Heartland Breach: Claims DismissedCourt Denies Compensation to Institutions
The Heartland breach, announced in January 2009, was the first card processor breach to attract international attention. A multiparty complaint against Heartland ultimately resulted, after the Judicial Panel on Multidistrict Litigation consolidated individual suits filed by consumers and U.S. banking institutions seeking financial compensation for losses suffered as a result of systems breach.
But earlier this month, after more than two years of litigation, District Judge Lee Rosenthal dismissed the majority of those claims, saying the plaintiffs failed "to state a claim upon which relief can be granted."
One exception, however, was noted in Rosenthal's ruling. A violation of the Florida Deceptive and Unfair Trade Practices Act claimed in one of the banking institution suits may be amended. Rosenthal found that the banks' and credit unions' claim could be heard if amended to include more than one state's law and inclusion of more specific details about alleged contractual violations.
Heartland argued the claim must be dismissed "because only consumers, as the word is traditionally used, may assert claims under the FDUTPA."
If amended, the institutions have until Dec. 23 to file their revised complaint. A status conference has already been set for Jan. 13.
Gonzalez' crimes cost companies, banks and insurers nearly $200 million, according to the Department of Justice. Thousands of financial institutions reported losses associated with the Heartland breach, including M&T Bank, Citi and HSBC. Heartland later settled with major card brands, including Visa, for $60 million, Discover, for $5 million, and MasterCard, for $41.4 million. But litigation stemming from losses suffered by card issuers lingered.
Plaintiffs' suits against Heartland claimed the data breach resulted from Heartland's failure to follow the PCI Data Security Standard.
Jeffrey Roman contributed to this article.