Mass. Supreme Court throws out lawsuit against BJs over '04 data breach

The Massachusetts Supreme Judicial Court affirmed a lower court ruling dismissing a lawsuit brought against BJ's Wholesale Club by dozens of credit unions over a 2004 data breach.

The court held that the credit unions could not seek restitution from BJs on their claims that the wholesaler had breached a third-party contract and had misrepresented facts about its compliance with payment industry security standards.

The ruling last Friday is similar to numerous others that have been handed down by courts in recently and highlights the challenges that plaintiffs face in winning tort actions against companies that suffer massive data breaches.

Just last week, a federal court in New Jersey threw out a shareholder lawsuit against Heartland Payment Systems that disclosed a major data breach in January. The court essentially said that the data breach by itself did not demonstrate Heartland's lack of commitment to maintaining a high level of security.

Framingham, Mass.-based BJs in March 2004 disclosed that hackers had gained access to systems that stored credit-card transaction data. The initial intrusion had taken place in July 2003, but the breach wasn't discovered until Feb 2004. In that time, the hackers responsible for the intrusion, who have since been arrested , accessed magnetic stripe data on more than 9 million credit and debit cards.

BJs later admitted that the compromise stemmed from its failure to purge magnetic stripe data from its systems as it was required to under payment card industry security standards mandated by MasterCard and Visa. Credit unions and banks had to spend millions of dollars blocking and reissuing cards that were compromised in the breach. Many also had to deal with fraud arising from the use of the stolen card data.

More than 60 credit unions along with their insurer CUMIS Insurance Society Inc, sued BJs in April 2005. The lawsuit claimed that the wholesaler's failure to purge the prohibited data violated an agreement it had with Fifth Third Bank, the "acquiring" financial institution which was responsible for processing BJs credit-card transactions. As an acquiring bank, Fifth Third was responsible for ensuring that BJs complied with all of the requirements of MasterCard and Visa's payment card industry security standards.

The credit unions claimed that they were one of the intended third-party beneficiaries of the contractual agreement between BJs and Fifth Third Bank. They argued that BJs' breach of that contract also represented a breach of the third-party beneficiary contract. They also claimed that BJs had been negligent in its duty to protect cardholder data and had negligently misrepresented facts about its compliance with payment industry security standards when in fact it wasn't.

Two lower courts, however, dismissed the claims and the case was in the process of being appealed by the credit unions when the Supreme Court on its own initiative transferred the case from the Appeals Court.

In its ruling affirming the appeals court opinion, the high court noted that the contract between BJs and Fifth Third had been an exclusive contract between the two entities that was not meant to be enforced by third parties.

"That the plaintiffs derive a benefit from a contract between others does not make them intended third-party beneficiaries and does not give them the right to enforce that agreement," associate Justice Judith Cowin wrote on behalf of court.

In dismissing the negligence claims, the court held that the credit unions had failed to establish that BJs owed them a legal duty and that it was the breach of this legal duty that caused them injury. Since the only injury in this case was economic loss and since there was no physical harm or property damage involved, the credit unions were barred from pushing ahead with negligence claims, the court said. The court also held that any assertions BJs may have made about its being compliant with payment industry security standards did not quite mean the company was willfully or negligently misrepresenting facts.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld . Follow Jaikumar on Twitter @jaivijayan , send e-mail at or subscribe to Jaikumar's RSS feed? .

More from IDG:

Original story