In an age where data breaches have become commonplace, Heartland Payment Systems endured what is probably the largest data breach to date, with credit card information concerning 130 million people stolen. The data breach precipitated a severe decline in Heartland's stock price, which in turn precipitated a shareholder derivative suit. While the court dismissed the shareholders' complaint, the carefully nuanced decision demonstrates that a data breach can present a significant exposure for officers and directors. See Judge Anne Thompson's opinion dismissing plaintiffs' complaint, In re Heartland Payment Systems, Inc. Securities Litigation (Civ. No. 09-1043, United States District Court, District of New Jersey, December 7, 2009).
Heartland acted as a middleman between stores accepting credit cards and the financial institutions that issued them. In December 2007, a gang of cyber-thieves launched a "Structured Query Language" ("SQL") attack on the payroll manager application of Heartland's computer system. This application contained information only on Heartland's own employees, and Heartland was able to cope successfully with this attack. However, unknown to Heartland, the attack also placed malware on the computer system that infected the payment processing system, resulting in the loss of personal information on 130 million credit and debit card owners. Heartland did not discover this breach until early 2009, and publicly disclosed it on January 20. Heartland's stock fell by a total of 80%, resulting in a suit by shareholders who had purchased stock in 2008. Those shareholders pointed to specific statements by Heartland in 2008 on the status of its data breach protection to support their claim. While the court dismissed the complaint because it failed to meet the pleading requirements of the Private Securities Litigation Reform Act of 1995, 15 U.S.C. § 78u-4(b), its discussion of the statements at issue indicates how easily a company dependent on technology can fall prey to such claims.
The plaintiffs asserted two related bases for fraud. First, in an earnings conference call in 2008 in which data security was discussed, the company did not divulge the SQL attack. The plaintiffs argued that this non-disclosure was fraudulent. The court, parsing these statements very carefully, found that "careful attention to context demonstrates that Defendants' statements and omissions on [the] conference call are not fraudulent." For example, narrowly construing the questions and answers during the call, the court found that since the SQL attack did not result in a loss of customer information, the defendants did not need to reveal it. The court found that if analysts had asked on the call, "Did you suffer a security lapse in fourth quarter 2007?", defendants' answer would have been untruthful. However, the analysts had asked whether a specific security incident had caused a large IT expenditure, when in fact that expenditure pre-dated the SQL attack.
Second, in its annual report and during another conference call, the company made statements about its emphasis on data security. The plaintiffs argued that these statements were fraudulent because of the failure to disclose the SQL attack. The court found no conflict between the company's statements concerning its emphasis on security and the fact of an undisclosed data breach.
Data breach already constitutes a major exposure to companies due to government regulation and private suits for damages. Derivative suits can now be added to that list of horribles.
Although the Heartland Payment Systems matter involved a very large amount of data and a significant decline in stock price, such claims are possible whenever a data breach depresses the stock price.
Companies should be aware that insurance coverage may exist for data breach exposure. D&O policies should provide coverage for this risk, unless they are endorsed to exclude data breach claims. Commercial general liability policies, in their "personal and advertising coverage" section, provide limited privacy coverage. Moreover, a new market has developed for specialty privacy and data breach insurance policies. Language differs from policy to policy, so consult your risk manager or other insurance professional when purchasing or renewing your coverage.