Heartland's Acquiring Banks Sued

Institutions Act in Response to Proposed Visa Settlement
Heartland's Acquiring Banks Sued
Five financial institutions have filed a class action suit alleging that two acquiring banks, Heartland Bank and Key Bank, should be included as defendants and share responsibility for damages caused by the Heartland Payment Systems data breach.

Lone Star National Bank, PBC Credit Union, O Bee Credit Union, Seaboard Federal Credit Union and Pennsylvania State Employees Credit Union filed the class action complaint in the U.S. Southern District Court in Houston, TX on Tuesday. Heartland Bank is based in St. Louis, MO, and Key Bank is based in Cleveland, OH.

The case was brought after a proposed $60 million Visa/Heartland data breach settlement, which would result in banks and credit unions accepting the offer receiving only "pennies on the dollar," according to one of the lawyers representing the financial institutions.

Visa estimates the losses because of the breach total $140 million, according to its Account Data Compromise Recovery (ACDR) formula, says Richard Coffman, co-lead counsel for the financial institutions in the class action suit. "That number is mythical and has nothing to do with reality," Coffman says, suggesting that the real losses aren't known by Visa. Coffman advises that affected institutions should review carefully the proposed settlement between Heartland and Visa. He says the proposed settlement has several weak points; namely it:

Offers little money to the banks affected in the breach;
Gives them little time to decide whether to take part in the settlement;
Releases Heartland and other parties that may be liable.

"[The settlement] is being touted for reasons that are not entirely accurate," Coffman says. The amount of money being offered to the affected institutions is "pennies on the dollar," says Mike Caddell, the class action suit's co-lead counsel. The notice of settlement was made on Jan. 14, and gave those institutions only 15 days to decide whether to participate. "There were over 86 million Visa cards compromised by the data breach," says Caddell. Once an institution factors in the cost of cancelling and reissuing the credit card and the unauthorized charges it had to eat, an institution's share of the settlement will not amount to much, Caddell explains. One institution that is suing Heartland has already spent more than $1 million in fraud reimbursement and card replacement. The potential list of institutions affected by the breach may number in the thousands.

What led to the filing of the complaint against the acquiring banks was that "other potentially liable parties are released by contributing little, if anything, to the settlement," says Coffman. He says the most egregious aspect of the proposed settlement is that Heartland's acquiring banks, KeyBank and Heartland Bank, which also are potentially liable for the data breach damages, will receive a complete release of any liability even though they are contributing little, if anything, to the settlement. "The majority of the settlement funds are provided by Heartland, which is downplaying its ability to pay any more money," Coffman says. "Yet, KeyBank has $97 billion of assets and Heartland Bank has over $1 billion of assets, which suggests that there are additional sources of money to compensate the issuers for their damages. "If I were an executive of a financial institution harmed by the Heartland data breach," he says, "I would seriously question whether Visa truly has the best interests of its network members at heart," he adds.

Heartland's Offer: Not Like TJX Settlement

The settlement's selling points are not quite accurate, adds Joe Sauder, a lawyer at Chimicles & Tikellis, one of the firms involved in the Heartland class action suits. "In the informational webinars conducted by Visa, the issuers were told that this settlement is similar to the one in the TJX data breach case where approximately 97 percent of the financial institutions elected to participate."

Visa and Heartland omitted some important information, he says. The Visa settlement in TJX occurred much later in the litigation process. "The court had issued opinions denying the issuers' motion for class certification and narrowing their legal claims, which meant, as a practical matter, there was no viable alternative for the issuers but to accept the settlement or file individual lawsuits," Sauder explains.

In the Heartland case, it is early in the litigation process. "There has been no formal discovery. There also are other important factual differences between TJX and the Heartland case.

"Every institution out there has to do its own analysis to know what their damages are," says Coffman.

About the Author

Linda McGlasson

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.

Around the Network