The TJX Case: It Lives! With a New Theory of Liability: “Unfairness”
Posted on May 2nd, 2009 by David Navetta InfoSecCompliance.com The last two plaintiff-banks still breathing after 1st Circuit Appeal
Little know (or at least discussed) fact: despite announcing settlements with VISA and Mastercard in 2007, the TJX data security litigation is still going. In fact most of the issuing banks impacted by the TJX breach are no longer pursuing TJX and/or have settled via VISA and Mastercard dispute resolution processes.
However, two financial institutions (Amerifirst Bank and SELCO Community Credit Union - hereinafter “Issuing Banks” or plaintiffs) have pressed forward with an appeal of various dismissals and class certification motions to the U.S Court of Appeals for the First Circuit (the “Appellate Court”). The 1st Circuit’s opinion sheds some more (high level) light on the liability risk of payment card data breach security cases. Ultimately, the Appellate Court allowed three theories of liability to proceed, including a previously dismissed theory alleging that TJX’s inadequate security amounted to an unfair business practices under Massachusetts’s unfair and deceptive business practices law.
The main issue on appeal was the ruling on a motion to dismiss by the U.S District Court for the District of Massachusetts (the “District Court”). TJX and Fifth Third Bank (TJX’s merchant bank; collectively referred to as “defendants”) had asked the District Court to dismiss all of the counts alleged in the Issuing Bank’s complaint, including: (1) negligence; (2) breach of contract; (3) negligent misrepresentation; and (4) unfair or deceptive business practices under chapter 93A (Massachusetts’s consumer fraud statute). The District Court dismissed the negligence and breach of contract claim, but allowed the negligent misrepresentation claim and the 93A claim (which was based on negligent misrepresentation) to proceed.
Negligent Misrepresentation
The Appellate Court ultimately refused to dismiss the plaintiff’s negligent misrepresentation claim. However, the Court took a different path than the District Court. First, the court noted that the plaintiffs were not alleging any actual misrepresentation, but rather the plaintiff’s “negligent misrepresentation” was based purely on the defendants’ conduct in performing credit card transactions (in fact, the Appellate Court also referenced the defendants’ conduct in the form of entering contracts requiring certain credit card security measures). While conduct can be part of a misrepresentation, the link between the conduct and the implication must be “tight.” This link may be established by a combination of words and conduct concerning the alleged misrepresentation.