When Heartland Payment Systems, Inc. ("Heartland"), one of the nation's largest payment processors, suffered a severe criminal data breach in December 2007, it was no surprise that private litigation in the form of class actions brought by investors, consumers and financial institutions ensued.
Since then, however, Heartland has been aggressive and creative in its efforts to resolve these matters. As the Heartland cases have unfolded, the company has provided insight and instruction on how to identify and manage the risks and potential liabilities associated with data breaches.
The Heartland Story
After Heartland was hacked, it discovered that the breach was not just confined to its payroll system, as originally understood, but that it also involved the installation of malicious software (malware) that compromised the safety of its payment processing system, which was responsible for storing credit and debit card data. Heartland reports that it learned of this more extensive breach on January 12 or 13, 2009, and immediately notified government authorities and the credit card companies whose account numbers had been stolen. On January 20, 2009, Heartland disclosed the theft to the general public. In the immediate aftermath Heartland's stock price fell dramatically (if measured from its highest price during 2008, Heartland's stock suffered a total decline in value of almost 80 percent). It was also found that, over the course of 2008, the hackers managed to steal 130 million credit and debit card numbers issued by over 100 banks and credit unions.
With respect to the securities litigation, the class action complaint was dismissed with prejudice by the federal District Court of New Jersey early this past December. In their complaint, investors alleged fraud on the basis that Heartland (and its officers) had misrepresented the state of its computer network security. The claims of the misrepresentations at issue, which related to Heartland's commitment to maintain high levels of data security, were made after Heartland discovered the breach but before the breach was disclosed to the public. Upon considering Heartland's motion to dismiss (and the proofs necessary to sustain a case of securities fraud), the court found that the security breach alone did not demonstrate that the company failed to "place significant emphasis on maintaining a high level of security." The court also concluded that the facts alleged in plaintiffs' complaint did not support an inference that Heartland failed to make serious efforts to protect its computer network from security breaches. In this respect, the court further observed that after-the-fact speculation by employees within the company did not support an inference that the company was consciously or recklessly dissembling information when it stated that the company treated security "as one of its central concerns."
Moreover, the court reiterated that there is no general duty on the part of issuers of public securities to disclose every material fact to investors (citing In re Burlington Coat Factory Sec. Litig., 114 F.3d 1410, 1432 (3d Cir. 1997)). As such, the court found that, since the Heartland defendants were not alleged to have made any misleading statements, they never had a duty to disclose the 2007 breach. The fate of this case was further sealed by the court's ruling that the case be dismissed with prejudice, as it appeared that further specificity would not cure the deficiencies in plaintiffs' complaint, so amendment would be futile.
Heartland's other security breach actions are now venued in a Texas federal district court, which is where those cases were transferred by the Judicial Panel on Multidistrict Litigation in June 2009. In August 2009, a case management order was entered in the consolidated actions separating "consumer cases" from "financial institution" cases. The cases were placed on separate litigation tracks, but both now appear to be headed toward settlement.
With respect to the consumer cases, in late December of this past year, Heartland announced that it would pay several million dollars to settle this litigation, although the settlement would be subject to court approval. The proposal is for Heartland to pay between $1 million and $2.4 million to class members who can document losses sustained when their card data was compromised by the breach. Heartland also announced that it would spend up to $1.5 million to notify the class of the settlement and up to $760,000 for attorneys' fees. However, Heartland also reserved the right to terminate the settlement if 2,500 or more class members requested exclusion or if the notification costs exceeded $1.5 million.
As for the financial institution cases, Heartland also filed a motion to dismiss the master complaint in that litigation in its entirety. The motion was filed in late October of last year and its outcome is uncertain. With its motion to dismiss pending, Heartland announced, in mid-December of last year, a settlement agreement with American Express. Under the agreement, Heartland will pay American Express $3.6 million, resolving all intrusion-related issues between the two parties. On the heels of that settlement, just last week, Heartland, together with its acquirers and Visa (more specifically Visa U.S.A., Inc.; Visa International Service Association; and Visa Inc.), entered into a settlement and announced a proposed "Alternate Recovery Offer," that purports to provide the impacted Visa card issuers (i.e., select financial institution plaintiffs) with a mechanism, or settlement program, to obtain "prompt and certain recovery" for their losses. Subject to certain conditions, Visa card issuers that opt in to the settlement program would release all claims related to the subject data breach and receive their "alternate recovery" by February 25, 2010.
Under the settlement, Heartland has agreed to provide up to $60 million to fund the settlement program, subject to certain conditions. The conditions include participation in the settlement program by at least 80 percent of the relevant Visa issuers, who have until January 29, 2010, to opt in to the program. Under the settlement, Heartland is also entitled to a credit in the amount of $780,000 previously paid by its acquirers to Visa for intrusion-related fines. As such, all eligible Visa issuers who participate in the settlement program will receive a portion of the specified recovery.
If the settlement program is successful, the portion of recovery received by participating Visa issuers will be determined through procedures detailed in the settlement and disclosed in the offers made to Visa issuers this month. Each issuer's potential recovery is to be measured, and to some degree is endorsed, by calculations utilized and approved by Visa. It is also possible that Heartland and issuers from other major credit card companies (such as MasterCard and Discover) will continue to move in this direction. If not, then we can expect a motion to dismiss filed by Heartland to move forward, with new rulings to shape the landscape of data breach litigation.