PITTSBURGH, Pa. -- The Pennsylvania Attorney General has decided that the data security breach at TJX is big enough that it has obviated a Pennsylvania law that required businesses with data breaches to notify cardholders that the card data had been compromised, according to a story in the Pittsburgh Post-Gazette.
The Attorney General's office did not release a statement about the breach.
The new law, which took effect in the middle of 2006, requires businesses to let consumers know by telephone, letter or e-mail if their data has been stolen, but the AG said that no statements are required if the breach involves more than 175,000 people or if the cost of notification would be more than $100,000. In those cases, businesses are to use their Web sites and the media to alert consumers.
Both criteria appear to have been met in the TJX case and the company appeared to have satisfied the law by posting a statement on its Web site and sending press releases to media outlets.