TJX Subjects Millions of Customers to Possible Identity Theft

TJX Cos. Owners of the stores T.J. Maxx and Marshalls, yesterday said computer hackers may have accessed its consumer data in 2005, a year earlier than previously thought, potentially exposing millions more customers of stores such as to identity theft.^[1] A month ago they also reported that credit and debit-card information dating back to 2003, along with some driver's license data, may have been also been compromised. Customers have reported fraudulent use, and the company faces a shark-tank of lawyers representing the individuals and banks that issued the cards.^[2]

The company declined to say how many more customers could be affected, and they do not know if the people responsible for the 2005 breach are the same hackers who broke into the system in 2006.^[3] Yesterday, TJX also said some customer transaction data at stores in the United States, Puerto Rico, and Canada from January 2003 through June 2004 were compromised, beyond its past reports of problems; they also found “evidence of an intrusion" to systems that process transactions for its British and Irish TJ Maxx stores.^[4]

Assuming these crimes were committed in the U.S. the individuals responsible will most likely be charged under 18 U.S.C. § 1029(a)(5), which makes it a crime for a person to knowingly and with intent to defraud, effect a transaction with a credit or debit-card that has been issued to someone else, to receive anything of value worth more than, in the aggregate, US$1,000.^[5] Punishment for a violation of this section is a fine, imprisonment for up to 15 years, or both.

However if the perpetrators are outside of the U.S. jurisdiction must be found before the U.S. can prosecute them. The extraterritorial jurisdictional statement for this offense is in two parts. It states that any person outside the United States, who commits an act in violation of section 1029(a), will be subject to the fines, penalties, imprisonment, or forfeiture proscribed in the statute provided; the offense involves an debit- or credit-card issued or controlled by a financial institution, or other such entity within the jurisdiction of the United States;^[6] and the person transports, delivers, conveys, transfers to or through, or otherwise stores, secrets, or holds within the jurisdiction of the United States, any article used to assist in the commission of the offense or the proceeds of such offense or property derived therefrom.^[7]

The other possible charge could be found under 18 U.S.C. §1030(a)(2) which makes it a crime to intentionally accesses a computer without authorization or to exceed authorized access, in order to obtain;
information contained in a financial record of a financial institution, or of a card issuer,^[8] or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act.^[9]
information from any department or agency of the United States; or
information from any protected computer if the conduct involved an interstate or foreign communication.

The punishment for a violation of this section is a fine or imprisonment for not more than 5 years, or both, if the offense was committed for purposes of commercial advantage or private financial gain;^[10] if the offense was committed in furtherance of any criminal or tortious act in violation of the Constitution or laws of the United States or of any State;^[11] or if the value of the information obtained exceeds $5,000.^[12]

---

^[1] Ross Kerber, TJX says theft of data may go back to 2005, Boston Globe, February 22, 2007
^[2] Id.
^[3] Id
^[4] Id.
^[5] 18 U.S.C. § 1029(c)(A)(ii)
^[6] Id. at § (h)(1)
^[7] Id. at § (h)(2)
^[8] This is defined in 15 U.S.C. §1602 (n).
^[9] 15 U.S.C. §1681 et seq.
^[10] 18 U.S.C. §1030 (c)(2)(b)(i)
^[11] Id at § (c)(2)(b)(ii)
^[12] Id at § (c)(2)(b)(iii)