Where Does TJX Lie On The Naughty-Nice Line?

Almost all of the banks and bank associations still suing TJX agreed to settle for undisclosed sums on Wednesday, in an anticipated move following the collapse of bank's the federal class-action lawsuit against TJX. This all stems from the worst-ever data breach in credit card history, impacting more than 100 million credit/debit cards.

TJX issued a statement Wednesday evening that it had worked out settlement agreements with "all but one of the seven banks and bankers associations" that had sued TJX. The bank holding its ground is Alabama-based Amerifirst Bank.

TJX CEO Carol Meyrowitz issued a statement that TJX has finally achieved PCI compliance. While stressing that it was not releasing the particulars of the settlement, TJX's statement said "the amount paid by TJX primarily reimbursed the settling bankers associations and banks for a negotiated portion of the expenses they incurred in this case," although the banks issued a statement that the compensation specifically excluded attorney's fees.

As part of the settlement, the three bank associations involved—the Massachusetts Bankers Association, the Connecticut Bankers Association and the Maine Association of Community Banks—officially endorsed a TJX settlement with Visa.

"This alternative recovery solution will, in many cases, allow issuing banks to recover more than would otherwise be possible through existing recovery mechanisms," said MBA President Daniel Forte. "The associations advise our members which are Visa issuers to review and favorably consider the offer structured by Visa and where appropriate, accept it prior to the December 19, 2007 deadline."

Presumably, the bank association had been worked out earlier, as it's hard to see that an endorsement announced at 5:11 PM on Dec. 18 would do much good in getting banks to agree to very complicated settlement terms by Dec. 19.

Legally, this case was a major uphill battle for both the consumers and the banks suing TJX because the essence of their cases was trying to prove that TJX was reckless in protecting consumer credit card data. And yet there is no federal or state law that requires a company to take prudent care of such data, which forces plaintiffs to get creative. One key claim, for example, was that TJX committed a fraud to these banks by not having volunteered how weak its security was.

The cases then came down to the quintessential civil court issue of making victims whole. But consumers lost virtually no money—thanks to zero-liability credit card programs—and most bank losses were either small or, TJX successfully argued, were the result of their decisions to take no chances and cancel credit cards, against what TJX also argued was industry standard procedure.

Once a federal judge dismissed the attempt for class-certification last month and forced banks to pursue the cases individually at the state level, most of the cases were doomed because few banks wanted to bother funding their own lawsuits, especially when they would have to pay to start all over again in state court.

Knowing this, TJX took what some bank attorneys have considered overly aggressive negotiation tactics. One bank in Tennessee, for example, had provable fraud losses of more than $150,000, but was offered a settlement of exactly $68, said Joe Whatley, one of the bank attorneys involved in the cases.