New England Banks File Class Action Suit Against Retailer TJX

The line forms on the left, as state banking associations representing banks from three New England states have filed a class action lawsuit against TJX Companies Inc., in response to the company’s credit and debit card breach in which more than 45 million cards may have been compromised. More banks are expected to join the lawsuit.

The class action lawsuit, filed on April 23 in the U.S. District Court in Boston, MA against the Framingham, MA –based retailer seeks to recover damages in the “tens of millions of dollars.” Three state banking associations, the Massachusetts Bankers Association (MBA), the Connecticut Bankers Association (CBA) and the Maine Association of Community Banks (MACB) filed the suit and are co-plaintiffs. Collectively, they represent nearly 300 banks.

So far “named” plaintiffs in the class action suit include Saugusbank, Saugus, MA; Eagle Bank, Everett, MA; and Collinsville Savings Society, Collinsville, CT. More bankers associations and many more individual banks are expected to join the list from across the country as the case progresses. As a result of the TJX data breach, first disclosed in mid January, financial institutions have spent tremendous amounts of money in the effort to protect cardholders. The MBA said it is filing this lawsuit to protect customer privacy and data security for customer accounts.

“The MBA made a decision to file a class action suit because we believe we are in the best position to achieve success for our members and customers,” said Daniel J. Forte, president and CEO of the MBA. “With the possible exception of the banks from California that could also decide to join us, our New England institutions have had the most exposure to this massive data breach. We believe TJX has more stores in our region than anywhere else other than California and, of course, it is headquartered here in Massachusetts. Moreover, we have extensive knowledge and experience with Massachusetts state law, which will likely be an important factor in this litigation.” Recently, TJX reported that cards and other personal information may have been exposed going all the way back to 2003. Cases of fraud due to the TJX breach have been reported from all over the world.

At the time that the MBA is filing this lawsuit, banks throughout New England continue to receive lists of “hot” cards that have been exposed in the TJX data breach, more than three months after TJX first disclosed it had a problem. Forte said the MBA and the other plaintiffs are not ready to discuss the full extent of the bank losses because the damage is still being done. “Suffice to say,” he said, “we will be seeking to recover damages in the tens of millions of dollars.” Financial institutions across the nation had to re-issue debit cards as a result of the TJX data breach. Preliminary estimates of the costs vary from institution to institution, up to $25 dollars per card. This alone would run into many millions of dollars for banks throughout the country. When fraud occurs, banks generally cover the entire fraud, replacing money in customer accounts to protect their customers.

"Protecting consumers is our number one priority" said Lindsey Pinkham, senior vice president of the Connecticut Bankers Association. "However, retail data breaches are getting larger and more frequent and we cannot continue to absorb the costs."

The MBA’s Forte also said he has great confidence this lawsuit will achieve success even though lawsuits brought by other banks as a result of a similar breach by BJ’s Wholesale Club several years ago have achieved mixed results. “There are significant differences between this case and prior data breach lawsuits such as the BJ’s cases in Pennsylvania,” he said. “We think we have an advantage trying the case here in Massachusetts; when the BJ’s cases were argued in Pennsylvania, the plaintiffs did not include an unfair trade practices statutory claim, and Massachusetts law allows these claims.

Forte pointed to the fact that “an unfair trade practice claim was asserted by the FTC which imposed substantial conditions and requirements on their operations. In addition, we will seek to prove that TJX is responsible for negligent misrepresentation. Among other things, the company represented that it was safeguarding and disposing of cardholder data. These representations were not true and showed a lack of reasonable care and were both unfair trade practices and negligent misrepresentation under Massachusetts law. In one of the ongoing BJ’s cases, unlike in Pennsylvania, a motion to dismiss brought by BJ’s was denied in Massachusetts and the case is still proceeding here.

“We believe the litigation ultimately will serve to better protect consumers,” he added. “If we’re successful against TJX, the nation’s major retailers will finally wake up to the fact that not protecting consumer data is an unfair trade practice and that investment in data management systems to protect consumers and shield consumers against fraud and identity theft is required.”


About the Author

Linda McGlasson

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.




Around the Network