In another in a lengthy line of lawsuits against The TJX Companies involving the massive data breach that the company announced in January, the Massachusetts Bankers Association said on April 24 that it will sue the retail chain, accusing it of “negligent misrepresentation.” The MBA claims that TJXs assertion that it had been “safeguarding and disposing of cardholder data” was false at the time it was made.
MBA CEO Daniel Forte said his association hopes to make this a much broader issue than one retailer and one very large data breach.
“If were successful against TJX, the nations major retailers will finally wake up to the fact that not protecting consumer data is an unfair trade practice and that investment in data management systems to protect consumers and shield consumers against fraud and identity theft is required,” Forte said in a statement.
The Massachusetts banking group is being joined in the lawsuit by the Connecticut Bankers Association and the Maine Association of Community Banks. Those associations, according to the MBA, represent nearly 300 banks. A handful of individual banks have also joined as co-plaintiffs. The MBA also said that an unspecified number of California banks may also join.
Its typical for plaintiffs in a class-action lawsuit to be reluctant to discuss how much money theyre seeking because it will be greatly influenced by what is learned during the legal discovery process. But Forte did set a floor of what his association is seeking: “Suffice to say,” Forte said, “we will be seeking to recover damages in the tens of millions of dollars.”
This lawsuit is different than most of the consumer class-action lawsuits against TJX because the damages incurred by the member banks is more concrete, if not as dramatic. For consumers, credit card zero-liability agreements are generally minimizing or eliminating financial losses, leaving the more nebulous time and aggravation costs of dealing with possible identify theft.
With the banks, though, the financial losses are able to be better documented. “Banks all across the nation re-issued debit cards as a result of the TJX data breach. Preliminary estimates of the costs vary from institution to institution, up to $25 dollars per card,” MBA officials said in a statement. “This alone would run into many millions of dollars for banks throughout the country. Moreover, when fraud occurs, banks generally cover the entire fraud, replacing money in customer accounts to protect their customers.”
Lindsey Pinkham, senior vice president of the Connecticut Bankers Association, pointed out that this retail data breach is going in a very unacceptable direction. “Retail data breaches are getting larger and more frequent, and we cannot continue to absorb the costs,” Pinkham said.
Forte also argued that Massachusetts laws will be friendlier to a data breach claim than some other jurisdictions where these lawsuits have been filed.
“There are significant differences between this case and prior data breach lawsuits such as the BJ Wholesale Club cases in Pennsylvania,” he said in the statement. “We think we have an advantage trying the case here in Massachusetts. When the BJs cases were argued in Pennsylvania, the plaintiffs did not include an unfair trade practices statutory claim, and Massachusetts law allows these claims.
“In fact, an unfair trade practice claim was asserted by the FTC, which imposed substantial conditions and requirements on their operations. In addition, we will seek to prove that TJX is responsible for negligent misrepresentation. Among other things, the company represented that it was safeguarding and disposing of cardholder data. These representations were not true and showed a lack of reasonable care and were both unfair trade practices and negligent misrepresentation under Massachusetts law. In one of the ongoing BJs cases, unlike in Pennsylvania, a motion to dismiss brought by BJs was denied in Massachusetts and the case is still proceeding here.”
