Archive for the ‘Case Roundup’ Category

Hacking Conspirator Involved in TJX Data Breach Gets Sentenced to 4 Years

Saturday, March 13th, 2010

Humza Zaman, a co-conspirator in the hack of TJX and other companies, was sentenced Thursday in Boston to 46 months in prison and fined $75,000 for his role in the conspiracy. The sentence matches what prosecutors were seeking.

Zaman, a 33-year-old former network security manager at Barclays Bank, was charged with laundering between $600,000 and $800,000 for hacker Albert Gonzalez, who is currently awaiting sentencing on charges that he and others hacked into TJX, Office Max, Heartland Payment Systems and numerous other companies to steal data on more than 100 million credit and debit card accounts.

To read more, see the complete story on wired.com.

LifeLock to Pay $12 Million to Settle Charges by the FTC and 35 States for False Identity Theft Prevention and Data Security Claims

Wednesday, March 10th, 2010

In one of the largest FTC-state coordinated settlements on record, LifeLock, Inc. has agreed to pay $11 million to the Federal Trade Commission and $1 million to a group of 35 state attorneys general to settle charges that the company used false claims to promote its identity theft protection services. LifeLock and its principals will also be barred from making deceptive claims and required to take more stringent measures to safeguard the personal information they collect from customers.

Since 2006, LifeLock’s ads have claimed that it could prevent identity theft for consumers willing to sign up for its $10-a-month service. The FTC’s complaint charged that the fraud alerts that LifeLock placed on customers’ credit files protected only against certain forms of identity theft and gave them no protection against the misuse of existing accounts, the most common type of identity theft. It also allegedly provided no protection against medical identity theft or employment identity theft, in which thieves use personal information to get medical care or apply for jobs. And even for types of identity theft for which fraud alerts are most effective, they do not provide absolute protection. They alert creditors opening new accounts to take reasonable measures to verify that the individual applying for credit actually is who he or she claims to be, but in some instances, identity thieves can thwart even reasonable precautions.

The FTC charged that LifeLock’s data was not encrypted, and sensitive consumer information was not shared only on a “need to know” basis. In fact, the agency charged, the company’s data system was vulnerable and could have been exploited by those seeking access to customer information.

To read more about this settlement, view the FTC’s press release here. The FTC will use the $11 million it receives from the settlements to provide refunds to consumers. It will be sending letters to the current and former customers of LifeLock who may be eligible for refunds under the settlement, along with instructions for applying. Customers do not have to contact the FTC to be eligible for refunds. Up-to-date information about the redress program can be found at 202-326-3757 and here.

Mass. SJC Affirms Dismissal of Claims against BJ’s Wholesale Club for Data Breach

Thursday, December 24th, 2009

On December 11, 2009, the Massachusetts SJC affirmed the dismissal of claims against BJ’s and Fifth Third Bank by plaintiff credit unions and an insurance company arising out of a data breach that exposed magnetic strip data of credit and debit cards of 9.2 million BJ’s customers.

In Cumis Insurance Society, Inc., et al. v. BJ’s Wholesale Club, Inc., et al., 107 credit unions and Cumis Insurance Society brought suit against BJ’s and Fifth Third alleging that thieves were able to obtain the card information from BJ’s computer systems because BJ’s and its acquiring bank, Fifth Third, breached their contractual obligations, both to each other and to Visa and MasterCard, by storing the magnetic strip data from the back of the cards after a card transaction had been authorized or declined. The plaintiff credit unions sought damages incurred for the cost of replacing the compromised cards. Cumis sought to recover the funds paid to the credit unions to reimburse them for the fraudulent use of the cards.

The credit unions asserted claims for breach of contract on the theory that they were intended third-party beneficiaries of BJ’s contract with Fifth Third Bank and of the Visa and MasterCard regulations that were incorporated into the contract, which specifically included a prohibition on retaining magnetic strip data after a cardholder’s transaction is completed. The SJC affirmed the dismissal of the breach of contract claims finding that plaintiffs failed to establish that there was any intention by BJ’s or Fifth Third that the credit unions were supposed to be the beneficiaries of their contract. In addition, the credit unions could not recover under Visa and MasterCard regulations (specifically, prohibiting the storage of magnetic strip data) because Visa and MasterCard retained the enforcement of their regulations for themselves.

The SJC also affirmed the dismissal of plaintiffs' negligence claims on the grounds of the economic loss doctrine, which prohibits recovery under a negligence theory when the only harm sustained is economic in nature.

Finally, the SJC affirmed the dismissal of plaintiffs' fraud and negligent misrepresentation claims. Plaintiffs' theory was that they relied on BJ’s required compliance with the Visa and MasterCard regulations to not store the magnetic strip data. The SJC found that plaintiffs could not show BJ’s ever made any direct representations to the plaintiffs regarding its compliance with the Visa and MasterCard regulations that would support these claims.

The discussion of the fraud and negligent misrepresentation claims in this case is the most interesting aspect of the decision. The SJC found that even if plaintiffs could establish that defendants made representations about their compliance with the Visa/MasterCard regulations to the plaintiffs, the plaintiffs could not have reasonably relied on those representations because the Visa/MasterCard regulations explicitly include a fine for failing to comply. Quite simply, the system was designed with the expectation that such data breaches would occur. In addition, the SJC noted that the plaintiffs had even insured themselves against such fraudulent losses, showing that plaintiffs expected such a data breach to occur. Finally, the SJC noted that the plaintiffs had ongoing knowledge of noncompliance with the magnetic strip regulation because they received notifications from Visa and MasterCard regarding accounts compromised due to improper retention of magnetic strip data.

Ultimately, there was no theory under which the credit unions could recoup their losses stemming from the data breach.

Which Banks Are Responsible For Credit Card Breaches?

Saturday, August 2nd, 2008

The United States Court of Appeals for the Third Circuit has issued a ruling in Sovereign Bank v. Fifth Third Bank and BJ’s Wholesale Club, Inc., exploring the relative responsibilities and obligations of banks involved in credit card security breaches. It addresses the complex relationships between the credit card company (here, Visa), the banks who issued the credit cards (“Issuers,” such as party Sovereign Bank), the retailers who accept the credit cards (“Merchants,” such as BJ’s) and the banks who work with the Merchants to process credit card transactions (“Acquirers,” such as party Fifth Third Bank). The relationships are governed in part by Visa’s Operating Regulations, which set out standards regarding the use and retention of credit card information.

Generally, losses resulting from fraudulent credit card charges are the responsibility of the Issuing Bank, but that liability can shift to the Acquirer if it resulted from the Acquirer’s violation of Operating Regulations. Sovereign, an Issuer, claimed that happened because Fifth Third’s merchant, BJ’s, failed to destroy information gleaned from customers’ swiped credit cards after it had been used.

The decision explored in depth whether the contractual relationship between Visa and Fifth Third was intended to benefit Issuing Banks such as Sovereign, giving them a right to sue. The Third Circuit, overturning the lower court, concluded that Sovereign could at least make the argument. It also held, however, that Sovereign could not sue BJ’s for negligence, since the losses were purely economic and there was no “third party beneficiary” argument it could construct to reach the retailer.

The matter has been sent back to the lower court for further proceedings. The decision may be found here:

Sovereign Bank v. BJ’s Wholesale Club (document hosted on Scribd)