Apparently, the TJX breach could have been bigger than previously estimated. According to court papers filed by plaintiff banks and bankers associations seeking class certification (described in this article from Computer World), TJX's breach actually exposed 94 million records, not the 45 million records previously announced. According to the banks, the costs to card-issuing companies on Visa accounts alone already total between $68 and $83 million.
So what will the practical effect of all this be for TJX? More bad publicity, for one, but that shouldn't be a surprise. There will also be higher legal fees, since more money at stake means that everyone involved will fight more tenaciously. Will TJX be forced to pay the banks' losses? That's a more interesting question. Individuals who try to recover from retailers that suffer data breaches generally have little success (see, e.g., this post about a case which was thrown out in the Seventh Circuit). However, the bankers might have better luck. Individuals often lose because courts determine that they can't prove damages from a breach, but the bankers are in a much better position to put actual numbers on the harm they claim to have suffered. On the other hand, the current case is taking place in Boston, and Massachusetts (like every other state in the country except Minnesota) does not have a law which shifts the costs of a breach from banks to retailers. This is the case even though Massachusetts was considering such a law earlier this year (see here for an article on that proposed law). My guess is that courts would be reluctant to shift costs from retailers to banks when the legislature considered and rejected such a cost shift itself.
Happily, I'm not personally involved in this case, so I can just watch and see how it shakes out.