Posted On: August 10, 2009 by David Johnson

TJX Data Security Breach Saga Continues: Financial Institution Class Action against TJX Survives Based on Unfair Competition Claim Predicated on Statements in FTC Complaint against T.J. Maxx / Marshalls' Parent Company

TJX's legal saga concerning its massive security breach in 2003 and 2006 lives on. TJX is a large retailer, with over 2,000 T.J. Maxx, Marshalls, HomeGoods, Bob's Stores and A.J. Wright stores in the U.S. and Puerto Rico. During 2003 and 2006, hackers broke into the TJX computer network that handled its credit and debit card, check and return merchandise transactions. The intrusion involved transactions occurring in 2003 and from May through December 2006. TJX learned about the intrusion in mid-December 2006, but delayed making public notification until January 17, 2007. Reports indicated that approximately 45.7 million customer credit and debit cards were affected by the breach.

According to TJX's most recent 10-Q (May 2, 2009), TJX initially established a reserve of $178.1 million to reflect its losses from the data intrusion. TJX later reduced this reserve by $39.4 million. This means that TJX expects its net losses from the data intrusion to total almost $139 million. While TJX will survive, this is truly a massive loss and represents one of the largest computer-related losses experienced by a company.

An expanding body of federal and state law has imposed two types of data security obligations on companies handling consumer financial transactions: (i) a duty to employ reasonable security measures, and (ii) a duty to notify consumers when a breach of security has occurred.

After TJX announced its data security breach, it was hit with a lengthy list of legal actions. These included: (i) a regulatory complaint by the FTC; (ii) claims by the credit card companies to recover tens of millions in fraud losses; (iii) regulatory actions by over 40 state attorneys general; (iv) several consumer class actions; and (v) a class action on behalf of thousands of banks that had lost money as a result of the breach. All but one of these major legal actions appear to have been resolved.

The FTC Complaint was resolved on July 29, 2008 with the entry of a consent order requiring TJX to install and maintain a "comprehensive information security program to protect the security, confidentiality, and integrity of personal information collected from customers." TJX is also required to obtain initial and biennial third-party assessments of this program for the next 20 years. (Fn1) The State Attorney General actions were settled on June 22, 2009 with another consent decree requiring TJX to maintain a "comprehensive information security program." TJX also agreed to comply with state breach notification laws and to pay the states $9.75 million.

The credit card company claims were settled for an amount estimated to be at least $24 million, but possibly much more. The consumer class action was settled in early 2008, in typical consumer-class-action currency: (i) the choice of a $60 gift certificate or $30 in cash, (ii) three years of credit monitoring from Equifax, (iii) the replacement cost of a driver's license, and (iv) the amount of any actual, unreimbursed damages. In addition, TJX agreed that all its stores would hold a one-time Special Event (a sale) in which prices would be reduced by 15%. The plaintiffs' attorneys received $6.5 million in attorneys' fees as well. (Fn2)

The major piece of litigation that remains is the financial institution class action. (Fn3) The suit is brought on behalf of "thousands of financial institutions" whose individual losses were apparently too small to justify separate actions. So if the court refuses to certify the plaintiffs as a class, their claims would likely go away.

Not every collection of similar cases is entitled to class action status. To be certified as a class action, a proposed class must show that there are common questions of law and fact that affect all members of the class (the "commonality" requirement) and that these questions predominate over individualized issues (the "predominance" requirement).

Here, the plaintiffs asserted four legal theories of relief: (1) negligence, (2) breach of contract, (3) negligent misrepresentation, and (4) unfair or deceptive business practices under "Chapter 93A" of the Massachusetts General Laws -- i.e., the Massachusetts unfair competition ("UCL") statute. The plaintiffs claimed that three different actions by TJX constituted unfair business practices for the purposes of their UCL claim: (i) TJX's misrepresentations as to the security of its data systems, (ii) its violations of the FTC Act -- specifically FTC consent orders stating that the failure of merchants to take reasonable steps to safeguard personal information violates the FTC Act, and (iii) its violations of the Gramm-Leach-Bliley Act (15 U.S.C. § 6801(a)), a federal statute forbidding disclosure of customer data by financial institutions to third parties.

On a Rule 12(b)(6) motion by TJX, Massachusetts District Court Judge William G. Young dismissed the negligence and breach of contract claims. For their contract claims, the plaintiffs relied on the theory that they were third-party beneficiaries of the Merchant Agreements between TJX and the credit card companies (e.g., MasterCard and Visa) and were thus entitled to damages where TJX breached the data security provisions in those agreements. Judge Young found that because the Merchant Agreements specifically disavowed third-party beneficiary liability, this claim failed. Judge Young also dismissed the negligence claim under the "economic loss" rule, because the plaintiffs claimed to have suffered only economic losses, not property damage.

However, Judge Young refused to dismiss the misrepresentation claim. He found that the plaintiffs' allegations that they had relied on TJX's statements to the credit card companies that appropriate security measures were in place were sufficient to support this claim. He also refused to dismiss the UCL claim entirely. Of the plaintiffs' three theories for their UCL claim, Judge Young found that "negligent misrepresentation may be so extreme or egregious as to constitute a chapter 93A violation." However, he rejected the notion that a UCL claim can be predicated on a consent order expressing the views of the FTC or on the Gramm-Leach-Bliley Act.

Judge Young then also denied the plaintiffs' motion for class certification. He found that the only claim that had survived the Rule 12(b)(6) motion -- misrepresentation -- was not one on which common matters of law or fact would predominate, because the primary factual issue would be the degree to which each bank had relied on the supposed misrepresentations. (Fn4)

On appeal, the 1st Circuit upheld Judge Young's rulings on the plaintiffs' claims for negligence, contract and negligent misrepresentation -- although it opined that the negligent misrepresentation claim rested on flimsy grounds and was "on life support." The 1st Circuit also upheld his ruling that "the negligent misrepresentation claim, whether standing alone or under Chapter 93A, is not certifiable under the class action rubric." (Fn5)

However, the 1st Circuit rejected Judge Young's finding that the plaintiffs could not also base their UCL claim on the theory that TJX's lack of security measures was unfair under the FTC Act. The 1st Circuit noted that even if Massachusetts courts do not recognize FTC consent decrees as authoritative legal pronouncements for purposes of the UCL, Massachusetts courts do treat FTC complaints as an authoritative expression of the FTC's view. Courts often view consent decrees as settlements, which, as negotiated agreements, may not necessarily reflect the official positions of either party.

Complaints, which are not negotiated, do reflect the filer's legal position. Here, the FTC had filed a complaint against TJX, which specifically stated that TJX's "failure to employ reasonable security measures" was "an unfair act or practice" -- thus stating its legal position on TJX's activities. Accordingly, the 1st Circuit held that the plaintiffs' UCL claims could go forward on the ground that TJX's practices were unfair, as well.

The 1st Circuit's reversal on the unfairness theory for the plaintiffs' UCL claim also led it to reverse Judge Young's denial of class certification. The 1st Circuit found that it was not clear that a UCL claim based on an unfairness theory would necessarily raise the "predominance" problems posed by a misrepresentation claim: "The unfairness theory appears to look to what the defendants did (or failed to do) rather than on the bank's reliance on supposed misrepresentations." Accordingly, the 1st Circuit remanded the case to Judge Young for a determination as to whether the chapter 93A unfairness theory deserved class status.

It is by no means certain that the District Court will certify the class, even after remand. The 1st Circuit noted that certain issues involved in the UCL claims, such as causation of damages, might not present sufficient commonality to qualify for class status.

It is crucial for companies that handle consumer data to look seriously at their data security procedures. According to a report in the CPA Journal, TJX was protecting its in-store wireless networks with Wired Equivalent Privacy (WEP), a protocol whose keys can be recovered by a passive attacker and which had already been superseded by the time of the intrusion. TJX was also storing the full-track contents of each customer's card -- the magnetic-stripe data that includes the card verification code and PIN-related values -- after the transaction had been authorized, and it failed to encrypt the customer data it kept. None of these practices met prevailing standards; the card brands' rules already prohibited retaining full-track data and verification codes after authorization. It is equally crucial for companies to comply with state breach notification laws as soon as possible. By waiting a month, until the Christmas selling season was over, to notify customers, TJX likely put itself in breach of those laws, increasing its legal liability.
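The retention problem above is one a merchant can check for mechanically: full-track data has a fixed layout (ISO/IEC 7813 track 1 and track 2), and a bare card number passes the Luhn check. The following scanner, written for this post as an added example and not taken from TJX, the court filings or the CPA Journal report, walks through stored transaction records and flags track data and unmasked PANs. The record formats, store and token fields, and the three sample records are constructed for illustration; the track layouts, the Luhn algorithm and the first-six/last-four masking convention are standard.

```python
"""Scan stored transaction records for magnetic-stripe track data and
unmasked card numbers (PANs). Added example; sample records are constructed."""
import re

# Track 1, format B (ISO/IEC 7813): %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(
    r"%B(?P<pan>\d{13,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\??"
)
# Track 2 (ISO/IEC 7813): ;<PAN>=<YYMM><service code><discretionary>?
# The discretionary field is where issuers place values such as the card
# verification value, which must never be retained after authorization.
TRACK2_RE = re.compile(
    r";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\??"
)
# A bare PAN candidate: 13 to 19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, the usual display form."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_record(record: str) -> list:
    """Return one finding per piece of sensitive card data in the record.

    Track data is reported first and blanked out so the bare-PAN pass does
    not report the same card number a second time.
    """
    findings = []
    cleaned = record
    for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(cleaned):
            findings.append({"kind": kind, "pan": mask_pan(m.group("pan")),
                             "service_code": m.group("svc")})
        cleaned = rx.sub(lambda m: " " * len(m.group()), cleaned)
    for m in PAN_RE.finditer(cleaned):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):     # order numbers and timestamps rarely pass Luhn
            findings.append({"kind": "pan", "pan": mask_pan(digits),
                             "service_code": None})
    return findings


def retention_report(records: list) -> dict:
    """Count records by the worst thing they retain: track data, bare PAN, or nothing."""
    report = {"track": 0, "pan": 0, "clean": 0}
    for rec in records:
        kinds = {f["kind"] for f in scan_record(rec)}
        if kinds & {"track1", "track2"}:
            report["track"] += 1
        elif "pan" in kinds:
            report["pan"] += 1
        else:
            report["clean"] += 1
    return report


# Constructed sample records (hypothetical log format; 4111... and 5500... are
# well-known test card numbers, not real accounts).
SAMPLE_RECORDS = [
    # Full track 1 and track 2 stored alongside a return transaction.
    "2006-11-02 RETURN store=0412 %B4111111111111111^DOE/JANE^0812101000000000000?"
    ";4111111111111111=0812101000000000?",
    # Bare PAN written to a settlement log.
    "2006-11-02 SETTLE store=0412 pan=5500000000000004 amt=42.17",
    # Tokenised record with a 13-digit order number that fails Luhn: should be clean.
    "2006-11-02 SETTLE store=0412 token=tok_8f2a9c amt=42.17 order=1234567890123",
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(scan_record(rec))
    print(retention_report(SAMPLE_RECORDS))
```

The Luhn filter is what keeps the bare-PAN pass useful on real logs: timestamps, store numbers and order identifiers are digit runs too, and without it the scanner drowns in false positives. A match on `track1` or `track2` is the serious finding, since it means the data needed to clone a card was retained after authorization, regardless of whether the field was later encrypted.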

The 1st Circuit's ruling also demonstrates the long reach of state UCL laws. Even where federal laws -- like the FTC Act here -- do not provide a private right of action, state UCL laws often permit federal law to form the basis for a UCL claim. Moreover, as here, the borrowed "law" often does not have to be a law at all; it can be an authoritative expression by a legal or professional body as to what constitutes fair or ethical business practice. In setting data security or other business policies, it pays to be aware of such pronouncements.

Notes:

Fn1 In the Matter of The TJX Companies, Inc., FTC Docket No. C-4227, Decision and Order (July 29, 2008).
Fn2 In re TJX Companies Retail Security Breach Litigation, U.S.D.C. District of Mass., Case No. 07-10162, Plaintiffs' Motion for and Memorandum in Support of Final Approval of Class Action Settlement (August 8, 2008).
Fn3 In re TJX Companies Retail Security Breach Litigation (AmeriFirst Bank v. TJX Companies, Inc.), U.S.D.C. District of Mass., No. 07-10162-WGY.
Fn4 Judge Young then found that, because the sole basis for federal jurisdiction was the plaintiffs' class action status, the case should be remanded from federal to state court.
Fn5 In re TJX Companies Retail Security Breach Litigation (AmeriFirst Bank v. TJX Companies, Inc.), U.S. Court of Appeals for the First Circuit, Nos. 07-2828, 08-1075, 08-1076 (March 30, 2009).