an ideal example to make a stink over.
But that hasn't really happened. TJX itself has come out of the mess, to date, very well. The retail industry is making some progress on financial security, but about one out of every three big players still failed a Sept. 30 deadline set by Visa Inc. to meet new standards covering credit card safety. (TJX itself only recently said it met those standards.)
The people who could have really hurt TJX did not. Most importantly, consumers seemed to shrug it off, or at least not blame the company.
TJX sales have continued to climb higher this year. Profits from the business are OK. If customers aren't fazed, neither is Wall Street. TJX shares have roughly broken even this year, better than many other retail stocks.
The other big force that could have hurt TJX is the banking industry. Financial institutions have wrung concessions out of TJX and gone to court. But they haven't done nearly as much damage as they could have, for a very good reason.
All banks want better security for financial data. As an industry, they lean on retailers to spend more to make information safer, and the retailers lean back. Much of the argument revolves around who pays the bill.
But all banks aren't the same. Many institutions, especially smaller banks, count the consumer as their customer and end up spending a lot of money to fix problems created by security breaches far removed from their own business. They're mad.
Big banks count the retailers themselves as major customers, making millions in fees processing credit card purchases. Sure, they want better security, but don't expect them to flog important customers in public.
Consider two strikingly different legal strategies: In one, the Massachusetts Bankers Association filed a lawsuit against TJX and pursued the case tenaciously. Legislation about who pays in a security breach is still very much in the picture. This is how the smaller banks are trying to fight back.
Then there was the $40.9 million agreement made public at the end of last week. There never was a court case, so don't even think about calling it a settlement. It was reached privately by TJX, the company's processing bank, and Visa. There was no messy publicity, no embarrassing disclosures. How did they agree on $40.9 million? Who really knows? It's the holidays, let's go shopping!
TJX isn't out of the woods yet. It has other legal problems and more checks to write. But the company is weathering the storm remarkably well.
Other big retailers are doing a better job of protecting your private financial information. They just aren't setting any speed records doing it.
Steven Syre is a Globe columnist. He can be reached at syre@globe.com.
