TJX slapped with class action suit by banks

At this point, you’ve heard about the massive data breach at Massachusetts-based TJX Companies. You know, the Largest Data Breach of All Time in which malicious hackers owned the company’s payment system for around two years, repeatedly breaking in, planting malicious programs and ferrying off sensitive credit card and banking card data on tens of millions of TJX customers?

Yeah, that one.

Well, as it turns out, consumers weren’t the only ones who got hit by TJX’s cluelessness. Banks — especially in states like Massachusetts — were also hard hit. Why? Because under current federal law, its banks, not merchants, who have to pay to make customers whole again: forgiving fraudulent purchases on credit and debit cards and, of course, cancelling compromised cards and bank accounts, then issuing new ones to their customers. Needless to say, that’s an expensive process, especially when you’ve got to repeat it 45 million times, as banks across the country will have to do in the wake of TJX. Not surprise, then, that banks aren’t taking this sitting down.

TJX already faces lawsuits from individual banks in the wake of the compromise. But on Tuesday, the Massachusetts Bankers Association took it up a notch: filing a class action lawsuit against TJX in U.S. District Court in Boston that seeks to recover damages in the “tens of millions of dollars.” The MBA is being joined in the suit by the Connecticut Bankers Association (CBA), the Maine Association of Community Banks (MACB), and individual banks as co-plaintiffs, MBA said.

The three bankers associations represent nearly 300 banks and include a slew of smaller local outfits like Saugusbank, Eagle Bank, Collinsville Savings Society in Collinsville, Connecticut. MBA said it expects many other banks to join as the suit progresses.

MBA claims that its members have faced “dramatic costs” in the wake of the massive hack and that the banking associations are filing the lawsuit to protect customer privacy and data security for customer

accounts (awww…isn’t that nice!). The truth has more to do with the bottom line: New England is a hotbed of TJX stores and local banks are among the hardest hit in the nation by the TJX slip up, second, maybe only to California. And, at $25 a pop to replace stolen cards, banks have been bleeding money to clean up after the breach, with reports of “hot” (or stolen) cards still rolling in, according to an MBA statement attributed to Daniel J. Forte, president and CEO of the MBA.

MBA also thinks it has a chance to win in court against TJX, even though similar suits against hacking victims like BJ’s Wholesale failed. (BJ’s eventually settled with the FTC over the incident.)

“There are significant differences between this case and prior data breach lawsuits such as the BJ’s cases in Pennsylvania,” Forte said. “We think we have an advantage trying the case here in Massachusetts; when the BJ’s cases were argued in Pennsylvania, the plaintiffs did not include an unfair trade practices statutory claim, and Massachusetts law allows these claims,” he said.

Banks want to prove that TJX misrepresented its handling of sensitive financial information (saying it was secure, when it wasn’t). The group also wants to raise the stakes of data breaches for merchants, which they argue are the source of most breaches, but bear few of the costs.

If nothing else, TJX has given fuel to debates about passing stronger electronic privacy laws. So far, most of the initiatives on such laws have been industry-based, such as the Payment Card Industry (PCI) security standards.