Computerworld reported that HarborOne Credit Union sent TJX an invoice for the $590k it says it incurred in actual costs and damage to its reputation as a result of the retailer’s data security issues that came to light a few months ago.
I imagine that some within the CU community are saying “Yeah! Go get ’em!” My response would be a bit more muted.
Let’s not lose focus of who the real victims are here: the CARDHOLDERS, not the CU’s “brand image.” If a CU wants to try to hit up the firm with the deep pockets for damage to its reputation, fine. But who are the cardholders going to turn to recoup their “damages”? The firm that issued the card.
There’s no question that TJX should reimburse HarborOne for the actual costs incurred as a result of the data breach. But if HarborOne succeeds in recouping funds related to “reputational damage”, why shouldn’t members of CUs like JAXFCU and PriorityOne CU turn around and sue as well?
Why shouldn’t CU members at those firms ask for compensation related to the additional time and effort they must now invest to monitor and manage their credit scores and personal data (above and beyond an Equifax subscription). Not to mention the “mental anguish” they’re suffering worrying whether or not their personal data has fallen into the wrong hands.
Definitely not an easy situation to remedy. Here’s another thing I don’t get: Who made the invoice public? It doesn’t seem to be in either party’s interest for it to be made public.