Heartland Update: Class Action Suit Filed

Processor Charged with 'Belated and Inaccurate statements' about Breach
Heartland Update: Class Action Suit Filed
Exactly one week after the Heartland Payment Systems (HPY) breach was first announced to the public, the first lawsuit has been filed against the payments processor. Heartland Payment Systems data breach coverage

The class action lawsuit filed Tuesday by Chimicles & Tilellis LLP of Haverford, PA in the U.S. District Court for the District of New Jersey on behalf of Woodbury, MN resident Alicia Cooper, asserts that Heartland "made unreasonably belated and inaccurate statements concerning the breach."

The complaint says Heartland does not appear to be offering any credit monitoring services or other relief to consumers affected by the breach. Chimicles & Tilellis' complaint also says in addition to the questionable timing of the announcement of its breach, (Read Heartland Class Action suit PDF) "there are materially misleading statements and omissions in Heartland's public description of the breach and its consequences."

Heartland announced the breach in a press release on the same morning of President Barack Obama's inauguration.

The law firm says it is suing on behalf of consumers whose sensitive financial information was compromised in the data breach at Heartland. The complaint raises a claim pursuant to the New Jersey Consumer Fraud Act, and asserts causes of action for negligence, breach of implied contract, breach of contracts to which Plaintiffs and Class members were intended third party beneficiaries, breach of fiduciary duty, and negligence. The payments processor did not disclose how many credit card account numbers were compromised as a result of the breach.

Heartland is the fifth largest payment processor in the country and handles 100 million transactions per month for more than 250,000 small retailers, gas stations, restaurants and other small and midsized companies.

The suit also states that Heartland only became aware of the breach after it was notified of patterns of fraudulent credit card activity by VISA and MasterCard. "Analysts have stated that the fact that Heartland did not detect the breach on its own suggests that it had not implemented (or was not using) all of the security controls called for by the Payment Card Industry Data Security Standard ("PCI"), a set of security controls mandated by the major credit card companies," the suit asserts.

If the TJX breach is any measure, then other lawsuits against Heartland can be expected to be filed. In the TJX case, the mega retailer was hit with a class action lawsuit filed by banking associations and financial institutions after institutions had to spend millions to cover the cost of customers' card replacements as well as deal with the negative publicity surrounding the breach. More than eight financial institutions have already said publicly that they have been informed by VISA and MasterCard that their customers' credit and debit cards were compromised as a result of the Heartland breach.


About the Author

Linda McGlasson

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.




Around the Network