Having spawned lawsuits by shareholders, consumer
cardholders and financial institutions, the security breach at
Heartland Payment Systems has undoubtedly been a major headache for
the payment processor. The breach, which affected the system used
to process Visa®, MasterCard®, American Express® and
Discover® Card transactions, and reportedly resulted in the
theft of up to 130 million credit and debit card numbers, is
believed to be the largest data breach in US history.
In its aftermath, consumer cardholders and financial
institutions launched class action lawsuits against Heartland for
losses resulting from the breach. To settle the consumer cardholder
class actions, Heartland has reportedly agreed to pay up to $2.4
million to class members who submit valid claims. Under the
proposed settlement, Heartland will also cover
settlement-administration costs, including up to $1.5 million for
the costs of providing notice to the settling class and up to
$760,000 for legal fees. In addition, Heartland has "agreed to
submit the report of an independent expert on Heartland's
actions and plans to enhance the security of its computer
system." The settlement is subject to court approval.
Heartland shareholders also brought a class action against the
company and two senior executives, alleging securities fraud. They
claimed that Heartland had fraudulently misrepresented the general
state of security at Heartland in earnings calls and securities
filings. In addition, they alleged that Heartland had concealed the
SQL injection attack that eventually led to the breach. Heartland
was successful in getting that action dismissed by the courts.
More recently, Heartland announced that it had reached a
settlement with Visa Inc. and American Express over the security
breach. According to media reports, Heartland will pay Visa up to
$60 million US and American Express up to $3.6 million US to cover
breach-related expenses incurred by the issuers. The Visa/Heartland
settlement was contingent upon a number of conditions, including
acceptance by financial institutions representing 80 per cent of
the Visa-branded credit and debit cards considered to have been
placed at risk of compromise. Heartland has indicated that that
condition has since been fulfilled, as the acceptance rate was over
97 per cent. The Heartland settlement eclipses the $40.9-million US
pact between TJX and Visa® following the security breach of
TJX's computer systems.
McCarthy Tétrault Notes
As evidenced by the Heartland saga, security breaches can give
rise to a plethora of litigation by different stakeholders. In
Canada, they can also result in investigations by privacy
commissioners. Responding to and settling threatened or actual
legal and regulatory action is costly and time-consuming for the
companies involved. The Heartland saga reinforces the need for
companies to implement measures to prevent breaches and be vigilant
in adequately monitoring, auditing, testing and updating their
security measures. It also highlights the importance of having a
clear policy in place to respond to breaches in a timely manner,
should they occur.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.