Heartland Update: Class Action Suit Filed
Processor Charged with 'Belated and Inaccurate statements' about BreachThe class action lawsuit filed Tuesday by Chimicles & Tilellis LLP of Haverford, PA in the U.S. District Court for the District of New Jersey on behalf of Woodbury, MN resident Alicia Cooper, asserts that Heartland "made unreasonably belated and inaccurate statements concerning the breach."
The complaint says Heartland does not appear to be offering any credit monitoring services or other relief to consumers affected by the breach. Chimicles & Tilellis' complaint also says in addition to the questionable timing of the announcement of its breach, (Read Heartland Class Action suit PDF) "there are materially misleading statements and omissions in Heartland's public description of the breach and its consequences."
Heartland announced the breach in a press release on the same morning of President Barack Obama's inauguration.
The law firm says it is suing on behalf of consumers whose sensitive financial information was compromised in the data breach at Heartland. The complaint raises a claim pursuant to the New Jersey Consumer Fraud Act, and asserts causes of action for negligence, breach of implied contract, breach of contracts to which Plaintiffs and Class members were intended third party beneficiaries, breach of fiduciary duty, and negligence. The payments processor did not disclose how many credit card account numbers were compromised as a result of the breach.
Heartland is the fifth largest payment processor in the country and handles 100 million transactions per month for more than 250,000 small retailers, gas stations, restaurants and other small and midsized companies.
The suit also states that Heartland only became aware of the breach after it was notified of patterns of fraudulent credit card activity by VISA and MasterCard. "Analysts have stated that the fact that Heartland did not detect the breach on its own suggests that it had not implemented (or was not using) all of the security controls called for by the Payment Card Industry Data Security Standard ("PCI"), a set of security controls mandated by the major credit card companies," the suit asserts.
If the TJX breach is any measure, then other lawsuits against Heartland can be expected to be filed. In the TJX case, the mega retailer was hit with a class action lawsuit filed by banking associations and financial institutions after institutions had to spend millions to cover the cost of customers' card replacements as well as deal with the negative publicity surrounding the breach. More than eight financial institutions have already said publicly that they have been informed by VISA and MasterCard that their customers' credit and debit cards were compromised as a result of the Heartland breach.