Computerworld - The Massachusetts Supreme Judicial Court affirmed a lower court ruling dismissing a lawsuit brought against BJ's Wholesale Clubby dozens of credit unions over a 2004 data breach.
The court held that the credit unions could not seek restitution from BJs on their claims that the wholesaler had breached a third-party contract and had misrepresented facts about its compliance with payment industry security standards.
The ruling last Friday is similar to numerous others that have been handed down by courts in recently and highlights the challenges that plaintiffs face in winning tort actions against companies that suffer massive data breaches.
Just last week, a federal court in New Jersey threw out a shareholder lawsuit against Heartland Payment Systems that disclosed a major data breach in January. The court essentially said that the data breach by itself did not demonstrate Heartland's lack of commitment to maintaining a high level of security.
Framingham, Mass.-based BJs in March 2004 disclosed that hackers had gained access to systems that stored credit-card transaction data. The initial intrusion had taken place in July 2003, but the breach wasn't discovered until Feb 2004. In that time, the hackers responsible for the intrusion, who have since been arrested, accessed magnetic stripe data on more than 9 million credit and debit cards.
BJs later admitted that the compromise stemmed from its failure to purge magnetic stripe data from its systems as it was required to under payment card industry security standards mandated by MasterCard and Visa. Credit unions and banks had to spend millions of dollars blocking and reissuing cards that were compromised in the breach. Many also had to deal with fraud arising from the use of the stolen card data.
More than 60 credit unions along with their insurer CUMIS Insurance Society Inc, sued BJs in April 2005. The lawsuit claimed that the wholesaler's failure to purge the prohibited data violated an agreement it had with Fifth Third Bank, the "acquiring" financial institution which was responsible for processing BJs credit-card transactions. As an acquiring bank, Fifth Third was responsible for ensuring that BJs complied with all of the requirements of MasterCard and Visa's payment card industry security standards.
The credit unions claimed that they were one of the intended third-party beneficiaries of the contractual agreement between BJs and Fifth Third Bank. They argued that BJs' breach of that contract also represented a breach of the third-party beneficiary contract. They also claimed that BJs had been negligent in its duty to protect cardholder data and had negligently misrepresented facts about its compliance with payment industry security standards when in fact it wasn't.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
Richi Jennings: Eolas shakedown -- please don't feed the (patent) trolls