After TJX Companies announced early this year that hackers had stolen 45.7 million credit and debit card numbers, the largest data security breach in U.S. history, consumers, banking associations and a pension fund quickly took the retail giant to court.

Several consumer class actions accuse TJX, which operates 2,500 T.J. Maxx, Marshalls and HomeGoods stores, of negligence for failing to maintain adequate security and for failing to disclose the breach for a month. Three state banking associations seek recovery of “dramatic costs” they say their 300 member banks incurred in replacing credit cards and covering the costs of fraudulent purchases. The Arkansas Carpenters Pension Fund, which owns 4,500 shares of TJX stock, sued for access to records to see whether TJX's board was properly overseeing customer data protection. TJX's card processor, Fifth Third Bank, is a co-defendant in some of the suits.

Privacy law experts are closely watching the cases. According to the non-profit Privacy Rights Clearinghouse, these types of breaches have exposed more than 158 million records of U.S. residents since January 2005. But the courts consistently have rejected efforts by consumers, banks and other parties to recover damages. Companies faced with a breach can't afford to be complacent, though. Plaintiffs are testing new arguments in the TJX case and others, and rapidly evolving state privacy laws are opening new avenues for them to pursue.

“We're continuing to see a perfect storm with a large number of new laws with potentially conflicting requirements and ongoing security breaches that should point us to more litigation,” Kirk Nahra, partner in Wiley Rein, told a Practising Law Institute privacy forum in July. “If someone breaks the bank with a class action, a lot of plaintiffs' attorneys are on the sidelines waiting.”

Fear Factor

The plaintiffs' attorneys are still on the sidelines in part because the major federal privacy laws, including Gramm-Leach-Bliley and HIPAA, preclude private rights of action. Many state laws also give attorneys general enforcement power and preclude consumer suits.

“The states feel that a lot of laws are overenforced by private litigants and drive up costs on business,” says Andrew Serwin, partner in Foley & Lardner. “Before you see class actions take off, we will have to see more statutes that include statutory damages.”

Judges dismissed most of the consumer cases that have come to court because the plaintiffs couldn't show damages. That's because banks typically reimburse cardholders for all but $50 of unauthorized charges on their accounts. While identity theft can result in real damage, security breaches rarely lead to identity theft. In a report released in July, the Government Accountability Office studied 24 major security breaches and found that only three resulted in identity theft.

Consumer suits often cite the distress of potential identity theft, but the courts consistently have held that fear of identity theft alone does not trigger damages. In a series of 2006 cases, federal courts in the Southern District of Ohio, the Eastern District of Arkansas, the Central District of Illinois, the District of Minnesota and the District of Arizona rejected consumer actions asserting that an increased risk of identity theft justifies damages. The courts said that potential future injury from the loss of personal data did not satisfy the “injury in fact” required for standing.

“Plaintiffs are still struggling with the square-peg-in-a-round-hole problem,” Nahra said. “They think a wrong occurred but they don't know what to call it.”

Mitigation Litigation

Consumers aren't alone in their struggle to recover damages after security breaches. The first major cost-mitigation suits, filed against BJ's Wholesale Club Inc., failed to recover anything.

After hackers accessed bank and debit card data of the customers of a BJ's Wholesale Club in Miami, the FTC in 2005 issued a complaint against BJ's for failing to provide “reasonable security” for its computer network. Two banks and a credit union then sued BJ's in Pennsylvania federal court, seeking recovery of the costs they incurred as a result of the breach. BJ's joined IBM, from which it had purchased the software used for electronic transactions, as a third-party defendant, claiming it had specifically requested that the software delete identifying information once the system validated a transaction.

The plaintiff financial institutions alleged they were third-party beneficiaries of a contract between BJ's and its card processor, Fifth Third Bank, which obligated BJ's to follow certain security practices. The court rejected this claim because the contract expressly stated that there were to be no third-party beneficiaries. It also rejected the negligence claims under the “economic loss doctrine,” the rule barring recovery in negligence for purely economic losses unless there has been physical injury to a person or damage to property.

One of the plaintiff banks, Banknorth, also asserted an “equitable subrogation” claim on behalf of its cardholders. But the court said the cardholders had not lost anything because the bank covered the unauthorized card use, so there was no claim for the bank to pursue on its customers' behalf. The judge threw out most of BJ's claims against IBM early in the case, and once he had dismissed all claims against BJ's, the rest of its claims against IBM became moot.

What's Ahead

Despite the fate of the BJ's litigation, the banking associations that filed suit against TJX claim their case will succeed because Massachusetts, where they filed suit, allows a statutory unfair trade practices claim. They also will assert negligent misrepresentation, on the theory that TJX represented that it was safeguarding cardholder data when it was not.

Whether TJX will be the breakthrough case remains to be seen. In the meantime, point-the-finger suits are emerging as an important factor for all parties that handle consumer data to consider.

“That wave of litigation over who carries the responsibility is just cranking up,” says Scott O'Connell, partner in Nixon Peabody. “We'll see it for some period of time until the lawyers on the transactions side more carefully assess those risks and contract for it.”

Meanwhile, states are starting to pass data security laws that create causes of action for injured parties. If passed by Congress, comprehensive federal privacy legislation may also assign liability and provide statutory damages for consumers.

“You're going to see either the federal or state governments move to say, 'This is how we're going to deal with these issues, here's who's going to bear the risks, here are the requirements–violate them at your risk,'” Serwin says.