Banks File Massive Class-Action Suit Against TJX

The massive data breach disclosed earlier this year by Framingham, Mass.-based TJX Companies appears to have done little to hurt consumer confidence in the company so far. But it is getting the giant retailer into all sorts of legal trouble.

The latest example is a class-action lawsuit filed Tuesday by the Massachusetts Bankers Association (MBA) seeking tens of millions of dollars in restitution for banks that were forced to block and reissue thousands of debit cards following the breach.

In a statement issued Tuesday, the Boston-based MBA said that banks in the state along with those in California were among the financial institutions most affected by the data breach, which resulted in the compromise of more than 45 million cards.

As a result of the data breach, "there have been dramatic costs to financial institutions in the effort to protect cardholders," the MBA said in its statement. "The MBA is filing this lawsuit to protect customer privacy and data security for customer accounts."

According to the association, a final estimate of the costs to banks from the breach is still not available because banks throughout New England are still continuing to receive lists of cards that were compromised in the breach, more than three months after TJX disclosed the issue.

"Suffice to say, we will be seeking to recover damages in the tens of millions of dollars," MBA president Daniel Forte was quoted as saying in the statement. According to preliminary estimates, the costs to institutions for replacing cards could be as much as US$25 per card, the association noted in its statement. The MBA represents more than 200 banks in Massachusetts.

TJX is the owner of a number of retail brands, including T.J. Maxx, Marshalls and Bob’s Stores. In January, the company announced that someone had illegally accessed one of its payment systems and made off with card data belonging to an unspecified number of customers in the United States, Canada, Puerto Rico, and potentially the United Kingdom and Ireland. Last month it revealed that the total number of cards compromised in the break-in was 45 million, making it the biggest compromise of personal data ever reported.

The breach has already spurred other lawsuits against the company. For example, the Arkansas Carpenters Pension Fund, which owns 4,500 shares of TJX stock, has filed a lawsuit over what it claims is TJX’s refusal to provide documents outlining the company’s IT security measures and its response to the data breach.

In another legal action, Canadian law firm Merchant Law Group has filed a class-action lawsuit against Winners and HomeSense, two TJX-owned retailers in Canada whose customers were affected by the breach. The lawsuit was filed in courts in six Canadian provinces. It seeks financial recovery for all victims affected by the breach.

And soon after the breach, a Virginia-based woman filed a class-action lawsuit against TJX over what she said was the company’s refusal to offer credit-monitoring services for affected customers.

-Jaikumar Vijayan, Computerworld

Copyright © 2007 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)