January 30, 2007 | written by Bruce Cundiff
TJX Breach reaches new highs (lows?)
A class action lawsuit has been filed on behalf of everyone who had their card (and, to a lesser extent, personal) information stolen in the TJX breach. The company is getting it from both sides: until now the talk has been about the potential for banks to seek reparations for the breach.
My main problem with this is how the losses will be valued. It’s an open question for which I don’t yet have an answer (and welcome comments!!).
On the bank side: what if Bank X decides that the only way to deal with this is to cancel and reissue all cards? Bank Y, on the other hand, decides that customer notification is the only action necessary. Different actions, with very different associated costs. So can Bank Y only receive remuneration for the action it actually undertook? That can get really complicated really quickly.
On the consumer side: similar complications, similar disparity, and similar potential for confusion. It could be a debit card vs. credit card issue in terms of recovery of lost funds due to fraudulent transactions (which is also partially dependent on the reaction of the individual issuer). If my card information was stolen but I was not subject to any losses (or any fraudulent transactions, for that matter), am I still entitled to damages?
Obviously, I’m not a lawyer…otherwise I’d have all the answers to those questions. But it raises the question of whether lawsuits are the best method of dealing with data breaches, or whether they are just opportunistic. Again, I don’t really know, but I will be watching this closely.
Javelin’s research still indicates that a small percentage of identity fraud (6%) is due to data breaches. An even smaller percentage (0.8%) of data breach victims become identity fraud victims.
It seems as though we’ve reached a tipping point with TJX, though. A lot of that might be the perception of a somewhat cavalier attitude (“they waited a whole month to let the public know,” “they were suffering this breach from MAY to DECEMBER??”) from TJX—a perception which they are working to change, by the way, although with what success remains to be seen. It looks like we’ll be seeing a mix of lawsuits and further legislation, hopefully along with sound policies among those companies vulnerable to data breaches moving forward…
I’m not buying that they were trying to help by waiting a month. That is a total lie. It will be a long time before I give them any of my business. They should have come public with this as soon as they knew there was a problem and they know it. This company has major internal problems in the IT area. I cannot say how I know but I have heard from a fairly reliable source. So I can’t say that I’m not disgusted by the response and the patheticness to try and win consumers back. I’d have more sympathy if they admitted they screwed up.
I am not defending TJX here, but delaying notification is nothing new. And in their case, it was only a few weeks. There have been a number of data breaches where the delay was much longer.
Also, to my knowledge, it is not a crime to have your network hacked. All the class action law firms can do is plead “negligence” I suppose. Does someone know what federal or state laws TJX (not a financial institution) possibly violated? Is this a common law issue or UCC? Please comment if you truly know.
Thanks for your comment and question, Tom. We are not attorneys, so we don’t have in depth insight into the laws that TJX may have violated. The secondary information we have seen from news reports on the lawsuits indicates that consumers are seeking damages for “hav[ing] their privacy rights violated, hav[ing] been exposed to the risk of fraud and identity theft, and hav[ing] otherwise suffered damages.” No mention of any ‘law’ that was broken.
On the FI side of things, it seems to be the same story. FIs are seeking damages for either losses incurred due to fraud that can be directly attributed to TJX’s action/inaction, or to the repair work that they have to do (canceling and reissuing cards, etc.). It seems as though this is all related to ‘negligence’ on the part of TJX, but it remains to be seen what laws were broken. The Massachusetts Bankers Association has been leading this charge (maybe due to TJX being headquartered in MA), and I have heard that similar organizations in New Hampshire and elsewhere are mulling their options as well.
We’ll be following this closely—it seems like this particular data breach may be a tipping point in the use of litigation as a reaction.
http://www.boston.com/news/local/massachusetts/articles/2007/02/07/massachusetts_leads_multi_state_probe_into_tjx_data_breach/
This article from the Boston Globe says the attorney general of Massachusetts is leading a multi-state probe. Also, as you noticed, Tom, there is a class action suit filed claiming “negligence” on the part of TJX. As we discussed in our August report, “Data Breaches and Identity Fraud: Misunderstanding Could Fail Consumers and Burden Businesses,” there are many different states (31 and counting) with different data breach laws on the books and different disclosure requirements. For example: according to CA law SB1386, the data breach notification of any California card holder, whether or not the breach occurred in another state, must be made in “the most expedient time possible and without unreasonable delay.” Notice may be delayed only “if a law enforcement agency determines that the notification will impede a criminal investigation.” Apparently, this law enforcement clause is the one TJX is trying to claim.
One of the problems is that one business, in this case, TJX, may be the source of the data breach, allegedly by capturing and storing data that was not supposed to be kept under network rules; but it is other businesses which pay the price for the breach, for example, the issuing FIs which have to close the accounts, absorb losses, and re-issue cards. The Issuers then try to make the case to pass their costs on to the network credit card associations, which in turn try to levy fines against the original retailer, similar to the childhood game of musical chairs. The question remains: who will be last left in the hot seat? This example underscores the need for Federal laws to unify data breach disclosure requirements and better protect consumers.
Thanks Mary for the link.
And you helped confirm my thoughts. Other than the nebulous concept of “negligence,” which might be a stretch, the main area of concern for enterprises is running afoul of the 31+ different data / security breach laws. Any multi-state retailer probably should comply with an aggregate of the most aggressive parts of all 31 statutes (no easy task in itself).
One major issue with nationwide data breach legislation is, of course, what it ends up morphing into. There were a number of high profile attempts in 2006, which I tried to keep up with on my blog. It was exhausting. And these attempts resulted in language that many think watered down the best protections in various states. Enterprises have a case (31 laws = too confusing/expensive) and consumer advocates do too (don’t weaken the strong state laws).