InsideCounsel » January 2008

Litigation

Credit Card Cos. Target Retailers’ Security Holes

The big banks are the last ones you’d expect at the courthouse window shouting, “I just won’t take it anymore.”

But that’s exactly what happened after hackers in July 2005 broke into the computer systems of TJX Cos., the Massachusetts-based operator of TJ Maxx, Marshalls and other retail chains. During the next 17 months the hackers accessed data on at least 45.7 million customer credit and debit cards—and perhaps as many as 100 million—many of which were issued by the financial institutions that back the ubiquitous Visa and MasterCard brands.

For years, retailers have been able to dodge the privacy bullet by relying on issuing banks to reimburse their customers for fraud-induced credit and debit card losses. Still, it’s hard to dodge bullets when about 45.7 million of them are ricocheting in your direction. This time the banks decided they’d had enough. They sued TJX, alleging the retailer’s security practices were deficient.

“This litigation indicates that the major banks and credit card companies have drawn a line in the sand that says they won’t take the loss when alleged deficiencies in retailers’ security cause or contribute to fraud this massive,” says Steve Schneider, a partner at Mitchell Silberberg & Knupp.

In re TJX Companies Retail Security Breach Litigation wasn’t the first case in which credit card issuers sued retailers. But on Oct. 12, 2007, it became the first case on the federal level to survive a motion to dismiss. By early December, TJX had ponied up $40.9 million to settle with banks whose transactions went through Visa’s proprietary network. But claims processed on MasterCard, American Express and Discover networks remained unresolved.


Negligent Misrepresentation

When a customer presented his or her card, TJX electronically sent the customer account information to its own bank, Fifth Third, which then used credit card networks operated by Visa and MasterCard to transmit the information for authorization to the card-issuing bank. Visa and MasterCard require retailers to secure cardholder information, and Fifth Third had contracts with Visa and MasterCard that required the bank to comply. In turn, Fifth Third had a contract with TJX requiring the retailer to comply.

Between July 2005 and December 2006, computer hackers captured card data from transactions passing through TJX computers using a data-capturing program known as a “sniffer” and used the stolen information to make fraudulent purchases. The issuing banks say as many as 100 million cards were affected. TJX puts the number at 47.5 million.

Millions of affected consumers banded together in a class action against TJX and Fifth Third. The case has settled “in principle,” but details of the settlement were unknown at press time.

The settlement didn’t pacify the issuing banks, however, which had suffered financially as a result of the fraudulent transactions and the need to replace the compromised cards. They filed their own suit, alleging TJX and Fifth Third failed to take appropriate steps to safeguard cardholder information. The plaintiffs’ filings indicated that losses from Visa cards alone approached $83 million.

The defendants moved to dismiss, and Judge William Young of the U.S. District Court for the District of Massachusetts followed precedent in dismissing the claims based on breach of contract. He ruled that the contractual agreements ensuring the safety of customer data were between the retailers and the credit card associations, to which the issuing banks were not parties.
