Home | ARTICLES | TJX Being Sued Over ID Thefts

TJX Being Sued Over ID Thefts

February 2007

South Shore shoppers at risk of identity theft because of a security breach at TJX Companies are signing up for a growing list of lawsuits against the Framingham-based retail chain.

Pembroke resident Robert Mann, a frequent shopper at the company’s TJ Maxx and HomeGoods stores, discovered 110 fraudulent transactions totaling several thousand dollars on his debit card between Jan. 24 and Jan. 27, according to a lawsuit filed on Thursday in U.S. District Court in Boston.

Full Story (The Patriot Ledger)

More...

More...

Our analysis:

It seems like every week there’s a new data security breach—from the Department of Veterans Affairs to UCLA and Boeing. So, why is it that the TJX Co. keeps getting hit with class action lawsuits, while the other guys don’t?

Let’s briefly recap:

On Jan. 17, the company that oversees retail stores including T.J. Maxx and Marshalls announced that a database containing customer debit, credit card and driver’s license numbers had been compromised.
The compromise was over several extended time periods.
The Wall Street Journal announced that as many as 40 million people could be affected, though TJX has declined to report an official number.
In ensuing days, over 60 Massachusetts banks reported that TJX shoppers had been victims of credit card fraud.

The fallout begins:

Responding quickly, a team of attorneys from Philadelphia and Boston filed a series of class-action lawsuits against the company in a Massachusetts federal court. The third and most recent one was filed on Feb. 15, on behalf of five plaintiffs. Separate class action suits were also filed in Alabama, California and Puerto Rico.

For a database breach, this is an unusual amount of legal action. Class-action lawsuits are the “Godzillas” of legal maneuverings. Done successfully, they reap huge awards because they allow hundreds, thousands or even millions of plaintiffs to collect damages from corporations and other entities in one fell and efficient swoop. This is only the second time to our knowledge that a data security breach has resulted in such a legal reponse (the first yet-to-be-decided case was filed against Card Systems California in July, 2005).

Why is this case different?

So what makes TJX such a hot class-action target? Two things: First, unlike the majority of reported security breaches, the TJX intrusion has been demonstratively linked to subsequent fraudulent transactions. The victims include people like Robert Mann, who discovered 110 fraudulent transactions on the debit card that he’d used at T.J. Maxx and HomeGoods stores. While only Mann and four others are named as plaintiffs in the latest class-action filing, any TJX victim could theoretically collect damages including monetary reimbursement for fraud, free credit monitoring or free credit card monitoring if a federal judge decides to hear the case and rules in favor of the plaintiffs.

The second reason litigants are attracted to the TJX breach is that early media reports implied that the company was negligent in safeguarding its data. As the Wall Street Journal reported on Jan. 19, “The rules that cover transactions on cards branded with logos from Visa, Mastercard International Inc., American Express Co. and Discover Financial Services, require merchants to validate a series of security measures, such as the establishment of firewalls to protect databases. Among other things, merchants are prohibited from storing unprotected cardholder information,” (emphasis added). Every one of the TJX class action suits has revolved around negligence complaints, charges that would be difficult to prove in many other data breach situations.

Other companies have been drawn into the vortex:

TJX is not the only company on the line here. According to a Wall Street Journal article published on January 19: “The parent of the T.J. Maxx, Marshalls and HomeGoods discount chains used the card-processing services of Fifth Third Bancorp for its plastic transactions, according to people familiar with the matter. Based on card-industry rules, that means Fifth Third likely will be first in line if Visa USA Inc. and MasterCard Inc. levy fines for the breach.” This means that because Fifth Third Bancorp is responsible for handling the company’s credit and debit card transactions, it could potentially be held dually responsible for making sure that TJX follows card association rules and maintains its databases according to industry standards. Attorneys for the class-action plaintiffs charge that Fifth Third failed to do so, and have named the bank as a co-defendant in two of the three Massachusetts filings.

Expect it take anywhere from six months up to a year for the Massachusetts federal judge to decide whether or not these cases can move forward (a process known as “certification”). In the meantime, the latest press release on TJX’s web site reveals that the transactions exposed in the breach spanned a wider period of time than previously reported, now including dates in 2005 as well. (See link above for TJX’s press release.)

Stay tuned for more…