The First Circuit Court of Appeals has ruled that, by accepting credit cards for payment, retailer TJX and its processing bank, Fifth Third, could have negligently misrepresented to credit and debit card issuers that their data security practices were in compliance with the security protocols established by VISA and MasterCard operating regulations. The First Circuit also ruled that, based on either on the issuers’ claim of negligent misrepresentation or a possible violation of Section 5 of the Federal Trade Commission Act, TJX and Fifth Third could have engaged in deceptive practices in violation of Chapter 93A of Massachusetts General Law. While Chapter 93A may require egregious conduct, systemic recklessness, as distinct from deliberate wrongdoing or self-benefit, may be sufficient to sustain a claim.

After a security breach in 2005, in which computer hackers gained access to TJX’s wireless network and compromised the security of more than 45 million customer accounts, credit and debit card issuers filed suit against TJX and Fifth Third to recover losses they sustained as a result of fraudulent use of cardholder information.