Ruling Helps TJX Reduce Liability in Data Breach Case

Updated: A decision could reduce TJX's costs to settle lawsuits resulting from a massive consumer data breach.

In a pair of crucial decisions, TJX has moved closer to completely clearing itself of the lawsuits from the world's worst credit card data breach.

Those two rulings came from the federal judge overseeing the case—who refused to approve making the case a class action—and from Visa, which said it would reduce its fining of The TJX Companies in exchange for certain payments from the retailer to banks.

On the afternoon of Nov. 29, U.S. District Court Judge William Young denied the request to grant the bank class action certification, ruling that many of the banks' situations were too different from each other. Some of the banks had the expense of reissuing the cards while others didn't, for example.

That decision is quite likely to stand, but there are two chances for it to change. The U.S. Court of Appeals could overrule Young, and attorneys for the banks have 10 days from Nov. 29 to file an appeal.

The judge himself added a footnote saying that his decision "will need to be reassessed" after he rules on arguments he'll hear on Dec. 11. Those arguments involve a Massachusetts Fair Trade statute, Chapter 93A.



Judge Young's decision not to support a class action certification was based on a wide range of factors. One key issue was whether these banks reissued their customers' cards because of the data breach or because of generic fraud risks.

Another key issue was whether TJX misled the banks about whether it was adequately protecting its data. The judge focused on whether banks believed what TJX said and whether they made important decisions based on those statements.

"The record before this Court raises significant questions about whether there was in fact class-wide reliance on TJX and Fifth Third's alleged misrepresentations. For instance, some banks appear to have considered only one factor—the need to keep up with the competition—when making their decisions about card issuance," Young wrote.

"Another bank suggested that, at least in some situations, a merchant's failure to comply with data security standards would not cause the bank to alter its behavior. Yet another issuing bank indicated that its beliefs about TJX's security, whatever they may have been, did not influence what security steps it adopted. Furthermore, there is evidence that Visa informed at least some issuing banks that many merchants fail to comply with data security standards."

The judge also expressed concern that some of the plaintiffs and one of the defendants are issuing banks, meaning that they handle credit card accounts for major retailers.

"While banks that serve only as issuers—such as the named plaintiffs in this case—would clearly benefit from a victory, mixed banks may actually be negatively affected," Young said. "Indeed, a decision that acquiring banks can be held liable in circumstances such as these very well could come back to haunt such mixed banks in the future. The mixed banks' interest in shielding themselves from liability for millions of dollars if they are ever in Fifth Third's position is contrary to the named plaintiffs' objectives."

Assuming the judge's decision stands, it could all but kill the banks' actions against TJX, because each bank will have to independently pursue litigation. That's going to be much more expensive than merely being a part of a large class-action effort, and those banks have already spent money on the initial case.

Further complicating the question of whether any of the plaintiff banks will pursue independent lawsuits is a statement issued jointly by TJX and Visa on Nov. 30.

That Visa-TJX statement said Visa would forgive "a portion" of the $880,000 that it had imposed on TJX's credit card processor. In exchange, TJX will pay an unspecified amount, not to exceed $40.9 million, to an unspecified number of plaintiff banks.

The deal won't happen unless "financial institutions representing 80 percent of the eligible U.S. Visa accounts affected by the data compromise" sign off on it, the TJX/Visa statement said.

To get any of the money, each bank would have to agree to not sue. That's why the Visa statement is so closely connected to the judge's class-action decision.

Industry observers noted the timing of the movement. To resolve this case in the middle of the holiday shopping season would be helpful to retailers. Many of the banks would rather have this distracting case off of their plates as well, and Visa is in the middle of a $10 billion IPO (initial public offering) and presumably would also rather not have this case hanging over its head.

"It's in everyone involved's best interest for this to go away. No one wants consumers to return to using cash or checks, so I think everyone would just like it to go away," said Paula Rosenblum, a retail analyst with Retail Systems Research. "After all, outstanding litigation is not good for IPOs, either."

Rosenblum's associate at Retail Systems Research, Brian Kilcourse, agreed, but added that it's still a mixed bag for the financial players.

"As to whether this is good for the issuing banks or not, I'm not sure it's such a good deal. Consider: As many as 96 million card numbers were exposed to compromise—and something more than 40 million were actually compromised. Security experts estimate that the total per card cost to issuing banks is something in the $25-35 dollar range. So $40 million doesn't begin to cover the true exposure."

Editor's Note: This story was updated with more information on the judge's decision.

Retail Center Editor Evan Schuman can be reached at

