Heartland's Acquiring Banks Sued

Credit EligibleAs a BankInfoSecurity.com annual member, this content can be used toward your membership credits and transcript tracking. Click For More Info

Five financial institutions have filed a class action suit alleging that two acquiring banks, Heartland Bank and Key Bank, should be included as defendants and share responsibility for damages caused by the Heartland Payment Systems data breach.

Lone Star National Bank, PBC Credit Union, O Bee Credit Union, Seaboard Federal Credit Union and Pennsylvania State Employees Credit Union filed the class action complaint in the U.S. Southern District Court in Houston, TX on Tuesday. Heartland Bank is based in St. Louis, MO, and Key Bank is based in Cleveland, OH.

The case was brought after a proposed $60 million Visa/Heartland data breach settlement, which would result in banks and credit unions accepting the offer receiving only "pennies on the dollar," according to one of the lawyers representing the financial institutions.

Visa estimates the losses because of the breach total $140 million, according to its Account Data Compromise Recovery (ACDR) formula, says Richard Coffman, co-lead counsel for the financial institutions in the class action suit. "That number is mythical and has nothing to do with reality," Coffman says, suggesting that the real losses aren't known by Visa. Coffman advises that affected institutions should review carefully the proposed settlement between Heartland and Visa. He says the proposed settlement has several weak points; namely it:

Click to Get Updates on the Latest Information Security News

Company* Title* Email* Subscription Type: HTML Text Healthcare Enews General Healthcare Enews Blogs Enews Careers Enews Training Enews Webinars Enews Podcasts Enews White Papers Enews Government Enews General Government Enews Blogs Enews Careers Enews Training Enews Webinars Enews Podcasts Enews White Papers Enews Banking Enews General Banking Enews Blogs Enews Careers Enews Training Enews Webinars Enews Podcasts Enews White Papers Enews Credit Union Enews General Credit Union Enews Blogs Enews Careers Enews Training Enews Webinars Enews Podcasts Enews White Papers Enews Need Help?

"[The settlement] is being touted for reasons that are not entirely accurate," Coffman says. The amount of money being offered to the affected institutions is "pennies on the dollar," says Mike Caddell, the class action suit's co-lead counsel. The notice of settlement was made on Jan. 14, and gave those institutions only 15 days to decide whether to participate. "There were over 86 million Visa cards compromised by the data breach," says Caddell. Once an institution factors in the cost of cancelling and reissuing the credit card and the unauthorized charges it had to eat, an institution's share of the settlement will not amount to much, Caddell explains. One institution that is suing Heartland has already spent more than $1 million in fraud reimbursement and card replacement. The potential list of institutions affected by the breach may number in the thousands.

What led to the filing of the complaint against the acquiring banks was that "other potentially liable parties are released by contributing little, if anything, to the settlement," says Coffman. He says the most egregious aspect of the proposed settlement is that Heartland's acquiring banks, KeyBank and Heartland Bank, which also are potentially liable for the data breach damages, will receive a complete release of any liability even though they are contributing little, if anything, to the settlement. "The majority of the settlement funds are provided by Heartland, which is downplaying its ability to pay any more money," Coffman says. "Yet, KeyBank has $97 billion of assets and Heartland Bank has over $1 billion of assets, which suggests that there are additional sources of money to compensate the issuers for their damages. "If I were an executive of a financial institution harmed by the Heartland data breach," he says, "I would seriously question whether Visa truly has the best interests of its network members at heart," he adds. Heartland's Offer: Not Like TJX Settlement

The settlement's selling points are not quite accurate, adds Joe Sauder, a lawyer at Chimicles & Tikellis, one of the firms involved in the Heartland class action suits. "In the informational webinars conducted by Visa, the issuers were told that this settlement is similar to the one in the TJX data breach case where approximately 97 percent of the financial institutions elected to participate."

Visa and Heartland omitted some important information, he says. The Visa settlement in TJX occurred much later in the litigation process. "The court had issued opinions denying the issuers' motion for class certification and narrowing their legal claims, which meant, as a practical matter, there was no viable alternative for the issuers but to accept the settlement or file individual lawsuits," Sauder explains.

In the Heartland case, it is early in the litigation process. "There has been no formal discovery. There also are other important factual differences between TJX and the Heartland case.

"Every institution out there has to do its own analysis to know what their damages are," says Coffman.