Court Zeros In on

By Evan Schuman  |  Posted 2007-10-17 Print this article Print

What TJX Didnt Say"> TJX knew how "antiquated and deficient" its security efforts were and yet never told MasterCard or Visa, resulting in negligent misrepresentations. Thats how U.S. District Judge William Young summed up what the banks must prove to win at trial in his courtroom.

In an hour-long federal court hearing Oct. 16 in Boston, Young peppered attorneys from TJX, TJX processor Fifth Third Bank and banks suing TJX, providing a good sense of where a TJX bank trial might go.
TJX has reached a settlement with a class-action consumer lawsuit, and Young is preparing to approve that settlement. That case went relatively easy on TJX because there were minimal—and often no—monetary damages suffered by consumers, thanks to zero-liability credit card programs.
But the banks are the ones that had to reissue credit cards and handle fraud losses, so TJX is in for a more fierce fight in that arena. The court hearing involved whether Young would certify many of the banks to sue together as a class—making this another class-action lawsuit—or have them proceed individually. Unlike the consumer case, the banks involved could indeed sue on their own, so the question of class certification isnt likely to kill the case, regardless of how the judge ultimately rules. Evan Schuman claims TJX is a genius at playing dumb. Read why. The core accusation against TJX is that it was not truthful with the banks—and with Visa and MasterCard specifically—as to the state of its data security operations for its credit cards. In what is widely considered the worst-ever data breach reported, the Framingham, Mass., retail chain in January disclosed that the credit card data of some 46 million consumers fell into unauthorized hands in a series of penetrations from July 2005 to December 2006. TJX filings have raised questions about its encryption practices, its wireless security choices, and whether intruders successfully planted Trojan horses into the system and whether they had the companys encryption key. In summarizing the plaintiffs claim, Young said the fraud accusations seem to come down to what TJX did not say, rather than what it did. "Youre going to have to prove that TJX made negligent misrepresentations. That it was under a duty to speak and didnt speak and knew what its problems were and didnt say to MasterCard and Visa that they werent encrypting and the like," Young said. "Thats why MasterCard and Visa acted to allow TJX to get into the electronic, plastic monetary exchange upon which the economic health of the nation now rests. "It would seem that the nature of the negligent representations by omission, if thats really the plaintiffs theory here, is a failure to be forthcoming to MasterCard and Visa about the antiquated and deficient operation within TJX." TJX attorney Richard Batchelder argued that the complicated nature of the relationships between banks and the credit card companies and the processors and TJX—coupled with the long duration of these data breaches—makes a class certification inappropriate. "You described it as an implied security assurance. That means when some customer goes into a store and their card is swiped, that theres some implied security assurance that in some way, through this complex web, [the assurance] gets back to these member banks and they somehow relied upon that," Batchelder said. "When you look at that as their basis for the negligent misrepresentation case, you can see how class certification isnt appropriate. Think about it. Theyre talking about transactions in 2003, 04, 05, 06, 07. Theyre talking about operating regulations that werent even in existence in 03 and 04 that then came into effect in 05 and then changed in 06. Theyre talking about a security system that in 03, 04, 05, 06, 07 is developing and evolving, as every merchants security systems was. So what exactly is the representation being made every single time? How are we possibly going to try that on a class basis? It would be impossible." Page 2: Court Zeros In on What TJX Didnt Say

Evan Schuman is the editor of's Retail industry center. He has covered retail technology issues since 1988 for Ziff-Davis, CMP Media, IDG, Penton, Lebhar-Friedman, VNU, BusinessWeek, Business 2.0 and United Press International, among others. He can be reached by e-mail at

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel