[ISN] Bank Group Sues TJX over Data Breach

From: InfoSec News (alerts@private)
Date: Thu Apr 26 2007 - 01:24:58 PDT


http://www.eweek.com/article2/0,1895,2122057,00.asp

By Evan Schuman
Ziff Davis Internet
April 25, 2007

In another in a lengthy line of lawsuits against The TJX Companies 
involving the massive data breach that the company announced in January, 
the Massachusetts Bankers Association said on April 24 that it will sue 
the retail chain, accusing it of "negligent misrepresentation." The MBA 
claims that TJX's assertion that it had been "safeguarding and disposing 
of cardholder data" was false at the time it was made.

MBA CEO Daniel Forte said his association hopes to make this a much 
broader issue than one retailer and one very large data breach.

"If we're successful against TJX, the nation's major retailers will 
finally wake up to the fact that not protecting consumer data is an 
unfair trade practice and that investment in data management systems to 
protect consumers and shield consumers against fraud and identity theft 
is required," Forte said in a statement.

The Massachusetts banking group is being joined in the lawsuit by the 
Connecticut Bankers Association and the Maine Association of Community 
Banks. Those associations, according to the MBA, represent nearly 300 
banks. A handful of individual banks have also joined as co-plaintiffs. 
The MBA also said that an unspecified number of California banks may 
also join.

It's typical for plaintiffs in a class-action lawsuit to be reluctant to 
discuss how much money they're seeking because it will be greatly 
influenced by what is learned during the legal discovery process. But 
Forte did set a floor of what his association is seeking: "Suffice to 
say," Forte said, "we will be seeking to recover damages in the tens of 
millions of dollars." 

This lawsuit is different than most of the consumer class-action 
lawsuits against TJX because the damages incurred by the member banks is 
more concrete, if not as dramatic. For consumers, credit card 
zero-liability agreements are generally minimizing or eliminating 
financial losses, leaving the more nebulous time and aggravation costs 
of dealing with possible identify theft.

With the banks, though, the financial losses are able to be better 
documented. "Banks all across the nation re-issued debit cards as a 
result of the TJX data breach. Preliminary estimates of the costs vary 
from institution to institution, up to $25 dollars per card," MBA 
officials said in a statement. "This alone would run into many millions 
of dollars for banks throughout the country. Moreover, when fraud 
occurs, banks generally cover the entire fraud, replacing money in 
customer accounts to protect their customers."

Lindsey Pinkham, senior vice president of the Connecticut Bankers 
Association, pointed out that this retail data breach is going in a very 
unacceptable direction. "Retail data breaches are getting larger and 
more frequent, and we cannot continue to absorb the costs," Pinkham 
said. 

Forte also argued that Massachusetts laws will be friendlier to a data 
breach claim than some other jurisdictions where these lawsuits have 
been filed.

"There are significant differences between this case and prior data 
breach lawsuits such as the BJ Wholesale Club cases in Pennsylvania," he 
said in the statement. "We think we have an advantage trying the case 
here in Massachusetts. When the BJ's cases were argued in Pennsylvania, 
the plaintiffs did not include an unfair trade practices statutory 
claim, and Massachusetts law allows these claims.

"In fact, an unfair trade practice claim was asserted by the FTC, which 
imposed substantial conditions and requirements on their operations. In 
addition, we will seek to prove that TJX is responsible for negligent 
misrepresentation. Among other things, the company represented that it 
was safeguarding and disposing of cardholder data. These representations 
were not true and showed a lack of reasonable care and were both unfair 
trade practices and negligent misrepresentation under Massachusetts law. 
In one of the ongoing BJ's cases, unlike in Pennsylvania, a motion to 
dismiss brought by BJ's was denied in Massachusetts and the case is 
still proceeding here." 


__________________________
Subscribe to InfoSec News
http://www.infosecnews.org



This archive was generated by hypermail 2.1.3 : Thu Apr 26 2007 - 01:40:24 PDT