More Litigation Tied to Heartland BreachCard Issuers Appeal, Argue Processor Was Negligent
Seven card-issuing institutions seeking recovery of financial losses they suffered after the 2008 breach of processor Heartland Payment Systems Inc. have taken their case to a federal appellate court.
These banking institutions are appealing a federal court's dismissal of their negligence claims under New Jersey law against Heartland, arguing that the processor did not take reasonable security measures to avoid the risk of a "foreseeable intrusion" into its network that resulted in the theft of an estimated 130 million U.S. payment cards in 2008.
The card issuers have asked the Fifth Circuit federal appellate court to reverse the lower court's decision. That decision favored Heartland's claim that the institutions had a contractual relationship with Heartland and should therefore be satisfied with the financial settlements Heartland reached with card brands Visa, MasterCard and American Express.
Lone Star National Bank, Amalgamated Bank, First Bankers Trust Co., Pennsylvania State Employees Credit Union, Elevations Credit Union, O Bee Credit Union and Seaboard Federal Credit Union argue that the losses they suffered from the 2008 breach were far greater than what the settlement payouts offered. Heartland settled in 2010 with Visa for $60 million and with MasterCard for $41.4 million. In 2009, the processor also settled with American Express for $3.6 million.
Those settlements, which included recovery offers for eligible issuers, were meant to resolve the breach claims against Heartland for the card brands and their issuers. At the time of the settlements, card brands such as MasterCard recommended issuers accept the offer.
"We feel that this settlement represents an appropriate and fair resolution for our issuing financial institution customers and will enable them to avoid uncertainties and delays associated with potentially protracted litigation," said Wendy Murdock, chief franchise officer for MasterCard Worldwide in the press announcement from May 2010.
But issuing institutions argued Heartland had no contractual relationship with them or the card brands, and now these seven issuers have asked the Fifth Circuit appellate court to uphold their right to appeal their claims of negligence against the processor.
Just More Litigation?
David Navetta, co-founder of the Information Law Group, predicts the appeal is not likely to have a significant impact.
"It does not mean much except that the plaintiffs feel their claims still have merit," he says. "Even if the lower court's decision is reversed, the matter would still have to be litigated in the lower court and could be dismissed on other grounds - or it could go to trial eventually."
Ultimately, it's just another claim filed in what has already become a lengthy and costly legal dispute involving issuers, acquirers, the card brands and consumers, Navetta says.
"There is a lot more litigating to do, and it could go on for a very long time," he says. "That said, if the Fifth Circuit affirms the lower court's decision, that could be the end of the case, unless the plaintiffs appeal to the U.S. Supreme Court."
Heartland claims the settlement with the card brands should satisfy the issuing banks and credit unions affected by its breach.
The processor filed its own brief on Jan. 22, arguing that its settlement with the card brands also contractually bound issuers to the settlement.
Heartland says the card brands' operating regulations, which the issuers filing this appeal signed with Visa and MasterCard, includes the recovery of losses that result from third-party security failures, such as breaches.
But in their appeal, the issuing institutions claim Heartland had a duty to take stronger measures to avoid a network intrusion. The institutions further argue that, because Heartland is based in Princeton, N.J., they have a right under the New Jersey economic loss rule to file a negligence claim against the processor.
Albert Gonzalez, the mastermind behind the Heartland Payment Systems breach and the breaches that affected TJX, Office Max and restaurant chain Dave & Busters, was sentenced in March 2010 to two consecutive 20-year terms after pleading guilty.