The big banks are the last ones you'd expect at the courthouse window shouting, "I just won't take it anymore."
But that's exactly what happened after hackers in July 2005 broke into the computer systems of TJX Cos., the Massachusetts-based operator of TJ Maxx, Marshalls and other retail chains. During the next 17 months the hackers accessed data on at least 45.7 million customer credit and debit cards--and perhaps as many as 100 million--many of which were issued by the financial institutions that back the ubiquitous Visa and MasterCard brands.
For years, retailers have been able to dodge the privacy bullet by relying on issuing banks to make up losses to their customers from fraud-induced credit and debit card losses. Still, it's hard to dodge bullets when about 45.7 million of them are ricocheting in your direction. This time the banks decided they'd had enough. They sued TJX, alleging the retailer's security practices were deficient.
"This litigation indicates that the major banks and credit card companies have drawn a line in the sand that says they won't take the loss when alleged deficiencies in retailers' security causes or contributes to fraud this massive," says Steve Schneider, a partner at Mitchell Silberberg & Knupp.
In re TJX Companies Retail Security Breach Litigation wasn't the first case in which credit card issuers sued retailers. But on Oct. 12, 2007, it became the first case on the federal level to survive a motion to dismiss. By early December, TJX had ponied up $40.9 million to settle with banks whose transactions went through Visa's proprietary network. But claims processed on MasterCard, American Express and Discover networks remained unresolved.
"The magnitude of the claim suggests the likelihood of a settlement, even though in my opinion the negligent misrepresentation claims are not the strongest ones I could imagine," Schneider says.
What the issuing banks do have going for them is that for a number of years they have been encouraging retailers to upgrade their security systems.
Lawyers for TJX, however, argue that the operating regulations are confusing and only came into effect in 2005 before changing in 2006. But whether or not the case settles, the privacy environment will never be the same.
"TJX tells me that banks are now going to assume a regulatory position over enforcement of retailers' privacy policies," says Michael Mallow, a partner with Loeb & Loeb. "The banks are well-funded enough to do that and they have enormous amounts at stake."
Still, overseeing retailers' privacy practices is a difficult undertaking, if only because data collection and privacy laws vary from state to state. So for many retailers, less may be more from a data collection perspective.
"I advise clients not to keep credit card data under their control unless it is absolutely necessary to do so," Mallow says. "And that's the direction in which credit card companies are moving too."
There's little doubt that TJX will hasten the process.