A lingering lawsuit against Heartland Payment Systems and two acquiring banks, KeyBank and Heartland Bank, appears to have been put to rest.
On March 14, a federal judge in Houston dismissed, for a second time, a suit filed by a group of financial institutions against Heartland and its acquirers for breach of contract, breach of fiduciary duty and negligence, based on the banks' "alleged failure to monitor Heartland's computer-system security." The suit was one of several filed against Heartland in 2009 after a data breach, which went undetected for more than a year, gave cyberhackers access to 130 million payment card accounts.
As the Heartland breach saga unfolded, it was eventually linked to card compromises impacting thousands of banking institutions. Many of those institutions absorbed the losses; others sought legal action.
The opinion, handed down by Judge Lee H. Rosenthal, of the U.S. District Court for the Southern District of Texas, says the plaintiffs' amended complaint "fails to plead that the Visa and MasterCard networks created a joint venture among the issuers and acquirers, which include the [plaintiffs] and KeyBank."
IT security and privacy lawyer David Navetta says the court's ruling is not a surprise. "I think it's pretty much been a pattern," he says. "Issuing banks don't have a direct remedy to recover the amounts that they lost."
Issuing institutions do get a percentage of what payment card companies such as Visa and MasterCard recover in fines levied after a breach. Navetta says decisions passed down from the court reflect the acknowledgment that the compensation provided by Visa and MasterCard is sufficient.
"Looking at the case law - you would have expected more lawsuits in Heartland, if they thought they could win," he says. "Most issuing banks, unless they've lost a ton of money, are not excited to file lawsuits."
In the case of this multi-institution suit, KeyBank moved to dismiss the complaint, and the court granted the motion. According to Rosenthal, the institutions that filed the suit - Lone Star National Bank, Sea Board Federal Credit Union, O Bee Credit Union, PBC Credit Union and Pennsylvania State Employees Credit Union - failed to amend deficiencies in their pleading from an earlier complaint.
In an earlier decision, the judge had ruled that the five financial institutions involved in the lawsuit were not protected as "third-party beneficiaries" in contracts between Heartland and the acquiring banks, KeyBank and Heartland Bank.
KeyBank contracted with Heartland to process Visa and MasterCard payment-card transactions sent by participating merchants. The plaintiffs in the case alleged that KeyBank breached its duties under that contract and that they are third-party beneficiaries. They also alleged that KeyBank breached "its fiduciary duty as a member of the Visa and MasterCard networks," which the plaintiffs characterize as joint ventures.
Other claims were that KeyBank acted negligently by failing to ensure that Heartland complied with the Payment Card Industry Data Security Standard, and that KeyBank is vicariously liable for Heartland's negligence.
The timing of the ruling is interesting, given the newly-revealed Global Payments Inc. breach. Similarities between the Global breach and the Heartland breach are striking in some areas. [See A Tale of Two Breaches.]
But Steve Elefant, the former chief information officer at Heartland who now serves on the counsel team at The Strawhecker Group, says the legal precedents set by suits filed in the Heartland case will likely discourage banks and credit unions from filing similar claims against Global.
"We had lawsuits from everyone from issuers to shareholders to cardholders," Elefant says. "Many of those were frivolous, because the brands protect the issuers, and cardholders are not really affected at all beyond having to use a new card."
This final case, brought against the processor by five issuing banks, is nothing special, Elefant adds. "The only thing about it that stands out is that it dragged out for a while, but that's about it," he says.