The Fifth Circuit Court of Appeals recently held that a company may be liable for weak cybersecurity measures that cause another party economic injury, even if there is no contractual relationship between the parties. This holding could signal an expansion in cyber liability and is yet another reason for companies that manage sensitive data to ensure they have effective cybersecurity measures in place.

The case, Lone Star National Bank NA, et al. v. Heartland Payment Systems, Inc., arises from perhaps the most notable payment card data breach in history. In 2008, hackers infiltrated the network of Heartland Payment Systems, Inc., a payment card processor, and gained access to the payment card information of millions of consumers. As a result, the banks that had issued payment cards to affected consumers (“Issuing Banks”) allegedly suffered economic losses in replacing compromised payment cards and refunding consumers for transactions that were fraudulently charged to their accounts.

The Issuing Banks did not have a direct contractual relationship with Heartland. The only relationship between the parties was their mutual involvement in the “web of contractual relationships established by Visa and MasterCard.” The Issuing Banks had entered into agreements with Visa and MasterCard that allowed them to issue payment cards to their customers. Heartland, on the other hand, had entered into agreements that allowed it to process transactions on behalf of acquiring banks. (An “acquiring bank” is one that processes credit or debit card payments for merchants.) Heartland’s agreement with the acquiring banks required Heartland to comply with Visa and MasterCard regulations regarding the security of payment card information.

Following the breach at Heartland, the Issuing Banks sued Heartland for its alleged negligence in not securing their customers’ payment card data. The district court dismissed the negligence claims and denied the Issuing Banks any recovery for the economic losses associated with replacing payment cards and reimbursing fraudulent charges. According to the district court, the economic loss doctrine precluded tort recovery for purely economic losses and limited the Issuing Banks’ remedies to those provided by the Visa and MasterCard regulations that governed their participation in the payment card industry.

The Fifth Circuit reversed and remanded. Acknowledging that the economic loss doctrine generally precludes tort recovery and limits a plaintiff’s recovery for purely economic damages to contractual remedies, the Fifth Circuit nonetheless found that under New Jersey law the doctrine “does not bar tort recovery where the defendant causes an identifiable class of plaintiffs to which it owes a duty of care to suffer economic loss that does not result in boundless liability.”

The court went on to hold that the Issuing Banks were an “identifiable class” and that allowing them to recover against Heartland under tort theories would not expose Heartland to boundless liability. “The identities, nature, and number of victims are easily foreseeable,” the court held, because the Issuing Banks are “the very entities to which Heartland sends payment card information.” The court also found that, given the relationship between the parties, precluding the Issuing Banks from recovering under tort theories would leave them with “no remedy for Heartland’s negligence, defying notions of fairness, common sense and morality.”

The Fifth Circuit’s opinion could signal an expansion in cyber liability. The concept of an “identifiable class” to whom defendants may owe a duty is not well defined and will be subject to fact-specific interpretation by courts in the future. Thus, companies found to be negligent in their cybersecurity practices could be held liable for losses suffered by unrelated parties. Given this development, companies have yet another incentive to ensure they comply with cybersecurity industry standards and best practices.