The lawsuit stems from a data breach at BJ's that was discovered in 2004 in which hackers gained access to the retailer's network and stole 9.2 million credit card numbers. Thieves subsequently racked up millions of dollars in transactions using the stolen cards. As a result of the breach, the credit unions, which originally issued the stolen MasterCard and Visa cards, had to pay costs associated with canceling the cards and reissuing new ones.After the breach was discovered, BJ's admitted that the transaction processing software it was using permanently stored magnetic stripe data from credit cards after transactions were completed, allowing cybercrooks to steal the data once they breached the merchant's network.
Storing magnetic stripe data after a transaction is completed is in violation of Visa and MasterCard payment card data security standards, which predated the current PCI DSS mandates. BJ's had a contract with its acquiring bank, Fifth Third Bank, and both organizations had a contract with the card brands that they would comply with their security guidelines.
A year after the breach, roughly 70 credit unions and their insurance company, CUMIS Insurance Society, sued BJ's and Fifth Third. The plaintiffs claimed they were third-party beneficiaries of BJ's contract with Fifth Third, entitling them to relief for damages that resulted from the breach.
Also, the plaintiffs alleged that with each transaction that was submitted for approval, BJ's and Fifth Third falsely represented that they were contractually compliant to maintain the security of the credit unions' cardholder information.The case was previously dismissed by two lower courts, which found that BJ's contract with Fifth Third excluded enforcement of the contract by third parties. The credit unions were contesting the decisions in appeals court when the Supreme Court took up the case.
“Since the plaintiffs concede that the defendants made no direct representations to the plaintiffs concerning the defendants' level of compliance with the Visa and MasterCard regulations, the plaintiffs base their negligent misrepresentation claims, like their fraud claims, on the defendants' ‘promises to Visa and MasterCard' and BJ's ‘promises to Fifth Third' to abide by their contractual obligations to comply with Visa and MasterCard's operating regulations,” Associate Justice Judith Cowin wrote in an opinion on behalf of the Massachusetts Supreme Judicial Court.