The big banks are the last ones you'd expect at the courthouse window shouting, "I just won't take it anymore."
But that's exactly what happened after hackers in July 2005 broke into the computer systems of TJX Cos., the Massachusetts-based operator of TJ Maxx, Marshalls and other retail chains. During the next 17 months the hackers accessed data on at least 45.7 million customer credit and debit cards--and perhaps as many as 100 million--many of which were issued by the financial institutions that back the ubiquitous Visa and MasterCard brands.
For years, retailers have been able to dodge the privacy bullet by relying on issuing banks to make up losses to their customers from fraud-induced credit and debit card losses. Still, it's hard to dodge bullets when about 45.7 million of them are ricocheting in your direction. This time the banks decided they'd had enough. They sued TJX, alleging the retailer's security practices were deficient.
"This litigation indicates that the major banks and credit card companies have drawn a line in the sand that says they won't take the loss when alleged deficiencies in retailers' security causes or contributes to fraud this massive," says Steve Schneider, a partner at Mitchell Silberberg & Knupp.
In re TJX Companies Retail Security Breach Litigation wasn't the first case in which credit card issuers sued retailers. But on Oct. 12, 2007, it became the first case on the federal level to survive a motion to dismiss. By early December, TJX had ponied up $40.9 million to settle with banks whose transactions went through Visa's proprietary network. But claims processed on MasterCard, American Express and Discover networks remained unresolved.
When a customer presented his or her card, TJX electronically sent the customer account information to its own bank, Fifth Third, which then used credit card networks operated by Visa and MasterCard to transmit the information for authorization to the card-issuing bank. Visa and MasterCard require retailers to secure cardholder information, and Fifth Third had contracts with Visa and Mastercard that required the bank to comply. In turn Fifth Third had a contract with TJX requiring it to comply.
Between July 2005 and December 2006, computer hackers captured card data from transactions passing through TJX computers using a data-capturing program known as a "sniffer" and used the stolen information to make fraudulent purchases. The issuing banks say as many as 100 million cards were affected. TJX puts the number at 47.5 million.
Millions of affected consumers banded together in a class action against TJX and Fifth Third. The case has settled "in principle," but details of the settlement were unknown at press time.
The settlement didn't pacify the issuing banks, however, which had suffered financially as a result of the fraudulent transactions and the need to replace the compromised cards. They filed their own suit, alleging TJX and Fifth Third failed to take appropriate steps to safeguard cardholder information. The plaintiffs' filings indicated that losses from Visa cards alone approached $83 million.
The defendants moved to dismiss, and Judge William Young of the U.S. District Court for the District of Massachusetts followed precedent in dismissing the claims based on breach of contract. He ruled that the contractual agreements ensuring the safety of customer data were between the retailers and the credit card associations, to which the issuing banks were not parties.
But that wasn't the end of it. Young noted that although they had no "direct contact with the issuing banks, TJX and Fifth Third knew that the issuing banks were part of a financial network that relies on members taking appropriate security measures."
This knowledge exposed the defendants to the plaintiffs' claims for negligent misrepresentation. These claims allege that TJX and Fifth Third made implied representations to the issuing banks that they took the security measures required by industry practice to safeguard the personal and financial information of the customer cardholders.
"The question then is what reliance the issuing banks actually placed on the representation and whether that reliance is justified," Schneider says.
Young said these questions are matters for a jury to decide and ordered the claims for negligent misrepresentation to trial. Whether they actually get there, however, is open to question.
"The magnitude of the claim suggests the likelihood of a settlement, even though in my opinion the negligent misrepresentation claims are not the strongest ones I could imagine," Schneider says.
What the issuing banks do have going for them is that for a number of years they have been encouraging retailers to upgrade their security systems.
Lawyers for TJX, however, argue that the operating regulations are confusing and only came into effect in 2005 before changing in 2006. But whether or not the case settles, the privacy environment will never be the same.
"TJX tells me that banks are now going to assume a regulatory position over enforcement of retailers' privacy policies," says Michael Mallow, a partner with Loeb & Loeb. "The banks are well-funded enough to do that and they have enormous amounts at stake."
Still, overseeing retailers' privacy practices is a difficult undertaking, if only because data collection and privacy laws vary from state to state. So for many retailers, less may be more from a data collection perspective.
"I advise clients not to keep credit card data under their control unless it is absolutely necessary to do so," Mallow says. "And that's the direction in which credit card companies are moving too."
There's little doubt that TJX will hasten the process.