HOUSTON (12/15/11)--A U.S. District Court judge in Houston has dismissed most financial institutions' complaints of negligence and breach of contract stemming from Heartland Payment Systems Inc.'s data breach, but left open the possibility that financial institutions in the case could file amended complaints.
Heartland revealed in January 2008 that its system had been breached and that roughly 130 million credit and debit card accounts, including thousands of credit union member accounts, had been compromised in one of the largest data breaches ever recorded. The breach spawned a variety of lawsuits by both consumers and financial institutions, which replaced the cards of the compromised accounts.
Financial institutions' suits against Heartland had been consolidated into a single case while consumers' lawsuits were consolidated into a separate case.
The ruling by U.S. District Judge Lee Rosenthal of the U.S. District Court for the Southern District of Texas, Houston division, in the financial institutions' suit found in favor of Heartland on all counts except on a claim brought under the Florida Deceptive and Unfair Trade Practices Act, but left open the ability to amend the complaints in several areas.
- Dismissed with prejudice and without leave to amend the claims for negligence and for violation of the New Jersey Consumer Fraud Act, the New York consumer protection law, and the Washington Consumer Protection Act.
- Dismissed without prejudice and with leave to amend on these claims: breach of contract, breach of implied contract, express misrepresentation, negligent misrepresentation based on nondisclosure, and violations of several state consumer laws in California, Colorado, Illinois and Texas.
- Denied the motion to dismiss on a claim brought under the Florida Deceptive and Unfair Trade Practices Act. That act's purpose, said the court ruling, is "to protect the consuming public and legitimate business enterprises" from "unfair methods of competition, or unconscionable, deceptive, or unfair acts or practices in the conduct of any trade or commerce."
In the 62-page decision, Judge Rosenthal indicated that the financial institutions were not protected as "third-party beneficiaries" in contracts between Heartland and its two acquiring banks, KeyBank and Heartland Bank; were not protected under the contracts between Heartland and the major card brands, such as Visa, MasterCard and D; and Discover; and were not consumers who could claim misrepresentation or negligence under various state consumer protection laws.
"Unlike the plaintiffs in Hannaford Brothers
[another data breach case], and like those in Hammond
, the financial institution plaintiffs do not allege a direct contract relationship with Heartland that would plausibly suggest the mutual assent necessary for an implied contract. The financial institution plaintiffs' contracts are with Heartland clients, not Heartland. The pleadings allege that the financial institution plaintiffs have at most an indirect relationship with Heartland through Heartland's processing of transactions made with payment cards that they issued. The implied contract claim is dismissed," wrote the judge.
Several credit unions were among the financial institutions that filed original complaints related to the breach. They included GECU, a $1.146 billion asset credit union in El Paso, Texas; MidFlorida FCU, a $1.283 billion asset credit union in Lakeland Fla.; Matadors Community CU, a $123 million asset credit union in Chatsworth, Calif. They joined Amalgamated Bank of New York, N.Y., and Farmers State Bank, Marcus, Iowa, among others. (News Now
May 27, 2009).
Other suits filed against Heartland involved PBC CU, West Palm Beach, Fla.; Gulf Winds FCU, Pensacola, Fla.; Alabama Rural Electric FCU, Montgomery, Ala., and First Castle FCU, New Orleans.
More than 560 financial institutions, including at least 178 credit unions, had to reissue credit and debit cards as a result of the breach. Heartland reached several settlements last year with Visa and MasterCard and Discover, which also had sued on behalf of their financial institution clients.