This blog entry was contributed by Steven Spagnolo, an associate in the Privacy and Information Management group in Hogan Lovells’ Washington, DC office
A federal judge dismissed all but one of the claims (PDF) brought against Heartland Payment Systems, a payment card processor, in a class action lawsuit stemming from a breach of Heartland’s computer systems, demonstrating that it may be difficult to hold companies legally responsible for breaches of their data. The plaintiffs of the class action lawsuit, nine financial institutions that issued payment cards to consumers affected by the breach, balked at Heartland’s settlement offers and instead sought relief from the court, alleging breach of contract, negligence, misrepresentation, and violations of several states’ consumer-protection statutes. Only the alleged violation of Florida’s consumer-protection statute survived Heartland’s motion to dismiss, an outcome which may deter future plaintiffs affected by data breaches from rejecting settlement offers to litigate their claims.
As early as December 2007, a ring of hackers, led by notorious cyber-criminal Albert Gonzalez, gained access to Heartland’s computer systems and installed programs that allowed them to obtain the payment-card information stored on those systems. The breach continued over the course of many months before Heartland discovered the rogue programs in January 2009, by which time the hackers had already obtained the payment-card information of approximately 130 million consumers.
As a result of the massive breach, one of the largest ever involving payment-card information, numerous lawsuits were filed against Heartland by both consumers whose payment-card information was compromised and financial institutions that issued payment cards to the affected consumers. Those lawsuits were consolidated and split into two tracks, one that addressed the claims of the consumers and one that addressed the claims of the financial institutions.
Heartland has settled the majority of the lawsuits stemming from the breach. Last year, Heartland settled the consumers’ claims, agreeing to pay up to $175 to each consumer to cover out-of-pocket expenses and charges incurred due to the breach and up to $10,000 to victims of identity theft resulting from the breach. Heartland also agreed to settlements with the four major payment card brands and the financial institutions that utilize their networks to issue credit to consumers, agreeing to pay $3.6 million to American Express, $60 million to Visa, $41.1 million to MasterCard, and $5 million to Discover. However, the financial institutions were not bound by these settlements unless they chose to accept their terms. Although most financial institutions did so, some determined that the proposed settlements did not adequately cover their losses from the breach and instead elected to reject the settlements and litigate the matter.
The resulting litigation is an on-going class action lawsuit against Heartland. The financial institution plaintiffs alleged that the breach of Heartland’s computer systems resulted from Heartland’s failure to adequately safeguard its computer systems and caused the plaintiffs to incur significant expenses replacing credit and debit cards and reimbursing fraudulent transactions. The financial institution plaintiffs’ complaint (PDF) asserted claims for breach of contract and implied contract; negligence and negligence per se; negligent and intentional misrepresentation; and violations of the consumer-protection statutes in California, Colorado, Florida, Illinois, New Jersey, New York, Texas, and Washington.
In a December 1, 2011 opinion, Judge Lee Rosenthal of the U.S. District Court for the Southern District of Texas granted Heartland’s motion to dismiss (PDF) with respect to all but one of the claims asserted by the financial institution plaintiffs. Judge Rosenthal dismissed the contract claims due to the fact that the plaintiffs were: (1) not in a direct contractual relationship with Heartland; (2) not third party beneficiaries of Heartland’s contracts with other banks; and (3) not entitled to consequential damages. He dismissed the negligence claims because the plaintiffs’ damages were solely economic in nature and thus barred by the economic loss doctrine. The consumer-protection claims were dismissed for various reasons including that the plaintiffs were not “consumers” protected by the state statute.
Heartland’s alleged violation of the Florida Deceptive and Unfair Trade Practices Act (FDUTPA) was the lone claim that survived Heartland’s motion to dismiss. Heartland argued in its motion to dismiss that the plaintiffs lacked standing to assert a claim under the FDUTPA because only consumers, as the word is traditionally used, may assert such claims. In denying Heartland’s motion to dismiss, Judge Rosenthal highlighted that in 2001 the Florida Legislature amended the statutory provision that creates a private right of action for violations of the FDUTPA to use the word “persons” instead of “consumers” when identifying who may bring a claim. To this point, he stated that the “Florida Legislature’s use of word ‘person’ in creating a private right of action suggests a broader reach than the word ‘consumer.’”
Although all of the plaintiffs’ other claims were dismissed, the court granted the plaintiffs leave to amend their claims for breach of contract and implied contract (but only in certain limited situations); express misrepresentation; negligent misrepresentation based on nondisclosure; and violations of the California, Colorado, Illinois, and Texas consumer-protection statutes. However, the claims for negligence and violations of the consumer-protection statutes in New Jersey, New York, and Washington were dismissed with prejudice and without leave to amend. The plaintiffs must file the amended complaint by December 23, 2011.