Court Zeroes In On What TJX Didn’t Say

Written by Evan Schuman
October 17th, 2007

As the bank lawsuit against TJX gets under way, the judge is focusing less on what TJX did and more on what TJX opted to not say.

TJX knew how "antiquated and deficient" its security efforts were and yet never told MasterCard or Visa, and that silence amounts to negligent misrepresentation. That’s how U.S. District Court Judge William Young summed up what the banks are going to have to prove to win at trial in his courtroom.

In an hour-long federal court hearing Tuesday in Boston, Young peppered attorneys from TJX, TJX processor Fifth Third Bank and banks suing TJX, providing a good sense of where a TJX bank trial might go.

TJX has reached a settlement with a class-action consumer lawsuit and Young is preparing to approve that settlement. That case went relatively easy on TJX because consumers suffered minimal, and often no, monetary damages, thanks to zero-liability credit card programs.

But the banks are the ones that had to reissue credit cards and absorb the fraud losses, so TJX is in for a fiercer fight in that arena.

Tuesday’s hearing involved whether Young would certify many of the banks to sue together as a class—making this into another class-action lawsuit—or whether they would have to proceed individually. Unlike the consumer case, the banks involved could indeed sue on their own, so the question of class certification isn’t likely to kill the case, regardless of how the judge ultimately rules.

The core accusation against TJX is that it was not truthful with the banks—and with Visa and MasterCard specifically—as to the state of its data security operations for its credit cards.

In what is widely considered the largest data breach reported to date, the retail chain in January disclosed that the credit card data of some 46 million consumers fell into unauthorized hands in a series of penetrations from July 2005 to December 2006. TJX filings have raised questions about its encryption practices and its wireless security choices, about whether intruders successfully planted Trojan horses on its systems, and about whether they obtained the company’s encryption key.

In summarizing the plaintiff’s claim, Young said the fraud accusations seem to come down to what TJX did not say, rather than what it did.

"You’re going to have to prove that TJX made negligent misrepresentations. That it was under a duty to speak and didn’t speak and knew what its problems were and didn’t say to MasterCard and Visa that they weren’t encrypting and the like," Young said. "That’s why MasterCard and Visa acted to allow TJX to get into the electronic, plastic monetary exchange upon which the economic health of the nation now rests."

Added Young: "It would seem that the nature of the negligent representations by omission, if that’s really the plaintiff’s theory here, is a failure to be forthcoming to MasterCard and Visa about the antiquated and deficient operation within TJX."

TJX attorney Richard Batchelder argued that the complicated nature of the relationships between banks and the credit card companies and the processors and TJX—coupled with the long duration of these data breaches—makes a class certification inappropriate.

"You described it as an implied security assurance. That means when some customer goes into a store and their card is swiped, that there’s some implied security assurance that in some way, through this complex web, (the assurance) gets back to these member banks and they somehow relied upon that," Batchelder said. "When you look at that as their basis for the negligent misrepresentation case, you can see how class certification isn’t appropriate. Think about it. They’re talking about transactions in 2003, ’04, ’05, ’06, ’07. They’re talking about operating regulations that weren’t even in existence in ’03 and ’04 that then came into effect in ’05 and then changed in ’06. They’re talking about a security system that in ’03, ’04, ’05, ’06, ’07 is developing and evolving, as every merchant’s security system was. So what exactly is the representation being made every single time? How are we possibly going to try that on a class basis? It would be impossible."

TJX’s Batchelder also asked whether the many changes—and vagaries—surrounding the Payment Card Industry Data Security Standard (familiarly known in retail circles simply as PCI) didn’t further complicate matters.

"As you can imagine, TJX has been accepting credit cards and debit cards for a long time, well before this case came about. And when they made that decision (to accept credit and debit cards), there were no PCI standards, there were no rules and regulations as to how you store data or not store data and so forth. Those have all come out recently," Batchelder said. The PCI Council will "say you’re going to have to move to this standard by such and such a date. And so there’s this entire period of time when there’s a standard out there, but you don’t have to comply with it until Visa or MasterCard says you have to comply with it."

Another issue that cropped up a few times in the arguments is whether most banks automatically re-issued credit cards when they learned of the data breach. Attorneys representing some of the banks that are suing TJX said they did and that most banks would have reissued. TJX attorney Batchelder disagreed.

"They talk about 80 percent of banks have (reissued cards). They have the same survey, which they cite twice, that has 90 banks responding to it. That’s it. And those 90 banks, they’re not at all representative of the banks out there in the country. The largest issuers, it’s well-known they do not automatically reissue. It wouldn’t make any economic sense for them to automatically reissue," Batchelder said. "What they do is monitor and select reissuance if they see fraud because they’ve got sophisticated fraud monitoring. These plaintiffs didn’t have that so they just went out and reissued."

One of the attorneys for TJX card processor Fifth Third Bank, Breck Weigel, argued that the fraud accusation comes down to a legal issue of reliance. Reliance means that a company, such as one of the banks suing TJX, made business decisions because it trusted the truthfulness and completeness of TJX’s statements. In this case, he said, it’s unlikely anyone would have believed those representations given what industry officials were saying at the time. He specifically cited the problem of retailers storing Track 2 data: the contents of the card’s magnetic stripe, including the account number, expiration date and service code, which PCI DSS forbids any merchant from retaining after a transaction has been authorized, precisely because a copy of it is enough to clone the card.
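The Track 2 storage problem Weigel raises is something a merchant or assessor can check for directly: scan POS logs, database dumps and debug output for strings in the ISO/IEC 7813 Track 2 layout (start sentinel `;`, PAN, `=` separator, YYMM expiry, three-digit service code, discretionary data, end sentinel `?`) and confirm the embedded PAN passes a Luhn check before flagging it. The Python below is an added example written for this page, not code from the article, TJX or the court record; the log lines are constructed test data and the PAN 4111111111111111 is the standard Visa test number, not a real account.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# ISO/IEC 7813 Track 2 layout: ';' start sentinel, PAN (13-19 digits),
# '=' field separator, YYMM expiry, 3-digit service code, discretionary
# data, '?' end sentinel.  (LRC byte after '?' is ignored here.)
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")


@dataclass
class Track2Hit:
    line_no: int
    masked_pan: str   # first six + last four, the most PCI DSS lets you show
    expiry: str       # YYMM as stored on the stripe
    service_code: str


def luhn_valid(pan: str) -> bool:
    """Standard Luhn mod-10 check used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = ord(ch) - 48
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2(lines: Iterable[str]) -> List[Track2Hit]:
    """Return every plausible Track 2 record found in the given text lines.

    A match is only reported when the expiry month is 01-12 and the PAN
    passes Luhn, which weeds out most random digit runs.
    """
    hits: List[Track2Hit] = []
    for n, line in enumerate(lines, 1):
        for m in TRACK2_RE.finditer(line):
            pan, yy, mm, svc, _discretionary = m.groups()
            if not 1 <= int(mm) <= 12:
                continue
            if not luhn_valid(pan):
                continue
            hits.append(Track2Hit(n, mask_pan(pan), yy + mm, svc))
    return hits


# Constructed sample: a POS debug log that leaked a raw swipe (line 2)
# plus a digit run with a Luhn-invalid PAN (line 3) that must NOT be flagged.
SAMPLE_LOG = [
    "2006-11-03 09:14:02 pos-17 auth request sent amount=42.17",
    "2006-11-03 09:14:02 pos-17 DEBUG raw swipe: ;4111111111111111=0912101123456789?",
    "2006-11-03 09:14:05 pos-17 DEBUG raw swipe: ;1234567890123456=0912101000000000?",
    "2006-11-03 09:15:11 pos-17 auth approved ref=881234",
]


def scan_sample() -> List[Track2Hit]:
    return find_track2(SAMPLE_LOG)


if __name__ == "__main__":
    for hit in scan_sample():
        print(f"line {hit.line_no}: full track data stored, PAN {hit.masked_pan}, "
              f"exp {hit.expiry}, service code {hit.service_code}")
```

Run it against a directory of exported logs or table dumps rather than the sample list; any hit means full track data survived authorization, which is exactly the condition Weigel says Visa and MasterCard were already warning issuers about.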

"There is substantial evidence in this record that there was no reliance. We have a very broad record here, a number of depositions of these issuing banks. They attended meetings where Visa and MasterCard specifically pointed out to them there are merchants out there storing Track 2 data. Visa and MasterCard specifically pointed out to them there are a number of merchants who are not PCI compliant," Weigel said. "So not only do we have the named plaintiffs in this case who attended these meetings and would not have relied upon any authorization, security assurance as we call it, but obviously large financial institutions who are on the board of directors of Visa and MasterCard, certainly they are not relying upon issuing banks or acquiring banks or merchants as to some authorization. That just simply doesn’t exist."

Weigel also argued that a key element of the case will be next to impossible to prove: establishing that the frauds requiring the card reissuances, and the associated costs, were directly and specifically caused by TJX’s breach.

Given that almost one percent of all credit card transactions involve "some sort of fraud," Weigel said, there would have been a healthy number of fraudulent issues during that time period anyway. "The point is there have been a number of high profile credit card compromises. TJX is not the first and it’s not going to be the last. We have Ralph Lauren Polo, we have DSW, we have BJ’s here," he said.

One important theme that has underscored much of the TJX data breach saga has been secrecy, starting with TJX having learned of the breach in mid-December 2006 but not reporting it publicly until mid-January 2007. With so much of the law on its side in the consumer lawsuit, the most pressing factor pushing TJX to settle was the fear of having to reveal embarrassing internal security details in open court.

Judge Young waited until the end of the hearing to address confidentiality and he lectured TJX’s attorneys on abusing discretion and operating in secret when dealing with what the judge called "so-called confidential data."

Young said that there are some confidential elements to this case, including specific details that could allow cyberthieves to break into the systems of TJX and other retailers. "This court has and will respect that," he said.

"But because the Court has acknowledged that from the get-go, and will continue to respect that, you people have chosen to try to gain the litigation advantage for your respective clients in this case behind closed doors. You are taking a sweeping view of what is confidential and what the public cannot see. And you are sadly mistaken," the judge said. "I have carefully gone over the record before me with respect to this motion. There is only one fact, one, that falls within that ambit. And that’s the location of servers and that could have been worked around by use of equivalent phraseology or data. I have people redacting the names of experts here."

The judge then ordered all attorneys to halt sending documents directly to his chambers, labeled confidential. "You will not in the future file any document other than electronically, pursuant to the rules of this court. And the documents you file will be public. Entirely public. You will not file a document under seal and some (cleaned up) document that the public can look at. You will file a public document. If you think anything needs to be filed under seal, you will file a public document, supported by public affidavits, detailing why the specifics, and I am extraordinarily skeptical of your view of what’s confidential. I’ve told you what’s confidential. Things that bear on the actual operation of the computers, the actual security standards for the computers, and the like."

The judge continued that he wanted attorneys to reveal much more to the public. "Given the nature of this case, I don’t see why any of this case, any of it, should be conducted out of the public’s spotlight and it will not be, unless there is a specific reason, persuasive to me, made in public documents," he said.

The judge then issued an order making his public records stance explicit. "I’m especially offended by a filing which said, pursuant to the protective order, we’re doing thus and so. I made it clear in the protective order, it had no application, none, to documents to be filed in court. Therefore, as a sanction for you people not paying attention to my statements along this line, these motions are all denied without prejudice to refiling within a week electronically in accordance with my order. We won’t have any other oral hearing."

Added the judge: "So file what you want to file publicly. I will pay attention to anything that’s filed publicly. None of the arguments we’ve had here, it seems to me — I mean, how do you calculate fraud loss?–it is not and should not be a secret."


One Comment

  1. Mark Tordoff Says:

    Evan –

    Two things gall me about Batchelder’s response.

    One, he seems to assert that consumers somehow don’t believe security is implied when you use a credit card to make a purchase. I, for one, absolutely expect that when I am shopping.

    Second, he is blaming the lack of a regulation and then, once PCI DSS was established, the changes to the regulation for TJX’s poor security. The regulation is to assure the credit card companies of the merchant’s security. Certainly any merchant who values their customers would not wait for the credit card company to tell them how to secure cardholder data? Or, based on Mr. Batchelder’s comment, maybe they would. Wow!

    Finally, not only does he appear to be blaming the lack of a regulation, but he also implicates that TJX wasn’t secure because MasterCard and Visa didn’t begin enforcing the rules immediately. Gee, and most merchants are still saying the current deadlines are too soon more than 9 months after they were published.

    Wouldn’t it be refreshing to actually have someone at TJX accept responsibility and tell us what they’re doing to improve their security? These excuses are getting REALLY old.

    Unfortunately, with no negative impact in their retail stores or in the value of their stock, there’s not a lot of incentive for them to change how they’re dealing with this breach.

