This is a very interesting read. The banks suing TJX retained an expert (former security guru for MasterCard) to opine on TJX's failure to follow security standards. In particular, PCI. You can find the expert opinion that was filed with the court here: Bank Expert Opinion
A few interesting points:
(1) PCI is being set up as the legal standard of due care. It does not appear that compliance was very close in this one, but for cases on the fringe, we are going to have courts deciding what compliance with PCI means; and
(2) the expert used reports generated by TJX's own security auditors against TJX.
On number (2), I always advise my clients to attempt to get their audits under the umbrella of attorney-client privilege (or work product). Basically, retain the security assessor as an expert to assist with legal/regulatory compliance review. This at least gives an argument of attorney-client privilege and may allow companies like TJX to keep these extremely damaging reports out of evidence (although admittedly the privilege is often leaky). Not sure if that was done in the TJX matter (if it was, does anybody know how they lost the privilege?).