TJX -- Banks File Expert Opinion

This is a very interesting read. The banks suing TJX retained an expert (former security guru for MasterCard) to opine on TJX's failure to follow security standards. In particular, PCI. You can find the expert opinion that was filed with the court here: Bank Expert Opinion

A few interesting points:

(1) PCI is being set up as the legal standard of due care. It does not appear that compliance was very close in this one, but for cases on the fringe, we are going to have courts deciding what compliance with PCI means; and

(2) the expert used reports generated by TJX's own security auditors against TJX.

On number (2), I always advise my clients to attempt to get their audits under the umbrella of attorney-client privilege (or work product). Basically, retain the security assessor as an expert to assist with legal/regulatory compliance review. This it at least gives an argument of attorney-client privilege and may allow companies like TJX to keep these extremely damaging reports out of evidence (although admittedly the privilege is often leaky). Not sure if that was done in the TJX matter (if it was, does anybody know how they lost the privilege?)

TJX Motion to Dismiss Bank's Claims

I came across this ruling in the TJX matter that dismisses some of the banks' claims against TJX: Link

Consistent with past decisions (B.J. Wholesalers) it looks like issuing banks cannot rely on a 3rd party beneficiary theory to go after merchants for breach of contract. Also appears that the economic loss doctrine is still an effective block to general negligence actions.

However, the negligent misrepresentation claim and unfair/deceptive business act claims both survived. The negligent misrepresentation argument was very interesting. Basically, it appears that the issuing banks alleged that by participating in an a financial network that relies on members taking appropriate security measures, TJX made "implied representations" that they would take security measures required by industry practice. The court let these allegations stand, indicating that the economic loss doctrine does not apply to a negligent misrepresentation claim in Massachusetts. In addition the court ruled that the banks' reliance on such implied representations is a question of fact inappropriate for resolution at the motion to dismiss phase. These allegations also serve as the basis for the Banks' unfair and deceptive business practices claims under Chapter 93 of Massachusetts' law.

While the survival of these claims is certainly good news for the banks, TJX may still be able to stop this case from going to trial using a motion for summary judgment further down the line. It will be interesting to see if the Banks can successfully argue that the costs of preemptively reissuing credit cards constitutes "damages" for purposes of negligent misrepresentation.