Judge Dismisses Most Complaints in Heartland Data Breach Suit

A U.S. District Court judge dismissed most of the complaints brought by a number of financial institutions against Heartland Payment Systems Inc. regarding its January 2009 data breach, though the possibility remains for the institutions to file amended complaints.

The breach was one of the largest ever recorded, with some 130 million credit and debit card accounts, including thousands issued by credit unions, having been compromised as a result of months of criminal hacking in 2008. At least 178 credit unions were among the nearly 600 financial institutions that then had to reissue cards.

The complaints represented a consolidation of suits brought by three credit unions (GECU in El Paso, Texas; MidFlorida Federal Credit Union in Lakeland, Fla.; and Matadors Community Credit Union in Chatsworth, Calif.) and two banks (Amalgamated Bank of New York, N.Y., and Farmers State Bank of Marcus, Iowa) that had declined to take part in previous settlements reached when Visa and MasterCard and Discover sued Heartland on behalf of their clients. Consumer lawsuits were consolidated separately.

U.S. District Judge Lee Rosenthal of the U.S. District Court for the Southern District of Texas dismissed nine of the 10 complaints against Heartland, ruling in favor of the plaintiffs only on a claim brought under the Florida Deceptive and Unfair Trade Practices Act.

In her 62-page decision, Rosenthal indicated that she ruled against the plaintiffs because the financial institutions were not specifically protected as “third-party beneficiaries” in contracts between Heartland and its two acquiring banks, Heartland Bank and KeyBank, and in contracts between Heartland and the major card brands. She also ruled that the institutions were not consumers and therefore could not make any claims of misrepresentation or negligence under consumer protection laws.

At the time the breach was announced, estimates indicated that Washington credit unions would spend more than $2 million in response. Exact figures are difficult to determine because of reporting constraints and because the breach went unreported for so long.

Northwest Credit Union Association (NWCUA) Senior Vice President and General Counsel Stacy Augustine indicated that the result of the suit may have been different had it been filed under legislation related to security breaches that  was passed in 2010 by the Association’s legislative affairs team. HB 1149 allows a financial institution to recoup costs associated with a data breach from a negligent merchant.

“This suit was filed before Washington enacted its data breach reimbursement law,” Augustine said. “It will be interesting to see if institutions are able to find satisfaction in such cases in the future given the new legislation.”

The financial institutions involved in the case now have until Dec. 23, 2011, to amend their master complaint.


Questions or Concerns? Contact Matt Halvorson, Anthem Editor: mhalvorson@nwcua.org.

Posted in Compliance News.