The investigation?technically, a Civil Investigative Demand (CID) on the authority of both Rhode Island?s Deceptive Trade Practices Act and its Identity Theft Protection Act of 2005?will likely begin in earnest with its first meeting with TJX officials on Feb. 12 at the Attorney General's office in Providence, said Edmund Murray Jr., a special assistant attorney general who is in charge of the probe.
Both Murray and the department's public information officer, Michael Healey, said the next stages will be dictated by the facts uncovered during the probe. Typically, though, state AG offices usually seek compensation for state residents who are trying to defend themselves against identity theft, including credit report costs and possibly money to pay for help processing such claims.
But if conduct established in the probe is severe enough, more substantial options?including a civil lawsuit and possibly criminal charges?could be considered. One key concern, Murray said, is the month-long delay after the breach's discovery but before it was announced. Rhode Island law requires that impacted consumers shall be notified "immediately." Unfortunately, Murray said, the statute does not define "immediately." Although no announcements have been made, the national nature of TJX's chain makes it likely that other states may want to conduct their own probes.
The Rhode Island announcement was just the latest in a string of bad news for TJX since it announced in mid-January that it had exposed its customers' credit card, debit card and other personal information to unspecified intruders. TJX has been criticized for revealing virtually no specifics about what happened, when it happened and how it had gone undetected from May 2006 through mid-December 2006. There have also been at least two class-action lawsuits filed plus more lawsuit threats from banks and a congressional request for a probe by the Federal Trade Commission.
That kind of uncertainty played a large role in prompting financial analyst firm CL King & Associates to downgrade TJX to neutral from "strong buy."
?Based on our diminished EPS outlook for FY07, we believe an investment in TJX is likely to be dead money at this point,? said the firm?s research advisory.
Much of the firm?s concerns are about whatever the next shoes are to drop, especially involving the cost of dealing with the unknown. ?Regarding FY07 expenses related to the data breach, the company stated it is not yet able to reasonably estimate the losses it may incur. Management stated it is unlikely to be able to reasonably estimate such losses at the time earnings are released in FY07,? the advisory said. ?The ongoing expense issue includes legal costs, exposure to credit and debit card companies and banks, related fees and expenses, and other possible liabilities.?
Another piece of bad news came on Monday from a report in the Chosun Ilbo, a major Korean newspaper. It reported that the ?private data of around 10,000 Koreans who use credit cards associated with Visa, MasterCard and American Express was stolen? in the TJX incident. It also pegged the size of the full databreach as "40 million card users" and attributed it to "the credit card industry." Thus far, TJX has not specified a number of victims.