Heartland Payment Systems Inc. has regained its financial footing since its infamous 2008 security breach and the ensuing flood of lawsuits, but analysts say recent court rulings in the case leave some important liability issues unresolved.
Judge Lee Rosenthal of the U.S. District Court for the Southern District of Texas on Dec. 9 dismissed all but one of the negligence claims banks brought against Heartland for the security breach it announced in January of 2009, stating that the banks failed to properly state their damage claims.
Nine banks filed suit against Heartland in the Texas district, where the Princeton, N.J.-based processor operates data centers.
In a 62-page ruling, Rosenthal dismissed the banks’ claims of negligence and failure to meet contractual obligations.
But Heartland is not off the hook, because Rosenthal left room for the banks to file amended breach-of-contract complaints in the future.
In the months following the 2008 security breach, media reports said hackers had infiltrated the Heartland network over a period of several months, stealing data from some 130 million cards, making it one of the largest breaches involving payment cards.
Heartland in 2010 settled consumer claims to the tune of $4 million and agreed to pay up to $175 to individuals for out-of-pocket expenses related to obtaining new cards, or for unreimbursed charges stemming from fraudulent card use. Heartland also agreed to pay up to $10,000 to individuals subjected to identity theft from the breach.
Heartland executives were unavailable to comment on the Texas ruling.
Rosenthal’s ruling that Heartland had no direct or implied contractual obligation with the banks raises certain new questions, Brian Riley, senior research director and analyst with Needham, Mass.-based TowerGroup, tells PaymentsSource.
“It’s almost as if the breach claims were dismissed on a technicality,” Riley says, noting that the scope of liability surrounding processors and issuing banks after breaches remains undefined.
But analysts agree a couple of silver linings emerged from Heartland’s breach.
“A positive that came out of this was that Heartland addressed it quickly by taking an aggressive stance with end-to-end encryption,” Riley says. “When you think about where fraud issues lie now, that was important.”
Julie Conroy McNelley, senior analyst and fraud expert with Boston-based Aite Group, tells PaymentsSource that Heartland “became a champion” of pushing for higher levels of Payment Card Industry security standards after the breach.
“As a result, we have not seen any major breaches of that magnitude since,” McNelley says. “The hackers realize if they are going to go that big, they are going to get caught.”
Unfortunately, hackers are not stopping their attacks but instead are just seeking smaller prey, McNelley notes.
“The number of breaches has gone up seven-fold in the past year, but the number of records being compromised is down,” she adds.
And in the wake of the Heartland breach and its legal aftermath, processors worldwide learned that being current with PCI compliance serves as a good defense in their favor if a breach occurs, Riley notes.
But simply passing PCI compliance audits is not foolproof insurance against the growing hacker threat, Heartland chairman Robert Carr warned a few months after the breach as he outlined a more aggressive security stance for his company.