Three state banking associations announced Tuesday that they have filed a joint lawsuit against TJX Companies over "dramatic costs" their 300 members have incurred since the discount retailer announced that hackers infiltrated its processing systems, exposing some 45 million credit card numbers.
The Massachusetts Bankers Association (MBA), the Maine Association of Community Banks, and the Connecticut Bankers Association are co-plaintiffs in the lawsuit against Framingham, Mass.-based TJX.
The company, which operates about 2,500 stores including Marshalls and T.J. Maxx outlets, revealed late last month that hackers stole 45.7 million pieces of data when they illegally accessed TJX databases during 2005 and 2006.
Merchant banks have been forced to cover replacement cards — up to $25 each — as well as any costs associated with fraudulent purchases, the MBA said in a statement. The organization has previously said the stolen data was used for purchases in Florida, Georgia, Louisiana, Hong Kong and Sweden.
"Cases of fraud due to the TJX breach have been reported all over the world," the statement said. "At the time that the MBA is filing this lawsuit, banks throughout New England continue to receive lists of ‘hot' cards that have been exposed in the TJX data breach, more than three months after TJX first disclosed the problem."
Daniel Forte, president and CEO of the MBA, said the three banking associations are seeking the recovery of "tens of millions of dollars" in damages.
The lawsuit could have merit if TJX acted with negligence, Forrester vice president and research director Jonathan Penn told SCMagazine.com today.
"That's the burden they're going to face in this suit," he said.
Andy Serwin, a San Diego lawyer specializing in data privacy and security, told SCMagazine.com that in his experience, many lawsuits similar to this one get tossed out in court. He said it is difficult for plaintiffs to make a case because many of the laws governing electronic privacy allegations have yet to be fully understood.
"The states are all over the place," he said. "You're applying old law to situations that were never anticipated. Where the line is going to get drawn ultimately, it's not that clear yet."
He said some states will let retailers off the hook if a criminal act caused the data exposure.
"Ultimately, we're going to see new insurance products out there to deal with risk," Serwin said.
A legal debate such as this may soon be unnecessary in Massachusetts. State lawmakers have proposed a bill that makes retailers responsible for data losses.
A TJX spokesperson could not immediately be reached for comment.
Click here to email reporter Dan Kaplan.