New Tactic Applied in Breach Suit Vs. TJX

Bankers largely have failed in their efforts to recover the costs associated with a 2004 data breach at BJ's Wholesale Club Inc., because they tried to prove breach of contract, even though they did not have a contract with the Natick, Mass., retailer.

But in a lawsuit filed last month against TJX Cos. Inc. for a breach it disclosed this year, three New England banking trade groups and several banks are suing for unfair trade practices - a claim that lawyers and industry officials say they believe could stick.

Under the claim, plaintiffs do not need to have a contract with the Framingham, Mass., retailer to prove they were damaged by its negligence, officials say. Moreover, the suit was filed in Massachusetts, which allows businesses to sue for unfair trade practices; most states let only consumers use that claim.

Suing for unfair trade practices "really does provide an avenue for businesses and consumers to vindicate their rights, that they might not be able to do using traditional contract and tort claims," said Ethan Preston, a consumer lawyer at Kamber & Associates LLC in New York. "It's good that businesses are starting to care about consumer protection. Everybody has to live with the results."

TJX, the parent company of the discount retailers T.J. Maxx, Marshalls, HomeGoods, and A.J. Wright, disclosed in January that hackers had downloaded at least 45.7 million credit and debit card numbers it had stored on its computers since 2003. The breach is the largest in U.S. history. Some published reports, citing sources close to TJX, say as many as 200 million numbers could have been stolen.

Banks and credit unions collectively have spent millions reissuing cards and covering fraud losses from the use of card information stolen in the breach.

In response, the Massachusetts Bankers Association filed a suit on behalf of its members last month against TJX in the U.S. District Court for Massachusetts. The plaintiffs include the Connecticut Bankers Association, the Maine Bankers Association, Saugusbank in Massachusetts, Eagle Bank in Everett, Mass., and Collinsville Savings Society in Connecticut.

A spokesman for the Massachusetts group said the suit was filed in federal court because judges likely will want to consolidate all suits that are filed against TJX in response to the breach.

Charles R. Bauer, the chief technology officer at Middlesex Savings Bank in Natick, said Visa International informed the $3.3 billion-asset thrift that information from about 18,000 of its Visa debit cards had been stolen in the TJX breach.

Middlesex Savings spent more than $100,000 reissuing about 8,900 cards that were still active, Mr. Bauer said. On top of that, it has anted up about $13,000 to cover losses from fraud committed by the thieves using the stolen cards in places as far away as Italy, Australia, and Japan.

TJX, not Middlesex Savings, should bear these costs, he said.

"I think if retailers are going to participate in the processing of debit card transactions, then they should be held accountable if they do not adhere to the Payment Card Industry data security standards," Mr. Bauer said.

Merchants doing business with Visa or MasterCard Inc. are required to follow certain security standards, including installing firewalls, encrypting data, and purging cardholder data as soon as practical after processing transactions.

In the TJX breach, an auditor found that the retailer had not installed firewalls or encrypted data on many of the computers that were hacked, according to a report last week in The Wall Street Journal. Moreover, TJX had used an outdated wireless network to share data among hand-held price-checking devices, cash registers, and computers, the auditor said.

The thieves hacked into TJX's central database by pointing an antenna toward one of its stores in Minnesota to capture data streaming from the wireless network, according to the Journal. The thieves then used a laptop computer to decode the data - a relatively easy feat, because the network was outdated, the report said.

TJX also disclosed in January that the thieves had obtained a number of driver's license, military, and state identification numbers, along with customer names, addresses, and, in some cases, Social Security numbers.

Calls to TJX officials were not returned, and the retailer has not filed a response to the suit. When it disclosed the breach in January, it said it had since strengthened the security of its computer systems, but it did not say how.

Daniel J. Forte, the Massachusetts trade group's president, said in an interview last week that TJX did not "live up to its responsibility" to keep consumer data safe.

"Because of its carelessness, banks are continuing to pay for fraud losses and the reissuance of cards" as TJX uncovers more account numbers that could have been stolen, he said.

The plaintiffs are seeking to recover "tens of millions of dollars," Mr. Forte said, though the total amount of damages will not be named until the full extent of the bank losses is discovered.

The trade groups and the banks are hoping they fare better than the institutions that sued BJ's for the costs associated with its breach, he said. Hundreds of thousands of credit and debit card numbers were stolen in the BJ's breach, and the affected banks and credit unions have paid millions of dollars to reissue cards.

However, companies that filed lawsuits in Pennsylvania against BJ's, including the $82 billion-asset Sovereign Bancorp Inc. in Philadelphia; Banknorth (now TD Banknorth Inc., a $40 billion-asset Portland, Maine, unit of Toronto-Dominion Bank); and the $2.7 billion-asset Pennsylvania State Employees Credit Union in Harrisburg, all lost their cases.

In those cases, the judges concluded, among other things, that the institutions could not recover losses because they were not party to the contracts BJ's had with Visa and MasterCard. Some of the institutions are appealing the initial rulings.

Mr. Forte said the suit against TJX was filed in Massachusetts in large part because it is one of the few states that lets businesses sue for trade practices.

The trade groups and the banks contend that TJX misrepresented that it would comply with Visa and MasterCard standards to safeguard customer data, in order to induce banks to issue debit and credit cards that customers could use at TJX's stores. Since the retailer did not comply with the standards and failed to safeguard data, its actions were both deceptive and unfair and caused harm to both customers and issuing banks, the suit claims.

(In the BJ's incident, the Federal Trade Commission said the retailer engaged in unfair trade practices by failing to safeguard its systems - a violation of federal law. In 2005, BJ's agreed to upgrade its systems and submit to outside audits of its data security every other year for 20 years. One lawsuit against BJ's, filed in 2005 by CUNA Mutual Group in the U.S. District Court for Massachusetts, is still pending. CUNA Mutual also is suing for unfair trade practices, among other things.)

Mr. Preston, the consumer lawyer, said he believes the institutions have a fighting chance against the retailers using the unfair-trade claim.

Massachusetts law does not require actual proof of damages, nor do plaintiffs have to prove the defendants intended to deceive the harmed parties, he said.

"This last one is a huge deal. It could get really disastrous for TJX," Mr. Preston said.

The suit filed by the New England banks and trade groups is one of 21 filed against TJX in response to the breach; consumers filed most of the others.

The Massachusetts Credit Union League has announced that it expects to sign on to the New England bankers' suit.

Mr. Forte said that if the banks and trade groups prevail, more retailers could start taking the Payment Card Industry standards more seriously.

Visa has said that only about 36% of major retailers nationwide adhere to the standards. Retailers were supposed to be compliant by September of last year or face fines by Visa and MasterCard.

"What we're really trying to do here is stop future breaches," Mr. Forte said. "We've reached an apex, and if not now, then when?"
