Five additional states have filed lawsuits against TJX over the massive data breach that exposed some 45.7 million credit card numbers to hackers, the retailer reported on Thursday in a federal regulatory filing.
Framingham, Mass.-based TJX, which operates more than 2,000 locations, including hundreds of Marshalls and T.J. Maxx stores, was named in lawsuits in Illinois, Michigan, Ohio, Texas and Missouri, according to the filing with the Securities and Exchange Commission (SEC). The company previously has been named in lawsuits in Massachusetts, Alabama and California and in Puerto Rico and six Canadian provinces.
The plaintiffs mostly contend in the lawsuits that TJX exhibited "negligence" related to the intrusions in which thieves quietly pilfered sensitive customer data for two years until TJX detected the breach last December.
A company spokesperson did not return a telephone call for comment. CEO Carol Meyrowitz apologized for the breach to a number of stockholders at the company’s annual shareholders meeting earlier this week.
Some of the new lawsuits also name Cincinnati-based Fifth Third Bank, the credit card processor for TJX, as a defendant. A bank spokesperson could not immediately be reached for comment.
The banks responsible for issuing the credit and debit cards must cover the millions of dollars of costs associated with the breach, according to most state laws. But by filing the lawsuits, banks and customers are calling for TJX to be held liable, Diana Kelley, an analyst with the Burton Group, told SCMagazine.com today.
"They’re saying, ‘We’d like somebody to absorb the costs of this. We didn’t do anything improper, yet we’re incurring huge fees for the replacement of these cards and the notifications to cardholders.’"
Kelley said Minnesota has approved a law that shifts the burden to the merchants in the event of a data breach, and Massachusetts and Texas are considering similar measures.
"I’m looking at this as a watershed moment," she said. "I do think we will look back [at TJX] and say, ‘This really started to change things.’"
The SEC filing also reported that TJX is the subject of a 37-state attorneys general investigation studying whether the company violated any laws related to consumer protection. TJX is not believed to have been Payment Card Industry (PCI) compliant because Visa has since said it is not aware of any compliant companies ever being breached.
At least one financial institution is not waiting for a court to decide whether TJX is responsible for absorbing the fees. According to media reports, Brockton, Mass.-based HarborOne Credit Union has billed the company for $590,000 – $90,000 to replace credit cards and $500,000 for alleged brand reputation damage.
Meanwhile, TJX on Thursday reported 2007 sales are up three percent compared to the same 17-week period last year.