Court Zeros In on
What TJX Didnt Say”>
TJX knew how “antiquated and deficient” its security efforts were and yet never told MasterCard or Visa, resulting in negligent misrepresentations. Thats how U.S. District Judge William Young summed up what the banks must prove to win at trial in his courtroom.
In an hour-long federal court hearing Oct. 16 in Boston, Young peppered attorneys from TJX, TJX processor Fifth Third Bank and banks suing TJX, providing a good sense of where a TJX bank trial might go.
TJX has reached a settlement with a class-action consumer lawsuit, and Young is preparing to approve that settlement. That case went relatively easy on TJX because there were minimal—and often no—monetary damages suffered by consumers, thanks to zero-liability credit card programs.
But the banks are the ones that had to reissue credit cards and handle fraud losses, so TJX is in for a more fierce fight in that arena.
The court hearing involved whether Young would certify many of the banks to sue together as a class—making this another class-action lawsuit—or have them proceed individually. Unlike the consumer case, the banks involved could indeed sue on their own, so the question of class certification isnt likely to kill the case, regardless of how the judge ultimately rules.
Evan Schuman claims TJX is a genius at playing dumb. Read why.
The core accusation against TJX is that it was not truthful with the banks—and with Visa and MasterCard specifically—as to the state of its data security operations for its credit cards.
In what is widely considered the worst-ever data breach reported, the Framingham, Mass., retail chain in January disclosed that the credit card data of some 46 million consumers fell into unauthorized hands in a series of penetrations from July 2005 to December 2006. TJX filings have raised questions about its encryption practices, its wireless security choices, and whether intruders successfully planted Trojan horses into the system and whether they had the companys encryption key.
In summarizing the plaintiffs claim, Young said the fraud accusations seem to come down to what TJX did not say, rather than what it did.
“Youre going to have to prove that TJX made negligent misrepresentations. That it was under a duty to speak and didnt speak and knew what its problems were and didnt say to MasterCard and Visa that they werent encrypting and the like,” Young said. “Thats why MasterCard and Visa acted to allow TJX to get into the electronic, plastic monetary exchange upon which the economic health of the nation now rests.
“It would seem that the nature of the negligent representations by omission, if thats really the plaintiffs theory here, is a failure to be forthcoming to MasterCard and Visa about the antiquated and deficient operation within TJX.”
TJX attorney Richard Batchelder argued that the complicated nature of the relationships between banks and the credit card companies and the processors and TJX—coupled with the long duration of these data breaches—makes a class certification inappropriate.
“You described it as an implied security assurance. That means when some customer goes into a store and their card is swiped, that theres some implied security assurance that in some way, through this complex web, [the assurance] gets back to these member banks and they somehow relied upon that,” Batchelder said. “When you look at that as their basis for the negligent misrepresentation case, you can see how class certification isnt appropriate. Think about it. Theyre talking about transactions in 2003, 04, 05, 06, 07. Theyre talking about operating regulations that werent even in existence in 03 and 04 that then came into effect in 05 and then changed in 06. Theyre talking about a security system that in 03, 04, 05, 06, 07 is developing and evolving, as every merchants security systems was. So what exactly is the representation being made every single time? How are we possibly going to try that on a class basis? It would be impossible.”
Further Complicating Matters
Batchelder also asked whether the many changes and vagaries surrounding the PCI (Payment Card Industry) Data Security Standard didnt further complicate matters.
“As you can imagine, TJX has been accepting credit cards and debit cards for a long time, well before this case came about,” he said. “And when they made that decision [to accept credit and debit cards], there were no PCI standards, there were no rules and regulations as to how you store date or not store data and so forth. Those have all come out recently.” The PCI Council will “say youre going to have to move to this standard by such and such a date. And so theres this entire period of time when theres a standard out there, but you dont have to comply with it until Visa or MasterCard says you have to comply with it.”
Another issue that cropped up a few times in the arguments is whether most banks automatically reissued credit cards when they learned of the data breach. Attorneys representing some of the banks that are suing TJX said they did and that most banks would have reissued. Batchelder disagreed.
“They talk about 80 percent of banks have [reissued cards]. They have the same survey, which they cite twice, that has 90 banks responding to it. Thats it. And those 90 banks, theyre not at all representative of the banks out there in the country. The largest issuers, its well-known they do not automatically reissue. It wouldnt make any economic sense for them to automatically reissue,” Batchelder said. “What they do is monitor and select reissuance if they see fraud because theyve got sophisticated fraud monitoring. These plaintiffs didnt have that, so they just went out and reissued.”
Click here to read more about the TJX settlement.
One of the attorneys for TJX card processor Fifth Third Bank, Breck Weigel, argued that the fraud accusation comes down to a legal issue of reliance. Reliance is where a company, such as the banks suing TJX, made business decisions that relied on the truthfulness and completeness of TJX statements. In this case, he said, its unlikely anyone would have believed those representations given what industry officials were saying at the time. He specifically cited an instance involving retailers storing Track 2 data, which is magnetic stripe information that is not supposed to be retained by any retailer.
“There is substantial evidence in this record that there was no reliance. We have a very broad record here, a number of depositions of these issuing banks. They attended meetings where Visa and MasterCard specifically pointed out to them there are merchants out there storing Track 2 data. Visa and MasterCard specifically pointed out to them there are a number of merchants who are not PCI-compliant,” Weigel said. “So not only do we have the name plaintiffs in this case who attended these meetings and would not have replied upon any authorization, security assurance as we call it, but obviously large financial institutions who are on the board of directors of Visa and MasterCard, certainly they are not relying upon issuing banks or acquiring banks or merchants as to some authorization. That just simply doesnt exist.”
He also argued that a key issue of the case will be next to impossible to prove: establishing that frauds requiring the card reissuances—and the associated costs—were directly and specifically related to TJXs breach.
Given that almost 1 percent of all credit card transactions involve some sort of fraud, Weigel said, there would have been a healthy number of fraudulent issues during that time period anyway. “The point is there have been a number of high-profile credit card compromises. TJX is not the first, and its not going to be the last. We have Ralph Lauren Polo, we have DSW, we have BJs here,” he said.
One important theme that has underscored much of the TJX data breach saga has been secrecy, starting with TJX having learned of the breach in mid-December 2006 but not reporting it publicly until mid-January 2007. With so much of the law on its side in the consumer lawsuit, the most pressing matter for TJX was the fear of having to reveal embarrassing internal security details in open court.
Young waited until the end of the hearing to address confidentiality, and he lectured TJXs attorneys on abusing discretion and operating in secret when dealing with what the judge called “so-called confidential data.”
Young said there are some confidential elements to this case, including specific details that could allow cyber-thieves to break into the systems of TJX and other retailers.
“This court has and will respect that,” he said. “But because the court has acknowledged that from the get-go, and will continue to respect that, you people have chosen to try to gain the litigation advantage for your respective clients in this case behind closed doors. You are taking a sweeping view of what is confidential and what the public cannot see. And you are sadly mistaken. I have carefully gone over the record before me with respect to this motion. There is only one fact, one, that falls within that ambit, and thats the location of servers, and that could have been worked around by use of equivalent phraseology or data. I have people redacting the names of experts here.”
The judge then ordered all attorneys to halt sending documents directly to his chambers labeled confidential.
“You will not in the future file any document other than electronically, pursuant to the rules of this court,” he said. “And the documents you file will be public. Entirely public. You will not file a document under seal and some [cleaned up] document that the public cant look at. You will file a public document. If you think anything needs to be filed under seal, you will file a public document, supported by public affidavits, detailing why the specifics, and I am extraordinary skeptical of your view of whats confidential. Ive told you whats confidential: Things that bear on the actual operation of the computers, the actual security standards for the computers, and the like.”
Young also said he wants attorneys to reveal much more to the public. “Given the nature of this case, I dont see why any of this case, any of it, should be conducted out of the publics spotlight, and it will not be, unless there is a specific reason, persuasive to me, made in public documents,” he said.
Retail Center Editor Evan Schuman can be reached at [email protected].
Check out eWEEK.coms for the latest news, views and analysis on technologys impact on retail.