TJX Victories From Judge, Visa

In a pair of crucial decisions, TJX has moved quite close to completely clearing itself of the lawsuits from the world's worst credit card data breach.

Those two rulings came from the federal judge overseeing the case—who refused to approve making the case a class-action—and from Visa, which said it would reduce its fine of TJX in exchange for the retailer paying banks as much as $40.9 million.

On Thursday afternoon, U.S. District Court Judge William Young denied the banks' request for class action certification, ruling that many of the banks' situations were too different from each other. Some of the banks had the expense of reissuing the cards while others didn't, for example.

That decision is quite likely to stand, but there are two possibilities for it to change. The U.S. Court of Appeals could overrule Young. Attorneys for the banks have 10 days from Thursday to file that appeal.

The judge himself added a footnote saying that his decision "will need to be reassessed" after he rules on arguments he'll hear on Dec. 11. Those arguments involve a Massachusetts Fair Trade statute (Chapter 93A).

Assuming the judge's decision stands, it could all but kill the banks' actions against TJX because each bank would have to independently pursue litigation against TJX. That's going to be much more expensive than merely being a part of a large class-action effort, and those banks have already spent money on the initial case.

Further complicating whether any of the plaintiff banks would pursue independent lawsuits was a Friday statement issued jointly by TJX and Visa. Here's the full text of the Visa/TJX Agreement.

That Visa/TJX statement said that Visa would forgive "a portion" of the $880,000 in fines that Visa had imposed on TJX's credit card processor. In exchange, TJX will pay an unspecified amount—all that the two said was that it wouldn't exceed $40.9 million—to an unspecified number of plaintiff banks.

The deal won't happen unless it's signed off on by "financial institutions representing 80 percent of the eligible U.S. Visa accounts affected by the data compromise," the TJX/Visa statement said.

To get any of the money, each bank would have to agree to not sue. That's why the Visa statement is so closely connected to the judge's class-action decision.

Banks have until Dec. 19 to accept the deal, the agreement said.

Visa has agreed to suspend any fines that are pending against TJX. "In addition, when Visa's Board of Directors rules on the pending appeal of the fines previously imposed on Fifth Third, the Board will at a minimum rescind the $500,000 Egregious Violation fine, based on the totality of the circumstances known to Visa, including the pre-breach conduct and post-breach efforts of Fifth Third and TJX and their decisions to enter into this Settlement Agreement," the agreement said.

Visa also agreed to restore TJX's credit and debit card interchange fee rates, and did so more quickly than it typically would have. "Such acceleration having reduced the interchange fees paid by TJX by an estimated approximately $10,000 per day," the agreement said.

Visa also promised to let TJX "participate in at least one pilot program of an appropriate security-related payment card technology, if any, that Visa introduces for or makes available for piloting by any merchants in TJX's class within the United States during the twenty-four month period following the date of this Settlement Agreement."

TJX also had to endure some pain, as the contract required that "TJX will serve on at least four occasions during the twenty-four month period following the date of this Settlement Agreement as a spokesperson in support of the goals of the Payment Card Industry."

Industry observers noted the timing: the Visa deal was agreed to and filed with the SEC the same day the judge's class action decision was filed. To resolve this case in the middle of the holiday shopping season would be helpful to retailers. Many of the banks would rather have this distracting case off their plates as well, and Visa, in the middle of a $10 billion IPO, would also rather not have this case hanging over it.

"It's in everyone involved's best interest for this to go away. No one wants consumers to return to using cash or checks, so I think everyone would just like it to go away," said Paula Rosenblum, a retail analyst with Retail Systems Research. "After all, outstanding litigation is not good for IPOs, either."

Rosenblum's associate at Retail Systems Research, Brian Kilcourse, agreed, but added that it's still a mixed bag for the financial players.

"As to whether this is good for the issuing banks or not, I'm not sure it's such a good deal. Consider: as many as 96 million card numbers were exposed to compromise--and something more than 40 million were actually compromised. Security experts estimate that the total per card cost to issuing banks is something in the $25-35 dollar range. So $40 million doesn't begin to cover the true exposure."

Judge Young's decision to not support a class action certification was based on a wide range of factors. One key issue was whether these banks reissued their customers' cards because of the data breach or because of generic fraud risks.

Another key issue is whether TJX misled the banks about whether it was adequately protecting its data. The judge focused on whether banks believed what TJX said and whether they made important decisions based on those statements.

"The record before this Court raises significant questions about whether there was in fact class-wide reliance on TJX and Fifth Third's alleged misrepresentations. For instance, some banks appear to have considered only one factor — the need to keep up with the competition — when making their decisions about card issuance," Young wrote. "Another bank suggested that, at least in some situations, a merchant's failure to comply with data security standards would not cause the bank to alter its behavior. Yet another issuing bank indicated that its beliefs about TJX's security, whatever they may have been, did not influence what security steps it adopted. Furthermore, there is evidence that Visa informed at least some issuing banks that many merchants fail to comply with data security standards."

The judge also expressed concern that some of the plaintiffs and one of the defendants are both issuing banks, meaning that they handle credit card accounts for major retailers.

"While banks that serve only as issuers — such as the named plaintiffs in this case — would clearly benefit from a victory, 'mixed' banks may actually be negatively affected," Young said. "Indeed, a decision that acquiring banks can be held liable in circumstances such as these very well could come back to haunt such 'mixed' banks in the future. The 'mixed' banks' interest in shielding themselves from liability for millions of dollars if they are ever in Fifth Third's position is contrary to the named plaintiff's objectives."