On January 17, 2007, a computer hacker accessed the computer systems of TJX Companies, Inc., the parent company of T.J. Maxx, Marshall’s and other retailers, and stole sensitive and confidential information communicated during customer transactions dating back to 2003. Fraudulent use of this stolen information has thus far been detected in Florida, Georgia, Louisiana, Hong Kong and Sweden. As a result of this incident, numerous class actions have been filed against TJX on behalf of consumers whose information was stolen.
In addition to the harm caused to consumers, this security breach has also required banks to cancel hundreds of thousands of credit and debit card transactions. As a result, the incident spawned a class action, filed by AmeriFirst Bank on behalf of other similar banks, that is currently pending against TJX in the U.S. District Court for the District of Massachusetts. AmeriFirst alleges claims for negligence, breach of contract and negligence per se, based on the failure of TJX to adhere to the customer records privacy and data security safeguards mandated by the Gramm-Leach-Bliley Act (“GLBA”). While the GLBA does not provide for a private right of action, AmeriFirst asserted an innovative argument. This theory alleges that the GLBA and the Federal Trade Commission’s rules establish generally accepted standards of conduct, the breach of which constitutes negligence.
If this theory is accepted, it could result in added exposure and liability for financial institutions across the country. Accordingly, all companies possessing confidential consumer data will inevitably need to reevaluate their security systems to ensure that adequate safeguards are in place to prevent similar incidents from occurring in the future. Companies should use the TJX example as motivation to assess whether they are compliant with the Payment Card Industry Data Security Standard, which requires merchants and Internet service providers to restrict access to cardholder data,5 as well as the Fair and Accurate Credit Transactions Act (FACTA) disposal rule, which requires that “any person who maintains or otherwise possesses consumer information for a business purpose” must take “reasonable measures” to prevent unauthorized use of discarded consumer information.6 The FACTA disposal rule also applies to employee information, such as background checks.