TJ Maxx sued over the never-ending data breach
It might seem like I’m harping on the TJX/TJ Maxx data breach and its repercussions. But I think the incident is rapidly becoming the golden case study on the ripple effects of a single data breach.
Having gone through the now predictable process – discover the breach, remain quiet while you figure out what to do about it, announce the impact of the breach with a little information at a time, spin the incident in the most positive way possible, etc. – TJX is now facing what was expected to be the next logical step in any serious data breach: the lawsuits.
On Monday one of TJX’s largest shareholders announced that it was suing the company in an effort to force TJX to provide more information about the data breach and the real extent of the losses. So far, TJX has refused to admit exactly how many customers were affected by the breach.
And in the spirit of death by a thousand self-inflicted cuts, police investigating the use of data stolen in the breach claim that they notified TJX in November 2006, while TJX has always claimed that they only found out in December and notified the public in mid-January.
It’s becoming clear that how you handle an incident may be more important than the incident itself, and that the customers and victims are always the last to know. A series of class-action lawsuits representing the interests of customers might be on the horizon, along with a warning to other companies to focus on what really matters.


