By Evan Schuman
Ziff Davis Internet
April 25, 2007
In another in a lengthy line of lawsuits against The TJX Companies
involving the massive data breach that the company announced in January,
the Massachusetts Bankers Association said on April 24 that it will sue
the retail chain, accusing it of "negligent misrepresentation." The MBA
claims that TJX's assertion that it had been "safeguarding and disposing
of cardholder data" was false at the time it was made.
MBA CEO Daniel Forte said his association hopes to make this a much
broader issue than one retailer and one very large data breach.
"If we're successful against TJX, the nation's major retailers will
finally wake up to the fact that not protecting consumer data is an
unfair trade practice and that investment in data management systems to
protect consumers and shield consumers against fraud and identity theft
is required," Forte said in a statement.
The Massachusetts banking group is being joined in the lawsuit by the
Connecticut Bankers Association and the Maine Association of Community
Banks. Those associations, according to the MBA, represent nearly 300
banks. A handful of individual banks have also joined as co-plaintiffs.
The MBA also said that an unspecified number of California banks may
It's typical for plaintiffs in a class-action lawsuit to be reluctant to
discuss how much money they're seeking because it will be greatly
influenced by what is learned during the legal discovery process. But
Forte did set a floor of what his association is seeking: "Suffice to
say," Forte said, "we will be seeking to recover damages in the tens of
millions of dollars."
This lawsuit is different than most of the consumer class-action
lawsuits against TJX because the damages incurred by the member banks is
more concrete, if not as dramatic. For consumers, credit card
zero-liability agreements are generally minimizing or eliminating
financial losses, leaving the more nebulous time and aggravation costs
of dealing with possible identify theft.
With the banks, though, the financial losses are able to be better
documented. "Banks all across the nation re-issued debit cards as a
result of the TJX data breach. Preliminary estimates of the costs vary
from institution to institution, up to $25 dollars per card," MBA
officials said in a statement. "This alone would run into many millions
of dollars for banks throughout the country. Moreover, when fraud
occurs, banks generally cover the entire fraud, replacing money in
customer accounts to protect their customers."
Lindsey Pinkham, senior vice president of the Connecticut Bankers
Association, pointed out that this retail data breach is going in a very
unacceptable direction. "Retail data breaches are getting larger and
more frequent, and we cannot continue to absorb the costs," Pinkham
Forte also argued that Massachusetts laws will be friendlier to a data
breach claim than some other jurisdictions where these lawsuits have
"There are significant differences between this case and prior data
breach lawsuits such as the BJ Wholesale Club cases in Pennsylvania," he
said in the statement. "We think we have an advantage trying the case
here in Massachusetts. When the BJ's cases were argued in Pennsylvania,
the plaintiffs did not include an unfair trade practices statutory
claim, and Massachusetts law allows these claims.
"In fact, an unfair trade practice claim was asserted by the FTC, which
imposed substantial conditions and requirements on their operations. In
addition, we will seek to prove that TJX is responsible for negligent
misrepresentation. Among other things, the company represented that it
was safeguarding and disposing of cardholder data. These representations
were not true and showed a lack of reasonable care and were both unfair
trade practices and negligent misrepresentation under Massachusetts law.
In one of the ongoing BJ's cases, unlike in Pennsylvania, a motion to
dismiss brought by BJ's was denied in Massachusetts and the case is
still proceeding here."
Subscribe to InfoSec News