Tuesday, November 27, 2007

Credit, Debit Card Issuers May Maintain Claims Against Retailer for Data Security Breach

This posting was written by Cheryl Beise, Editor of CCH Guide to Computer Law.

Credit and debit card issuers may pursue negligent misrepresentation and state unfair trade practices claims against retailer TJX Companies, Inc. in connection with its well-publicized data security breach affecting millions of customer accounts, the federal district court in Boston has ruled. The court, however, dismissed the card issuers’ breach of contract and negligence claims against TJX.

In 2005, criminals hacked into TJX’s wireless network and downloaded personal and financial information for more than 45 million TJX customer accounts. The stolen information was then used to make fraudulent purchases. The card issuers sought to recover their costs associated with the fraudulent transactions, including replacement of the compromised cards.

Breach of Contract

The court first addressed the card issuers’ breach of contract claims, which were based on their alleged status as intended third-party beneficiaries of the merchant agreement between the retailer and its processing bank. According to the card issuers, TJX breached the merchant agreement by not safeguarding the customer data as mandated by the Visa and MasterCard Operating Regulations, which were incorporated into the merchant agreement.

However, neither the merchant agreement nor the Operating Regulations conferred third-party beneficiary rights on issuing banks, the court held. The merchant agreement expressly disclaimed the existence of any third-party beneficiaries. Likewise, the Visa Operating Regulations expressly stated that they did “not constitute a third-party beneficiary contract” and did not “confer any rights, privileges, or claims of any kind as to any third parties.”


Negligence

The court dismissed the card issuers’ negligence claims because they suffered purely economic losses. Under Massachusetts law, such losses are unrecoverable in tort and strict liability actions absent personal injury or property damage.

Negligent Misrepresentation

The card issuers’ negligent misrepresentation claim was based on implied representations that the retailer and its processing bank allegedly had made to the issuing banks, indicating that they took adequate security measures in accordance with industry standards to safeguard personal and financial information. The court declined to dismiss the claim, noting that nondisclosure could form the basis of a negligent misrepresentation claim if there was a duty to disclose.

Questions regarding whether the retailer and the processing bank had a duty to disclose the allegedly deficient security practices—and, if so, whether the card issuers’ ostensible reliance on the implied security assurances was justifiable—were factual issues inappropriate for resolution on a motion to dismiss, the court pointed out.

Unfair Trade Practice Claim

The court also permitted the card issuers to pursue an unfair and deceptive practices claim under Chapter 93A of the Massachusetts General Laws. TJX asserted that it had an insufficient relationship with the issuing banks to support a Chapter 93A claim. The court, however, allowed the unfair trade practices claim to the extent it was based on TJX’s alleged misrepresentation regarding its security practices.

The October 12 decision is In Re TJX Companies Retail Security Breach Litigation, CCH Guide to Computer Law ¶49,420. It will also appear in CCH Privacy Law in Marketing.
