The TJX Case: It Lives! With a New Theory of Liability: "Unfairness"

The last two plaintiff-banks still breathing after 1st Circuit Appeal
Little know (or at least discussed) fact: despite announcing settlements with VISA and Mastercard in 2007, the TJX data security litigation is still going. In fact most of the issuing banks impacted by the TJX breach are no longer pursuing TJX and/or have settled via VISA and Mastercard dispute resolution processes.
However, two financial institutions (Amerifirst Bank and SELCO Community Credit Union - hereinafter "Issuing Banks" or plaintiffs) have pressed forward with an appeal of various dismissals and class certification motions to the U.S Court of Appeals for the First Circuit (the "Appellate Court"). The 1st Circuit's opinion sheds some more (high level) light on the liability risk of payment card data breach security cases. Ultimately, the Appellate Court allowed three theories of liability to proceed, including a previously dismissed theory alleging that TJX's inadequate security amounted to an unfair business practices under Massachusetts's unfair and deceptive business practices law.

The main issue on appeal was the ruling on a motion to dismiss by the U.S District Court for the District of Massachusetts (the "District Court"). TJX and Fifth Third Bank (TJX's merchant bank; collectively referred to as "defendants") had asked the District Court to dismiss all of the counts alleged in the Issuing Bank's complaint, including: (1) negligence; (2) breach of contract; (3) negligent misrepresentation; and (4) unfair or deceptive business practices under chapter 93A (Massachusetts's consumer fraud statute). The District Court dismissed the negligence and breach of contract claim, but allowed the negligent misrepresentation claim and the 93A claim (which was based on negligent misrepresentation) to proceed. Negligent Misrepresentation The Appellate Court ultimately refused to dismiss the plaintiff's negligent misrepresentation claim. However, the Court took a different path than the District Court. First, the court noted that the plaintiffs were not alleging any actual misrepresentation, but rather the plaintiff's "negligent misrepresentation" was based purely on the defendants' conduct in performing credit card transactions (in fact, the Appellate Court also referenced the defendants' conduct in the form of entering contracts requiring certain credit card security measures). While conduct can be part of a misrepresentation, the link between the conduct and the implication must be "tight." This link may be established by a combination of words and conduct concerning the alleged misrepresentation. The Court then pointed to another Massachusetts's State credit card breach lawsuit (Cumis Ins. Soc. Inc. v. BJ Wholesale Club, Inc. 23 Mass. L. Rep. 550 [Mass Super. 2005]) that granted a defendant a motion for summary judgment on the issue of negligent misrepresentation. In that case, the motion was granted because the implied misrepresentation was based purely on conduct. Based on this the Appellate Court refused to dismiss the negligent misrepresentation count on a motion to dismiss. In its view, the claim was properly pleaded in the complaint, and the proper method for dismissal of the case would be a motion for summary judgment (assuming the plaintiffs could not provide evidence to support their allegations). In its parting words, the Appellate Court ultimately indicated that the claim was "on life support." (e.g. likely to be dismissed on motion for summary judgment). The Appellate Court also considered the District Court's denial of class certification with respect to the negligent misrepresentation claim, and ultimately upheld the District Court's denial. As such, even if the plaintiffs can establish negligent misrepresentation it appears they will have to do so for each individual plaintiff (rather than a class of plaintiffs). Chapter 93A "Unfair" or "Deceptive" Trade Practices The Appellate Court's ruling on the Issuing Banks' 93A claim was actually a bit surprising. The non-surprising aspect was the court's decision to uphold the plaintiff's 93A claim based on negligent misrepresentation. Since the base negligent misrepresentation claim was allowed to stand, the 93A claim based on the misrepresentation also stood, albeit with the same defects according to the Court. The surprise was the Appellate Court's reversal of the dismissal of the plaintiff's other 93A claim. 93A provides a claim for "unfair" or "deceptive" trade practices as between businesses, and "unfairness" can be established by reference to other appropriate sources of law The plaintiffs had alleged that the defendant's lack of security measures, based on various consent decrees issued by the FTC, amount to a violation of the Federal Trade Commission Act, and therefore an "unfair" practice under 93A. The District Court disagreed and held that consent decrees are not appropriate sources of law for purposes of 93A. In reversing the dismissal, the Appellate Court recognized that the plaintiffs allegations went beyond consent decrees and relied on an actual FTC complaint against TJX for the very breach at issue, as well as two other security breach complaints alleging that the lack of appropriate security measures equated to an unfair act or practice. The court noted that use of FTC precedent was directly referenced in 93A itself, and that at least one other Massachusetts court had allowed FTC complaints to serve as the basis of 93A actions. The court also noted that "adjudicated" FTC cases were even more potent (although did not clarify whether a "consent decree" amount to an adjudicated FTC case). Moreover, the Appellate Court rejected TJX's argument that it did not have a close enough business relationship to the Issuing Banks. The Court also refused to limit a 93A actions to "egregious conduct" or "deliberate wrongdoing" at this stage. Rather, this issue was one that would have to be resolved after discovery in the District Court. Negligence The District Court dismissed the plaintiffs' negligence claim based on the "economic loss doctrine", which holds that "purely economic losses are unrecoverable in tort and strict liability actions in the absence of personal injury or property damage." On this claim the plaintiffs argued that they had suffered property damage because they had a property interest in the payment card information which the breach rendered worthless. The Appellate Court disagreed. It recognized that electronic data can have value and that value can be lost, but the loss must be as a result of the physical destruction of property. That was not the case for this security breach, and the District Court's dismissal was upheld. Breach of Contract - Third Party Beneficiary Theory The Appellate Court upheld the District Court's dismissal of the plaintiff's breach of contract claim. Under this theory, the Issuing Banks argued that they were the intended beneficiary of the contract between Fifth Third and TJX. That contract, however, contained the following express provision disclaiming third party beneficiaries:

This Agreement is for the benefit of, and may be enforced only by, Bank [Fifth Third] and Merchant [TJX] . . . and is not for the benefit of, and may not be enforced by any third party.

The plaintiffs argued that this provision was superseded by the Visa and Mastercard Operating Regulations. The court noted that those regulations do indicate that they prevail in any conflict with the provisions of a merchant account, but in this case the court noted, those provisions did not conflict with the third party beneficiary disclaimer in the TJX merchant agreement. The Appellate Court construed the following language in the Mastercard agreement as disclaiming third party beneficiary rights: [Mastercard] "shall have the sole right to interpret and enforce" [its operating regulations]. The Visa Operating Regulations were more explicit, indicating that those regulations "do not constitute a third-party beneficiary contract as to any entity or person . . . or confer any rights, privileges, or claims of any kind as to any third parties." Note that it does not appear that this type of disclaimer existed in early versions of the Visa Operating Regulations (see the use of third party beneficiary theory in the B.J. Wholesaler's case) Class Certification One of the biggest risks for defendants, even where weak theories of liability exist that are likely to yield small recoveries, is the prospect of certification of large plaintiff classes. The District Court held that class certification was not appropriate for the surviving negligent misrepresentation claim and 93A claim (based on negligent misrepresentation). The District Court reasoned that class certification was inappropriate because negligent misrepresentation requires proof that each individual plaintiff relied on the misrepresentation. The Appellate Court, however, questioned whether the newly revived 93A "unfairness" cause of action would require an individual finding with respect to each plaintiff. The Appellate Court noted that the unfairness theory appears to consider what the defendants did (or failed to do) rather than the Issuing Bank's reliance on any misrepresentation. Ultimately, the Appellate Court did not issue an opinion on the certification of the 93A unfairness claim, and instead remanded the question back to the District Court. Conclusion For the most part the Appellate Court's decision represents a victory for TJX, but does open the door to some uncertainty. While the negligent misrepresentation claims (common law and the 93A claim) is viable, class certification has been denied. The plaintiffs have indicated that they will attempt to better define the classes to remedy this defect, but at this point it appears they would have a very difficult road. The "unfairness" theory under 93A, however, presents a wild card. The "unfairness" doctrine has been used by the FTC to allege that a company's security itself was inherently unreasonable and therefore "unfair." Those FTC cases resulted in consent decrees and therefore the unfairness theory has never been truly tested (one commentator believes it was improperly employed by the FTC). Yet it provides a potential hook, especially in this case where TJX was found to have been in non-compliance with 9 of the 12 PCI requirements. Even so, the question remains whether the Issuing Banks will be able to establish damages under 93A. Notably, considering that most States have a similar deceptive practices laws on the books (although not all of them with private causes of action), this "unfairness" theory could have wider application in the security breach context.