DANIEL J. FORTE
‘Cavalier cycle’ of problems
A line in the sand. That’s what the Massachusetts and Connecticut bankers associations and the Maine Association of Community Banks want to draw, saying the latest data security breach by a major retailer is one too many and their member banks should not absorb the resulting cost.
A lawsuit the three associations and member banks Eagle Bank of Everett, Saugusbank of Saugus and Collinsville Savings Society in Hartford County, Conn., filed April 25 in U.S. District Court in Boston claims breach of contract, negligence and misrepresentation by Framingham-based TJX Cos. following a December incident in which computer hackers gained access to consumer financial data the company had stored.
TJX, the parent company of discount retailers T.J. Maxx, Marshalls, HomeGoods, A.J. Wright and Bob’s Stores, failed to protect the financial data of 45 million U.S. credit and debit card holders who shopped at its retail chains, the lawsuit claims, and card-issuing banks are forking out millions of dollars to clean up the mess.
The lawsuit, prepared by Connecticut firm Tyler, Cooper & Alcorn, is the 10th filed in federal court as a result of the data breach, said Massachusetts Bankers Association President and Chief Executive Officer Daniel J. Forte.
He said the data breach at issue is the largest in U.S. history.
“From a legal perspective, we have to ask, ‘if not now, then when?'” he said of the association’s decision to pursue the case in court.
The lawsuit’s goal is “to end this cavalier cycle of data breachers in the retail industry,” he added.
MBA has invited other Massachusetts banks to join the lawsuit, which seeks class-action status since so many banks and common questions of law are involved.
The association, which represents about 200 Bay State banks, reportedly also has invited other U.S. banking trade associations to sign on.
The lawsuit claims that TJX was negligent, misrepresented that it was protecting customer data and breached its contract terms within the network of credit and debit card-merchant agreements – specifically, with Fifth Third Bank, which processes its Visa and MasterCard transactions.
The company’s actions and inactions cost association bank members that issued credit and debit cards at least $5 million to reissue them at a cost of up to $25 per card, and reimburse fraudulent charges, the lawsuit claims.
It seeks reimbursement for those damages; a court order requiring TJX not to store customer financial data beyond the point when a customer’s card is authorized, as stated in its contract with Fifth Third Bank; and a finding that TJX violated Massachusetts’ deceptive acts and unfair trade practice law.
MBA’s case is “unique” as Massachusetts’ law allows claims based on that law, Forte said. A similar lawsuit Philadelphia-based Sovereign Bank filed against BJ’s Wholesale Club, following a similar breach in 2004, did not include it.
Sovereign’s claims against BJ’s were dismissed in Pennsylvania, but one claim related to that incident is still pending in the Bay State, Forte said.
The Federal Trade Commission found in 2005 that BJ’s failure to protect its customers’ financial information was an unfair trade practice, and required the company to implement a “comprehensive,” regularly audited information security program as a result.
Forte said he hopes the cost of damages will be an incentive to major retailers to spend money on secure computer systems instead of fines.
However, not everyone agrees that a court case is the way to achieve that goal.
“I don’t know if a lawsuit is really going to make things change,” said John McGeorge, president of MBA member Needham Bank. “I think I’d rather see our money used to have our lobbyist do something [legislatively].”
“MBA doesn’t do things impulsively,” suggested Barry Sloane, Co-CEO and Co-President of Medford’s Century Bank, but declined further comment.
Kevin J. Handly, a banking practice attorney with the Boston office of Gallagher, Callahan & Gartrell, suggested a lawsuit might be part of MBA’s strategy to get TJX to take them more seriously, or to back up state and U.S. bills the trade association is supporting that seek similar recourse.
“I think it would be helpful [to push] the legislative action,” he said. “But viewed in isolation, it would be very long, very expensive and, frankly, would have uncertain prospects of success.”
MBA spokesman Bruce Spitzer said the lawsuit is indeed part of a multifaceted approach.
“We want to leave no stone unturned,” he said.
‘Ugly’ Battle
One industry observer predicted TJX would say the lawsuit’s claims are exaggerated.
The fight will be “ugly,” he predicted, “but I think [MBA] has a budget to do it for a couple of years.”
But Handly said the case is likely to be an uphill battle for bankers on several fronts.
For example, the bankers’ associations were not, themselves, damaged by the data breach, he said, and thus make unlikely plaintiffs.
The breach of contract claim is faulty as well, he opined, since the contract alleged to have been breached is between TJX and its card-processing bank, not between TJX and the plaintiff banks.
The lawsuit claims its plaintiff banks were that contract’s intended third-party beneficiaries and suffered losses as a result.
To date, TJX has not publicly responded to the suit. TJX spokeswoman Sherry Lang did not return a phone call from Banker & Tradesman but told The Associated Press the company would not comment on pending litigation.
Retailers’ Association of Massachusetts President Jon B. Hurst said MBA, in his view, is “asking for World War III” – and pursuing the wrong party in court.
“[Card-issuing] banks don’t have a contract with the retailer,” he pointed out.
Banks can recover at least a portion of the cost of reissuing a credit or debit card that’s compromised through credit card companies’ recovery processes and through fines retailers pay if they’re not compliant with data security standards.
But McGeorge, of Needham Bank, said “no one has sent me a check” for the cost of reissuing credit or debit cards his bank’s customers. And Claire Bean, executive vice president and chief financial officer at Benjamin Franklin Bancorp in Franklin, said her bank also incurred “significant” costs for reissuing cards following the TJX data breach without reimbursement from any source.
Spitzer said such costs are not recovered through contracts, and said Visa and MasterCard have admitted their claims process is cumbersome.
“You are lucky if you can get a few cents on the dollar for this. Many banks don’t make the effort,” he said.
The New England Debit Card Task Force, a working group MBA initiated after the BJ’s data breach, has worked hard to ease that process, Spitzer said.
He said retailers’ arguments that banks already recover costs from retailers are simply a smokescreen, “since they don’t have a good answer on why they haven’t protected data from consumers.”
But Hurst suggested the issue everyone seems to be forgetting is that the stealing of data “was a criminal act by thieves.”
“It seems the industry should be working together to fight this crime,” he added.
