Heartland Security Breach — A Cautionary Tale for Service Providers

Having spawned lawsuits by shareholders, consumer cardholders and financial institutions, the security breach at Heartland Payment Systems has undoubtedly been a major headache for the payment processor. The breach, which affected the system used to process Visa®, MasterCard®, American Express® and Discover® Card transactions, and reportedly resulted in the theft of up to 130 million credit and debit card numbers, is believed to be the largest data breach in US history.

In its aftermath, consumer cardholders and financial institutions launched class action lawsuits against Heartland for losses resulting from the breach. To settle the consumer cardholder class actions, Heartland has reportedly agreed to pay up to $2.4 million to class members who submit valid claims. Under the proposed settlement, Heartland will also cover settlement-administration costs, including up to $1.5 million for the costs of providing notice to the settling class and up to $760,000 for legal fees. In addition, Heartland has "agreed to submit the report of an independent expert on Heartland's actions and plans to enhance the security of its computer system." The settlement is subject to court approval.

Heartland shareholders also brought a class action against the company and two senior executives, alleging securities fraud. They claimed that Heartland had fraudulently misrepresented the general state of security at Heartland in earnings calls and securities filings. In addition, they alleged that Heartland had concealed the SQL injection attack that eventually led to the breach. Heartland was successful in getting that action dismissed by the courts.

More recently, Heartland announced that it had reached a settlement with Visa Inc. and American Express over the security breach. Accordingly to media reports, Heartland will pay Visa up to $60 million US and American Express up to $3.6 million US to cover breach-related expenses incurred by the issuers. The Visa/Heartland settlement was contingent upon a number of conditions, including acceptance by financial institutions representing 80 per cent of the Visa-branded credit and debit cards considered to have been placed at risk of compromise. Heartland has indicated that that condition has since been fulfilled, as the acceptance rate was over 97 per cent. The Heartland settlement eclipses the $40.9-million US pact between TJX and Visa® following the security breach of TJX’s computer systems.

McCarthy Tétrault Notes

As evidenced by the Heartland saga, security breaches can give rise to a plethora of litigation by different stakeholders. In Canada, they can also result in investigations by privacy commissioners. Responding to and settling threatened or actual legal and regulatory action is costly and time-consuming for the companies involved. The Heartland saga reinforces the need for companies to implement measures to prevent breaches and be vigilant in adequately monitoring, auditing, testing and updating their security measures. It also highlights the importance of having a clear policy in place to respond to breaches in a timely manner, should they occur.