Heartland, Visa Announce $60 Million Settlement

Funds Would Reimburse Card Issuers for Breach-Related Losses
Heartland, Visa Announce $60 Million Settlement
Heartland Payment Systems announced today that it will pay Visa-branded credit and debit card issuers up to $60 million to cover losses incurred from the Heartland data breach. It is the largest known settlement amount ever paid to Visa as a result of a breach, eclipsing the TJX settlement of $40.9 million in November 2007.

In a statement, Heartland and Visa say the $60 million payment will be subject to certain conditions, including a specified level of participation by Visa issuers. Visa says it will provide issuers details in the coming days. The data breach involved an estimated 130 million credit and debit cards, although not all of them were Visa branded. This settlement with Visa is far larger than Heartland's $3.6 million settlement with American Express, which was announced in December.

Visa executives say they believe issuers will benefit by participating in this settlement program "because it offers an immediate recovery with respect to losses they may have incurred from the Heartland intrusion," according to Visa's chief enterprise risk officer, Ellen Richey. "Helping financial institutions mitigate costs after a data security breach has been a long-standing component of Visa's security strategy, along with promoting new security technologies, preventing fraud and leading efforts to secure sensitive data across the entire payment system."

The Visa/Heartland settlement agreement, according to the announcement, "is contingent upon acceptance by financial institutions representing 80 percent of the eligible issuers' U.S. accounts that Visa considered to have been placed at risk of compromise during the Heartland intrusion."

The settlement also includes mutual releases between Heartland and its sponsoring bank acquirers on the one hand, and Visa on the other. Heartland will fund up to $59.22 million of the amounts to be made available to Visa and its issuers under the settlement program. Additionally, Visa will credit the full amount of intrusion-related fines it previously imposed and collected from Heartland's sponsoring bank acquirers toward the $60 million maximum funding of the program. The settlement amount represents a significant recovery to Visa issuers for losses they may have suffered from the Heartland data security breach.

All U.S. card issuers who participate in the program will be eligible to receive a portion of the specified recovery. The settlement also includes recovery for international issuers of accounts Visa considered to have been placed at risk of compromise.

The announcement says taking part in the settlement program supplants any other recoveries that may be available to issuers through Visa and requires accepting issuers to release Heartland, its sponsoring bank acquirers and Visa from any legal and financial liability related to the Heartland intrusion.

Visa will be notifying eligible issuers in the coming days with details about the program and how to participate, and Visa will send eligible issuers their formal offers to participate in the program on January 14, 2010. To facilitate payment, eligible issuers will have until January 29, 2010 to opt-in to the program before the offer expires.

Settlement Good for Heartland
Industry analyst Avivah Litan of Gartner sees the $60 million settlement as a good deal for Heartland. "This seems like a very fair settlement, and it seems like Heartland escaped the tremendous costs that TJX incurred - $139 million plus - despite the fact that Heartland's breach was more extensive," Litan says.

Litan believes the settlement was directly due to the "collegial spirit" and tone that Bob Carr, President of Heartland, took from the outset of the breach. "He was reasonable and worked as productively as he could with Visa and the banks. This worked well for him and others, as it avoided the much higher costs that Heartland would have incurred from endless litigation."

The nature of the settlement also reflects the "maturity" of this market, Litan notes. "Visa and its member banks have much more experience with breaches now than they did when the TJX breach hit," she observes. They know how to settle these matters more amicably. A $60 million settlement seems reasonable, she says.

"In the end, the crooks made off with over $50 million dollars, which is still a staggering amount of money that was made from just a couple of clever computer programs," Litan says.


About the Author

Linda McGlasson

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.




Around the Network