A federal court has rejected civil claims brought by five credit unions and one bank stemming from the massive 2008 data breach at Heartland Payment Systems that exposed millions of cardholders to fraudulent transactions.
The ruling by the U.S. District Court for the Southern District of Texas appears to end the three-year legal battle by the credit unions and bank, which rejected class-action settlements by Houston-based Heartland with Visa and MasterCard issuers they said amounted to pennies on the dollar and left them with millions of losses to pay themselves.
The plaintiffs in this case are Pennsylvania State Employees Credit Union, PBC Credit Union, O Bee Credit Union, Sea Board Federal Credit Union and Lone Star National Bank.
The group had sued Heartland Bank and KeyBank, merchant acquirers for Heartland, saying those third-party processors of the cards bore responsibility for exposing their cardholders’ information to hackers, but the court dismissed the original suit (
The court, citing previous rulings on third-party responsibility for card breaches in Pennsylvania State Employees Credit Union’s earlier suit against Fifth Third Bancorp; Cumis Insurance Society’s unsuccessful suit in the BJ’s Wholesale Club breach, and separate suits in the huge TJX Cos. breach, agreed to KeyBank’s motion for summary judgment to dismiss the breach-of-contract and negligence claims.
The credit unions also claimed that they are joint venturers with KeyBank through their common membership in the Visa and MasterCard networks, that KeyBank owed a fiduciary duty to them through the joint venture, and that KeyBank breached this duty by failing to monitor Heartland adequately. The court said to be joint venturers they had to allege the sharing of profits and losses, and the credit union plaintiffs failed to do so.
“The financial institution plaintiffs' amended complaint fails to plead that the Visa and MasterCard networks created a joint venture among the issuers and acquirers, which include the financial institution plaintiffs and KeyBank,” wrote the court. “The breach-of-fiduciary-duty claim again fails as a matter of law.”
The credit unions and bank were the few who opted out of a class settlement under which Heartland paid Visa and MasterCard issuers a certain amount to settle claims in exchange for a promise not to sue.
The Heartland breach, as it turned out, was closely tied to numerous other large-scale data breaches at BJ’s Wholesale Club, TJX Cos., Sports Authority, Barnes & Noble, Dave & Buster’s, Hannaford Brothers, 7-Eleven, and OfficeMax because they were all engineered by a former government informant named Albert Gonzalez, who was sentenced in 2010 to 20 years in prison (
In a separate ruling brought by cardholders in the Heartland case, the court agreed to order Heartland to pay $700,000 in legal fees and expenses for a class of cardholders, but not to award any damages because none of the cardholders could demonstrate they suffered significant damages.
What do you think about this? Send us your feedback.
