In Re TJX Companies Retail Security Breach Litigation

524 F. Supp. 2d 83, 2007 U.S. Dist. LEXIS 77236, 2007 WL 2982994

• Court: District Court, D. Massachusetts
• Decided: October 12, 2007
• Docket: Civil Action 07-10162-WGY
• Status: Published

Opinion

MEMORANDUM AND ORDER

YOUNG, District Judge.

I. INTRODUCTION

In what has been described as the largest retail security breach ever, criminals hacked into the computer systems of TJX Companies, Inc. (“TJX”) and compromised the security of at least 45,700,000 customer credit and debit accounts. See Joseph Pereira, Breaking the Code: How Credit-Card Data Went Out Wireless Door, Wall St. J., May 4, 2007, at Al. Financial institutions have brought suit seeking to recover their costs arising out of the resulting fraudulent transactions and the need to replace the compromised cards.

II. PROCEDURAL BACKGROUND

As described in McMorris v. TJX Companies, Inc., 493 F.Supp.2d 158, 160-61 (D.Mass.2007), numerous cases were filed after TJX disclosed that its data security had been compromised. Almost immediately, this Court began consolidating the cases filed in the District of Massachusetts.. See id. The Multi-District Litigation Panel subsequently entered an order transferring to this session of the Court all the cases filed in federal courts wherever located. In re TJX Cos. Customer Data Sec. Breach Litig., 493 F.Supp.2d 1382, 1383 (J.P.M.L.2007).

Once consolidated, this case proceeded on two separate tracks: a Consumer Track for a putative class action brought by consumers, and a Financial Institutions Track for a putative class action brought by issuing banks. The issuing banks asserted claims against TJX as well as Fifth Third Bank and Fifth Third Bancorp (“Fifth Third”) for (1) breach of contract; (2) negligence; (3) negligent misrepresentation; and (4) violation of Massachusetts General Laws chapter 93A. Am. Compl. [Doe. No. 81] (“TJX Compl.”) ¶¶ 89-123; Am. Compl. [Doc. No. 82] (“Fifth Third Compl.”) ¶¶ 69-85, 94-101. The issuing banks further assert claims against Fifth Third based on negligence per se. Fifth Third Compl. ¶¶ 86-93. 1

TJX and Fifth Third moved to dismiss both tracks. The Consumer Track has since settled in principle, thus apparently mooting the motions to dismiss that track. The motions to dismiss the Financial Track are the subject of this memorandum.

III. FACTUAL ALLEGATIONS IN THE AMENDED COMPLAINT

In July 2005, computer hackers began hacking into TJX’s systems to access the personal and financial information of shoppers. TJX Compl. ¶ 49; Fifth Third Compl. ¶ 37. The stolen information was used to make fraudulent purchases. TJX Compl. ¶ 48; Fifth Third Compl. ¶ 36. TJX did not discover the security breaches until fourteen months later, in December 2006. TJX Compl. ¶ 43; Fifth Third Compl. ¶ 31.

At the heart of this case is a complex web of relationships between TJX and financial institutions. The plaintiffs are issuing banks that issued credit cards and debit cards to consumers, who used these cards to make purchases at TJX’s stores. When customers presented a credit or debit card during a sale, TJX sent the account information to its bank, Fifth Third, for verification. Fifth Third then transmitted the account information to the issuing banks, who would authorize the transaction, through credit card networks operated by Visa and MasterCard. TJX Compl. ¶¶ 53-59; Fifth Third Compl. ¶¶ 12-18.

Card Operating Regulations issued by Visa (‘Visa Operating Regulations”) and MasterCard (“MasterCard Operating Regulations”) mandate that retailers safeguard cardholder information. TJX Compl. ¶¶ 60, 64; Fifth Third Compl. ¶ 19, 23. Fifth Third has contracts with Visa and MasterCard that require Fifth Third to comply with these regulations. TJX Compl. ¶ 62; Fifth Third Compl. ¶ 21. TJX and Fifth Third have a contract that similarly requires TJX to comply with the Visa and MasterCard Operating Regulations. TJX Compl. ¶ 63; Fifth Third Compl. ¶22. TJX and Fifth Third allegedly failed to take necessary steps to safeguard consumer information, leading to the security breach and thereby violating the Operating Regulations. See TJX Compl. ¶ 1; Fifth Third Compl. ¶ 2.

Fifth Third submitted the MasterCard Operating Regulations (which are allegedly confidential) to the Court for in camera review with the consent of the issuing banks; this Court also received portions of the Visa Operating Regulations. In analyzing the contract claims, it is appropriate to consider these materials. See, e.g., Beddall v. State St. Bank & Trust. Co., 137 F.3d 12, 17 (1st Cir.1998). The parties must understand, however, that while the Court can well appreciate why MasterCard and Visa keep these regulations confidential in order to protect all parties (and consumers as well), this Court cannot base its public conclusions on data it keeps secret. See Richardson v. United States, 477 F.Supp.2d 392, 405 n. 18 (D.Mass.2007). Submission of such documentation, therefore, constitutes a waiver of confidentiality to the extent the Court relies on these materials.

IV. DISCUSSION

To survive the motion to dismiss, the issuing banks must set forth factual allegations which, if taken as true, provide “plausible grounds” from which to draw the reasonable inference of each fact essential to each element of a claim. Bell Atl. Corp. v. Twombly, — U.S. -, 127 S.Ct. 1955, 1965, 167 L.Ed.2d 929 (2007). The Supreme Court explained that “more than labels and conclusions” are required and that “a formulaic recitation of the elements of a cause of action will not do.” Id.

Although Bell Atlantic abrogated Conley v. Gibson, 355 U.S. 41, 78 S.Ct. 99, 2 L.Ed.2d 80 (1957), Bell Atlantic approvingly noted the First Circuit’s recognition of Conley’s limitations in O’Brien v. DiGrazia, 544 F.2d 543, 546 n. 3 (1st Cir.1976). 127 S.Ct. at 1969. Indeed, despite Conley’s apparent authority to the contrary, the First Circuit has long “eschew[ed] any reliance on bald assertions,” Chongris v. Board of Appeals of Town of Andover, 811 F.2d 36, 37 (1st Cir.1987), cert. denied, 483 U.S. 1021, 107 S.Ct. 3266, 97 L.Ed.2d 765 (1987), and declined to credit allegations of a “general scenario which could be dominated by unpleaded facts.” Dewey v. University of New Hampshire, 694 F.2d 1, 3 (1st Cir.1982), cert. denied, 461 U.S. 944, 103 S.Ct. 2121, 77 L.Ed.2d 1301 (1983). In this fashion, the First Circuit has long “required more than conclusions” and “insisted on at least the allegation of a minimal factual setting.” Id. For these reasons, this Court does not read Bell Atlantic as materially altering the motion to dismiss standard in the First Circuit.

A. Contract Claims

The issuing banks allege that they are third-party beneficiaries of contracts between TJX and Fifth Third and between Fifth Third and credit card associations such as Visa and MasterCard. These contracts required TJX and Fifth Third to safeguard consumer data. TJX and Fifth Third have both moved to dismiss this claim.

The parties agree on the law but disagree on its application to this case. Massachusetts employs the standard set forth in the Restatement (Second) of Contracts § 302 to identify intended beneficiaries who have enforceable rights under contracts. 2 Rae v. Air-Speed, Inc., 386 Mass. 187, 195, 435 N.E.2d 628 (1982). Section 302 states:

(1) Unless otherwise agreed between promisor and promisee, a beneficiary of a promise is an intended beneficiary if recognition of a right to performance in the beneficiary is appropriate to effectuate the intent of the parties and ...

(b) the circumstances indicate that the promisee intends to give the beneficiary the benefit of the promised performance.

The case law makes clear that, pursuant to the “unless otherwise agreed” language in section 302, a promisor and promisee may expressly disclaim the existence of intended third-party beneficiaries. When this is the case, no third parties have enforceable rights under the contract. See, e.g., Pennsylvania State Employees Credit Union v. Fifth Third Bank, 398 F.Supp.2d 317, 324 (M.D.Pa.2005). The rationale is “contracting parties should be able to control who may sue on the contract.” Id. at 325.

Here, the parties dispute whether there are effective express disclaimers that would prevent the issuing banks from being considered intended beneficiaries. TJX and Fifth Third point to a provision in the Merchant Agreements, which reads:

This Agreement is for the benefit of, and may be enforced only by, Bank and Merchant and their respective successors and permitted transferees and assignees, and is not for the benefit of, and may not be enforced by any third party.

Bryan R. Blais Decl. [Doc. No. 93] (“Blais Deck”), Ex. B, ¶ 17; see also G. Shaun Richardson Deck [Doc. No. 99] (“Richardson Deck”), Ex. A, ¶ 16 (containing identical wording).

The issuing banks respond that the Merchant Agreements incorporate the MasterCard and Visa Operating Regulations and provide that, in the event of conflict, the Operating Regulations prevail over the Merchant Agreements:

Merchant agrees to participate in Networks in compliance with, and subject to, the by-laws, operating regulations and/or other rules, policies and procedures of such organizations and subject to any rules which may be published by Bank and distributed to Merchant .... In the event of a conflict between the Operating Regulations and this Agreement, the Operating Regulations shall prevail.

Richardson Deck, Ex. A, at ¶ 1; see also Blais Deck, Ex. B., at ¶ 1 (“Merchant agrees to participate in VISA, MasterCard, and Other Associations in compliance with, and subject to, the by-laws, operating regulations and/or all other rules, policies and procedures of such organizations as in effect from time to time

The MasterCard Operating Regulations 3 include the following passage:

The basic purpose of the Corporation [MasterCard] is to provide to its members the advantages of widespread interchange while modifying each member’s local operations as little as possible. In keeping with this philosophy, the specifications as to forms and procedures contained in these rules are considered to be the minimum standards necessary to make credit and debit interchange workable.

These rules are intended to be solely for the benefit of the corporation and its members.

MasterCard Operating Regulations, at 1. The issuing banks allege that they are members and, as such, are intended beneficiaries of the MasterCard Operating Regulations. The issuing banks further note that the MasterCard Operating Regulations include an indemnity provision. MasterCard Operating Regulations § 1.1.

The MasterCard Operating Regulations state, however, that MasterCard “shall have the sole right to interpret and enforce” the MasterCard Operating Regulations. MasterCard Operating Regulations § 1.2. Although the MasterCard Operating Regulations include a forum selection clause, the MasterCard Operating Regulations state that this “provision shall in no way limit or otherwise impact” MasterCard’s sole right to interpret and enforce the MasterCard Operating Regulations. Id. § 1.4.

Consequently, while the issuing banks may be intended beneficiaries of the MasterCard Operating Regulations, the MasterCard Operating Regulations make clear that only MasterCard can enforce their terms and thus that the issuing banks have no right to file suit to achieve that end. As a result, the MasterCard Operating Regulations do not conflict with the provisions in the TJX and Fifth Third contracts denying third parties, such as the issuing banks, the ability to enforce the terms of the contracts.

The Visa Operating Regulations are similarly consistent with the Merchant Agreements. The Visa Operating Regulations may be designed to ensure the vitality of the Visa network and consequently benefit those who are members of that network. Like the MasterCard Operating Regulations, however, the Visa Operating Regulations fail to require that the issuing banks be allowed to assert third-party beneficiary claims. Indeed, the Visa Operating Regulations appear expressly to negate such a theory insofar as they “do not constitute a third-party beneficiary contract as to any entity or person ... or confer any rights, privileges, or claims of any kind as to any third parties.” Visa Operating Regulations, § 1.2C (emphasis added). Furthermore, the Middle District of Pennsylvania, which apparently is privy to a greater portion of the Visa Operating Regulations than this Court, indicated that, like MasterCard, Visa reserves the right to interpret the Operating Regulations and to determine when they have been violated. See Sovereign Bank v. BJ’s Wholesale Club, Inc., 2006 WL 1722398, at *4, *5 (M.D.Pa.2006); see also id. at *7 (quoting Visa representative’s statement that the Operating Regulations were not intended to create “ ‘direct rights of enforcement between’ [members]”).

In sum, the issuing banks’ argument that the contracts between Fifth Third and Visa and MasterCard empower them to bring suit is undermined fatally by the fact that the Operating Regulations, which were incorporated into these contracts, themselves appear to deny third parties the ability to bring suit. The issuing banks’ assertion that the Operating Regulations conflict with the portions of the Merchant Agreements disclaiming the existence of intended beneficiaries is, for similar reasons, unavailing. Accordingly, this Court dismisses the contract claims.

B. Negligence

Under Massachusetts law, which the parties assume applies here, “purely economic losses are unrecoverable in tort and strict liability actions in the absence of personal injury or property damage.” Aldrich v. ADD Inc., 437 Mass. 213, 222, 770 N.E.2d 447 (2002) (quotation marks and citations omitted). The rationale is partly that “a commercial user can protect himself by seeking express contractual assurances concerning the product (and thereby perhaps paying more for the product) or by obtaining insurance against losses.” Bay State-Spray & Provincetown S.S., Inc. v. Caterpillar Tractor Co., 404 Mass. 103, 109-110, 533 N.E.2d 1350 (1989).

In CUMIS Insurance Society, Inc. v. BJ’s Wholesale Club, Inc., No. 05-1158, slip op. at 8-9 (Mass.Super.Ct. Dec. 1, 2005) (Quinlan, J.), the Massachusetts Superior Court held that the Massachusetts formulation of the doctrine barred the negligence claims in that case. Furthermore, in cases from the Middle District of Pennsylvania, the judge held that the doctrine barred the negligence claims arising out of security breaches such as those present in the instant case. See, e.g., Pennsylvania State, 398 F.Supp.2d at 326-330 (applying Pennsylvania law that is identical to Massachusetts law).

The issuing banks cite Banknorth, N.A. v. BJ’s Wholesale Club, Inc., 394 F.Supp.2d 283 (D.Me.2005), a retail security breach action that applied Maine law, which is more permissive of negligence claims than the Massachusetts standard. That case, however, expressed no opinion on whether negligence claims in a situation such as that in the instant case were in fact barred by the economic loss doctrine under Maine law. Id. at 287. A later case out of the Middle District of Pennsylvania, however,, applied Maine law to facts much like those here and held that, even under Maine law, the economic loss doctrine barred the negligence claims. Banknorth, N.A. v. BJ’s Wholesale Club, Inc., 442 F.Supp.2d 206, 211-14 (M.D.Pa.2006). Whatever the proper application of Maine law, case law is unanimous in holding that the Massachusetts formulation of the economic loss doctrine applies to negligence actions such as the instant one.

The issuing banks fall back on the argument that the economic loss doctrine does not, in any event, bar their negligence claim because they have incurred damage to property in that the compromised cards could.no longer be used and that loss card verification codes were lost. The Middle District of Pennsylvania, however, has rejected this argument:

Plaintiffs ... argument is that the economic loss doctrine does not apply here because BJ’s did nonetheless cause property damage to the cards that had to be replaced. [The credit union] bases this argument on the fact that the cards are tangible property and that the loss of the use of these cards, “physical tangible items[,] constitutes property damage that obviates the economic loss doctrine.” We disagree. A plaintiff must show physical damage to property, not its tangible nature, to avoid the application of the economic loss doctrine. The damages sought here, the costs of replacing the cards, are economic losses.

Pennsylvania State, 398 F.Supp.2d at 330 (citation omitted). This Court adopts this reasoning and holds that the alleged “physical” destruction of the credit cards, debit cards, and security codes should instead be considered economic losses.

For these reasons, this Court grants the motions by TJX and Fifth Third to dismiss the negligence claims. 4

C. Negligent Misrepresentation

Under Massachusetts law, which the parties again assume applies here, the economic loss doctrine does not apply to negligent misrepresentation claims. Nota Constr. Corp. v. Keyes Assocs., 45 Mass.App.Ct. 15, 20, 694 N.E.2d 401 (1998); CUMIS Ins. Soc’y, Inc. v. BJ’s Wholesale Club, Inc., No. 05-1158, slip op. at 7-8 n. 4 (Mass.Super.Ct. Dec. 1, 2005) (Quinlan, J.).

Massachusetts courts follow the Restatement of Torts (Second) section 552. As described in Nota Construction, the elements of negligent misrepresentation are:

In order to recover for negligent misrepresentation a plaintiff must prove that the defendant (1) in the course of his business, (2) supplies false information for the guidance of others (3) in their business transactions, (4) causing and resulting in pecuniary loss to those others (5) by their justifiable reliance upon the information, and (6) with failure to exercise reasonable care or competence in obtaining or communicating the information.

45 Mass.App.Ct. at 19-20, 694 N.E.2d 401. “A claim of negligent misrepresentation is ordinarily one for the jury, unless the undisputed facts are so clear as to permit only one conclusion.” Id. at 20, 694 N.E.2d 401.

TJX contends that there can be no negligent misrepresentation because there is no fiduciary relationship. For this proposition, TJX points to this Court’s holding in Berenson v. National Financial Services, LLC, 403 F.Supp.2d 133 (D.Mass.2005), that on the facts there presented, no negligent misrepresentation arose from a failure to disclose where no fiduciary relationship existed. Id. at 147. This Court did not, however, hold that a fiduciary relationship was a necessary condition for a successful negligent misrepresentation claim based on nondisclosure. On the contrary, the nondisclosure rule has not been restricted to the fiduciary context; as the First Circuit explained, nondisclosure can form the basis of a negligent misrepresentation claim whenever there is- a duty to disclose. First Marblehead Corp. v. House, 473 F.3d 1, 9-10 (1st Cir.2006); see also Berenson, 403 F.Supp.2d at 147 (providing a fiduciary relationship only as example of when required duty to disclose exists). Consequently, the issuing banks need not establish a fiduciary relationship with TJX or Fifth Third in order to prevail on a claim for negligent misrepresentation. 5

In this case, the negligent misrepresentation claim is based on implied representations that TJX and Fifth Third made to the issuing banks that they took the security measures required by industry practice to safeguard personal and financial information. Even if neither TJX nor Fifth Third had direct contact with the issuing banks, TJX and Fifth Third knew that the issuing banks were part of a financial network that relies on members taking appropriate security measures. See Nycal Corp. v. KPMG Peat Marwick LLP, 426 Mass. 491, 497-98, 688 N.E.2d 1368 (1998); Restatement (Second) of Torts § 552, cmts. g, h (1977). Whether the issuing banks’ reliance on the implied security assurances was justifiable is a factual issue inappropriate for resolution on a motion to dismiss. See First Marblehead, 473 F.3d at 11 (“Massachusetts courts have expressed a strong preference that reliance, in the context of negligent misrepresentation claims, be determined by a jury-”). Finally, this case is indistinguishable from CUMIS, in which the Superior Court denied a motion to dismiss a claim for negligent misrepresentation. Slip op. at 7-8. For these reasons, this Court denies the motions by TJX and Fifth Third to dismiss the negligent misrepresentation claims.

D. Chapter 93A

Finally, the issuing banks allege that TJX and Fifth Third have violated Massachusetts General Laws chapter 93A, section 11. TJX contends that it has an insufficient business relationship with the issuing banks to give rise to a chapter 93A violation. Fifth Third objects that Ameri-First has not adequately alleged wrongful acts in Massachusetts. Finally, TJX and Fifth Third contend that the chapter 93A claims must fail on the merits. These objections are addressed in turn.

1. Existence of a Significant Business Relationship

TJX alleges that it has an insufficient business relationship with the issuing banks to support a chapter 93A claim. Massachusetts courts have explained that “to survive the defendant’s motion to dismiss, the plaintiffs must show that the defendant had a commercial relationship with the plaintiffs or that the defendant’s actions interfered with trade or commerce.” First Enterprises, Ltd. v. Cooper, 425 Mass. 344, 347, 680 N.E.2d 1163 (1997) (internal quotation marks omitted); see also Standard Register Co. v. Bolton-Emerson, Inc., 38 Mass.App.Ct. 545, 551, 649 N.E.2d 791 (1995) (noting relationship must consist of something more than “a minor or insignificant business relationship.”).

TJX relies heavily on Mitzan v. Medview Servs., Inc., No. Civ.A. 98-01211, 1999 WL 33105613 (Mass.Super.Ct. Jun. 16, 1999)(Doerfer, J.). In that case, plaintiff chiropractors entered into an agreement with a preferred provider organization (“PPO”), agreeing to accept reduced billing rates. Id. at *1. The PPO shared the reduced billing rates with discount brokers who in turn shared the information with automobile insurers. The automobile insurers then refused to pay above the chiropractors’ reduced billing rates. Id. at *2-3. The chiropractors brought a chapter 93A claim against the discount brokers for sharing their billing rates with the auto insurers. Id. at *8. The court held that the relationship between the chiropractors and the discount brokers could not support a chapter 93A claim. Id. at *9.

Notably, the relationship between the parties in Mitzan was linear. The chiropractors contracted with the PPO, which in turn contracted with the discount brokers. Any contact between the chiropractors and the discount brokers was fortuitous. In this case, however, the relationship between the various parties is necessarily circular, from TJX to' Fifth Third to the issuing banks, and back. TJX and the issuing banks must communicate, through Fifth Third, with one another to determine whether the desired transactions between TJX and its customers ought proceed. Although TJX receives payments from Fifth Third, the payments are generally contingent on the issuing banks agreeing to pay Fifth Third for the transactions. These interactions between TJX and the issuing banks occurred tens of millions of times. Such a commercial relationship cannot be described as merely incidental. Accordingly, this Court holds that there is a sufficient business relationship between TJX and the issuing banks to support the issuing banks’ chapter 93A claim against TJX.

2. Center of Gravity of Unfair and Deceptive Trade Practices

Fifth Third tries a different tack in opposing the issuing banks’ chapter 93A claim. Fifth Third alleges that AmeriFirst has not adequately alleged wrongful acts in Massachusetts. Chapter 93A, section 11 requires that the unfair or deceptive trade practices have occurred “primarily and substantially within the [CJommon-wealth” of Massachusetts. The burden is on Fifth Third to prove that the alleged unfair or deceptive trade practices did not occur primarily or substantially within Massachusetts. Mass. Gen. Laws ch. 93A, § 11. The Supreme Judicial Court has explained that center of gravity determinations are best made “after making findings of fact [ ] and considering those findings in the context of the entire ... claim.” Kuwaiti Danish Computer Co. v. Digital Equip. Corp., 438 Mass. 459, 472-73, 781 N.E.2d 787 (2003).

In CUMIS, the Superior Court held, in the context of a motion to dismiss, that there was a sufficient relationship to Massachusetts with respect to Fifth Third because the retailer was based in Massachusetts and the plaintiff was engaged in trade or commerce in Massachusetts. Slip op. at 10. Although AmeriFirst, the-lead plaintiff in the action against Fifth Third, is an Alabama corporation, Fifth Third allegedly maintains offices in Massachusetts. Furthermore, this lawsuit revolves around security breaches occurring at TJX, a Massachusetts corporation. For these reasons, this Court holds that there is here alleged a relationship to Massachusetts sufficient to survive Fifth Third’s motion to dismiss.

3. Chapter 93A Merits

The issuing banks allege three independent grounds for finding a chapter 93A violation: (1) negligent misrepresentation; (2) violation of the Federal Trade Commission Act; and (3) violation of the Gramm-Leach-Bliley Act. Each of these grounds is addressed in turn.

a. Negligent Misrepresentation

Negligent misrepresentation may be so extreme or egregious as to constitute a chapter 93A violation. CUMIS, slip op. at 10 (quoting Marram v. Kobrick Offshore Fund, Ltd., 442 Mass. 43, 62, 809 N.E.2d 1017 (2004)). Since the issuing banks have stated a claim for negligent misrepresentation that may have occurred on a particularly broad scale, this Court denies the motions by TJX and Fifth Third to dismiss the issuing banks’ chapter 93A claims.

b. Violation of the Federal Trade Commission Act

The issuing banks observe that violations of the Federal Trade Commission Act constitute violations of chapter 93A. See Mass. Gen. Laws ch. 93A, § 2(b); 940 Mass.Code Regs. § 3.16(4); United Cos. Lending Corp. v. Sargeant, 20 F.Supp.2d 192, 200 (D.Mass.1998). The issuing banks then point to two consent orders entered by the Federal Trade Com mission stating that the failure of merchants to take reasonable steps, on behalf of consumers, to safeguard personal information constitutes a violation of the Federal Trade Commission Act. The Massachusetts Supreme Judicial Court has held, however, that consent orders do not constitute authoritative interpretations of federal law. Whitinsville Plaza, Inc. v. Kotseas, 378 Mass. 85, 101, 390 N.E.2d 243 (1979). Accordingly, the alleged violation of chapter 93A cannot be based on this theory.

c. Violation of the Gramm-Leach-Bliley Act

The issuing banks’ final ground for finding a chapter 93A claim is the Gramm-Leach-Bliley Act. The statute was enacted to protect the confidentiality of nonpublic personal information that customers disclose to financial institutions. See 15 U.S.C. § 6801(a). The statutory framework permits financial institutions to disclose financial information to nonaffiliat-ed third parties only in limited circumstances. Id. § 6802(a). Specifically, financial institutions are required to disclose to customers that the financial institutions may provide the information to third parties; generally, customers must be given the opportunity to direct that such disclosures not be made. Id. § 6802(b). Nonaf-filiated third parties who receive nonpublic personal information from a financial institution may not disclose the information except in limited circumstances. Id. § 6802(c).

The issuing banks contend that TJX is a nonaffiliated third party that is regulated by the Gramm-Leach-Bliley Act because it receives nonpublic personal information from the issuing banks. The issuing banks further allege that TJX receives this information from the magnetic strip on credit cards and debit cards when TJX swipes the cards given to them by customers. TJX responds that it is not the issuing banks but the customers who produce the information to TJX. In this view, TJX does not receive financial information directly from the issuing banks, and as such, is not a third party that is regulated by the Gramm-Leach-Bliley Act. 6

TJX has the better of the argument. As generally described, the Gramm-Leach-Bliley Act permits financial institutions to disclose nonpublic personal information to third parties only after informing customers that such disclosures may occur. This framework gives customers the power to direct who may see their nonpublie personal information. See New York State Bar Ass’n v. Federal Trade Comm’n, 276 F.Supp.2d 110, 112 (D.D.C.2003) (“Congress granted broad privacy protections to consumers, giving them the power to choose whether their personal information will be shared by financial institutions.”); id. at 122-24. This framework might apply if the issuing banks wished to disclose information to TJX independent of any action by customers.

Here, however, the customers were the ones who decided that the information ought be disclosed to TJX. They made that decision when they used credit cards and debit cards to make purchases at TJX stores. The issuing banks could not have kept the information from TJX once the customers decided to make such disclosures. For this reason, this Court holds that the Gramm-Leach-Bliley Act does not apply because TJX is not a third party that receives nonpublic personal financial information from the issuing banks. 7 Likewise, therefore, the alleged chapter 93A violation cannot be based on this theory.

V. CONCLUSION

For the reasons described in this memorandum, this Court grants the motions to dismiss the contract claims as well as the negligence and negligence per se claims. This Court denies the motions to dismiss the negligent misrepresentation claims and chapter 93A claims.

SO ORDERED.

1 . The lead plaintiffs in the Financial Track have had some difference in strategy. Although all of the lead plaintiffs have agreed to pursue claims against TJX, only AmeriFirst has pursued claims against Fifth Third. Since the two complaints assert essentially the same claims, based on the same facts, against both TJX and Fifth Third, this memorandum does not distinguish between the complaints except where relevant.

The lead plaintiffs in the action against TJX include bank associations. TJX challenged the standing of these associations in a footnote to its motion to dismiss. Although the associations lack standing to sue for damages on the behalf of individual banks, this Court rules that the associations have standing to seek declaratory and injunctive relief. See Warth v. Seldin, 422 U.S. 490, 515-16, 95 S.Ct. 2197, 45 L.Ed.2d 343 (1975); Pharmaceutical Care Mgmt. Ass’n v. Rowe, 429 F.3d 294, 306-07 (1st Cir.2005).

2 . Ohio, which is specified as the governing law in the contracts between Fifth Third and TJX, has also adopted section 302. Hill v. Sonitrol of Sw. Ohio, Inc., 36 Ohio St.3d 36, 521 N.E.2d 780, 784 (1988)

3 . The portions of the MasterCard Operating Regulations cited herein are found in the MasterCard International Bylaws and Rules.

4 . The issuing banks further allege a claim against Fifth Third for negligence per se. Massachusetts does not, however, recognize such a claim. See Berish v. Bornstein, 437 Mass. 252, 273, 770 N.E.2d 961 (2002). Consequently, this Court must dismiss that claim.

5 . The issuing banks must nevertheless still establish that TJX and Fifth Third had a duty to disclose that it was taking deficient security measures. Since no party addressed this issue in the motions to dismiss, this Court will not address that issue at this time.

6 . Fifth Third did not move to dismiss Ameri-First’s chapter 93A claim to the extent that it is based on the Gramm-Leach-Bliley Act. See Fifth Third Compl. ¶ 98. Consequently, this Court expresses no opinion on the merits of this claim with respect to Fifth Third.

7 . Consequently, this Court has no need to determine whether permitting recovery under chapter 93A is "compatible with the objectives and enforcement mechanisms” of the Gramm-Leach-Bliley Act. See Whitehall Co. Ltd. v. Merrimack Valley Distrib. Co., 56 Mass. App.Ct. 853, 858, 780 N.E.2d 479 (2002).