Appeals Court Rules Banks Can Sue Heartland Over Card Data Breach

Seven card-issuing banks can sue Heartland Payment Systems Inc. for negligence stemming from the processor’s 2008 data breach, the 5th U.S. Circuit Court of Appeals ruled this week.

Heartland first revealed the data breach in January 2009, later confirming that 130 million credit card numbers had been stolen. The financial institutions' case against Heartland appeared to have reached its conclusion in March 2012, when the U.S. District Court for the Southern District of Texas rejected the civil and negligence claims brought by the issuing banks and credit unions, saying the economic loss doctrine under both Texas and New Jersey law bars such claims.

But a three-judge panel in the New Orleans courtroom of the circuit court revived the negligence claim, saying the banks did not have a contract-based remedy for losses as a result of what the plaintiffs claimed was weak cyber security measures at Heartland. The banks were appealing only the district court’s dismissal of their negligence claim.

In its opinion to "reverse and remand" the district court ruling, judges Emilio Garza, Jerry Smith and Leslie Southwick stated that because there were no contract details regarding breach losses or possible remedies, the issuing banks could file tort claims, or those based on alleged negligence, in New Jersey.

Heartland is based in Princeton, N.J. and also has offices in Houston. The processor has previously argued that it had binding contracts with the banks and their claims should be brought under Texas, rather than New Jersey, law. A Heartland spokesperson declined a request for comment.

"The issuer banks assert that under New Jersey law, the economic loss doctrine does not bar their negligence claim. We agree," Judge Garza states in the ruling. "The economic loss doctrine generally limits a plaintiff seeking to recover purely economic losses, such as lost profits, to contractual remedies."

The judges cited previous case law in the New Jersey Supreme Court to support their decision, and explained that a tort claim in this case could apply to contract principles, meaning the banks suffered consequential damage that could have been addressed in a previous agreement.

In addition, Heartland had argued the banks have failed to state a specific damages claim, and should not be allowed to pursue negligence claims on the same issue.

In the documents filed Sept. 3, the plaintiffs listed in the case are: Lone Star National Bank N.A.; Amalgamated Bank; First Bankers Trust Company, National Association; Pennsylvania State Employees Credit Union; Elevations Credit Union; O Bee Credit Union; and Seaboard Federal Credit Union.

"Heartland had reason to foresee the issuer banks would be the entities to suffer economic losses were Heartland negligent," the judges state. "The identities, nature, and number of the victims are easily foreseeable, as the issuer banks are the very entities to which Heartland sends payment card information."

The judges said Heartland would not be exposed to "boundless liability," but rather "to the reasonable amount of loss from a limited number of entities."

As such, the judges ruled that, even absent physical harm, Heartland may owe the issuer banks "a duty of care and may be liable for their purely economic losses."

Heartland spent the end of 2009 and first few months of 2010 reaching breach settlements with major card brands American Express and Visa.

The circuit court judges indicated it was difficult to determine, for the purpose of the negligence claims, if Heartland had actual "contracts" with the major card brands and, if so, what those agreements entailed.

Albert Gonzalez, a Miami hacker, was sentenced to 20 years in prison in 2010 after pleading guilty to charges that he conspired to hack into the Heartland Payment Systems card data. Gonzalez’ name came up again three months ago as part of a ring of hackers who conspired in a worldwide scheme that was targeting major corporate networks to steal card data.

Heartland is not the only major processor that has faced a data breach. Early last year, Atlanta-based Global Payments Inc. revealed that its payment card database had been hacked.