Inside the Belly of a Data Breach Class Action

Few people have not heard of the TJX class action that is currently pending in federal district court in Boston. At least, few people have not heard of the events which gave rise to the claims. But a closer look at the filings in that case reveals how procedurally complicated such claims really are and, more importantly, how customers are still viewed as not suffering sufficient harm to warrant any significant award of damages.

The crazy part, of course, is TJX’s reaction to the breach in question. The breach is reported to be much, much larger than initially acknowledged. Just to put things into perspective, TJX originally said that 45 million accounts were compromised. The latest reports put that figure closer to 94 million! It’s tough to know how to react to that. Reports have also surfaced that (Threat Level blog):

TJX failed to detect the sniffer for seven months and also failed to notice that the intruders siphoned 80 gigabytes of stored data from a TJX server and transferred it over TJX's own high-speed connection to another location.

Evan Schuman has a slew of stories on all aspects of the data breach (e.g., here). 

It’s surprising to learn that the focus of the dispute pending in the federal district court in Boston is actually the claims of the financial institutions (the card issuers), not the consumers. Earlier in October, the court heard a Motion to allow the dispute to proceed on a class action basis. (Access one of the class certification motions here.) The court has yet to rule on that issue, but it revealed much about its perspective on the dispute. As Schuman reports on the court's comments, the case could come down to a misrepresentation/negligent misrepresentation theory, i.e., that TJX failed to advise the card issuers of its lax security procedures:

You're going to have to prove that TJX made negligent misrepresentations. That it was under a duty to speak and didn't speak and knew what its problems were and didn't say to MasterCard and Visa that they weren't encrypting and the like . . . .  That's why MasterCard and Visa acted to allow TJX to get into the electronic, plastic monetary exchange upon which the economic health of the nation now rests.  It would seem that the nature of the negligent representations by omission, if that's really the plaintiff's theory here, is a failure to be forthcoming to MasterCard and Visa about the antiquated and deficient operation within TJX.    

Note that the financial institutions are not really arguing that TJX failed to abide by its affirmative obligations to safeguard customer credit card information. (They did bring some such claims, but it appears the Court dismissed those, leaving mostly a misrepresentation theory standing.) While the reports seem to show that TJX had sufficient notice of its lax procedures that plaintiffs will have ample ammunition to make the requisite showing, this is not always the case.

As for the individual customers?  pwned.  

There’s really not much else you can say to describe their situation. Of course, the rules in place between the customers and card issuers dramatically limit the individual liability of customers for improper use of their card information. Or so the theory goes. It's tough not to envision customers spending hours sorting through the issues and battling (on the phone) with the card issuers. But it seems like the court is inclined to approve a settlement which requires TJX to give each customer the choice between a $30 voucher (which, as expected, can be spent at a TJX store) or $15 in cash. An attorney for the individual customers originally filed a state court class action lawsuit. TJX removed the lawsuit and consolidated it with the one brought by the financial institutions. The individual customers moved to return the dispute to state court, but the court denied their request. (You can access that order, which provides a great overview of the procedural minefield -- from the individual plaintiffs' perspective -- that is this case, here.)
 

 