In an indication of the legal troubles companies can find themselves in over data breaches these days, several banks and credit unions have begun suing Heartland Payment Systems over its recently disclosed data breach.
In the six weeks since the potentially massive breach was disclosed, eight banks and credit unions have filed lawsuits against Heartland over its alleged failure to take adequate measures to protect credit and debit card holder data.
Heartland said on January 20 that unknown intruders had broken into its network sometime last year and accessed payment card data belonging to an undisclosed number of people.
The breach, thought to possibly be the biggest ever disclosed, has already affected over 500 financial institutions, including a handful in the Bahamas, Bermuda and Canada.
The lawsuits seek compensation from Heartland for the costs the financial institutions say they have had to bear in notifying affected customers about the breach and in reissuing them new payment cards.
The lawsuits also claim damages from Heartland for the costs of the fraud the banks say has resulted from the breach.
One of the lawsuits was filed by Chimicles & Tikellis LLP in Haverford, Pa. on behalf of Amalgamated Bank in New York, Matadors Community Credit Union of Chatsworth, Calif., GECU in El Paso, Texas, MidFlorida Federal Credit Union in Lakeland, Fla., and Farmers State Bank in Marcus, Iowa.
Filed in federal court in New Jersey, the suit charged Heartland with violating the state’s consumer protection statutes and with breach of implied contract.
The complaint, filed on Feb. 20, also suggested that Heartland should have been the one sending out the notifications to the affected customers, not the card-issuing banks.
“Instead of actively participating in resolving the problems that were caused as a result of its negligence and other misconduct, Heartland has essentially taken a backseat and shifted this burden to Plaintiffs and class members,” the complaint alleged.
Joseph Sauder, a partner with Chimicles & Tikellis, said the lawsuit seeks to recover, on behalf of all affected financial institutions, “the damage they have incurred as a result of the breach. It includes the cost of reissuing the cards and fraudulent activity.”
Chimicles & Tikellis is also representing a resident of Woodbury, Minn. and others similarly affected in a separate class-action lawsuit against Heartland.
Sohmer & Stark of Fairfield, N.J. filed another suit on behalf of Kansas-based TriCentury Bank and Great Southern Bank of Missouri. Its complaint alleged that Heartland had been negligent in allowing malicious code to be placed on its processing systems and networks, and in failing to properly manage the encryption of cardholder data.
The lawsuit also alleged that Heartland failed to implement or comply with the Payment Card Industry Data Security Standard, which the card companies mandate for processors handling cardholder data.
Lone Summit Bank in Lake Lotawana, Missouri filed another suit claiming that the main reason the bank and similar financial institutions act as card issuers is the safeguards they believed were built into the payment system.
The bank’s complaint pointed to the card industry’s Card Operating Requirements as a minimal standard that Heartland should have been complying with in protecting card holder data.
The regulations were designed to provide safeguards for merchants who accept payments by way of debit or credit cards, the complaint noted. Without these safeguards, the bank “certainly would not participate in the system,” the lawsuit alleged.
Heartland did not immediately respond to a request for comment.
It is not yet clear how successful such lawsuits will be. The massive breach disclosed by TJX Companies Inc in 2007 also triggered a similar wave of lawsuits against the retailer.
But attempts to get a federal court in Boston to grant class-action status to the numerous suits brought against TJX by various banks and associations proved futile. TJX offered about $41 million to settle claims brought against it by Visa card issuers affected by the breach.
Similarly, in 2006 a federal court threw out a lawsuit filed by the Pennsylvania State Employees Credit Union (PSECU) against Fifth Third Bancorp.
The PSECU had hoped to recover about $100,000 it said it had spent on canceling and reissuing 235,000 Visa credit cards compromised in a security breach at BJ’s Wholesale Club Inc of Natick, Mass. in 2004. Fifth Third had been sued in its capacity as the so-called acquiring bank that had allowed BJ’s to accept card transactions.
Class-action lawsuits on behalf of consumers in data breach cases have not fared much better.
In 2007, a U.S. District Court in Minnesota dismissed a lawsuit brought by an individual whose personal data — and that of more than 550,000 individuals — had been compromised when a laptop containing the information was stolen from an employee at Brazos Higher Education Service Corp. in Austin.
The individual claimed that Brazos was negligent in securing the data because it had not been encrypted.
The court dismissed the claim, saying that Brazos had not violated any of its security obligations under the Gramm-Leach-Bliley Act. Similarly, a federal court dismissed a class-action lawsuit against TriWest Healthcare Alliance in Phoenix that same year for the same reason.
The class-action members claimed that they were harmed because TriWest was negligent in allowing several hard-disk drives containing personal information to be stolen from one of its facilities in 2002. The incident exposed personal information about more than 500,000 military personnel.