NEW ORLEANS (2/25/13)--Seven credit unions and banks have asked a federal appellate court in New Orleans to reverse the dismissal by a lower court of their lawsuit against Heartland Payment Systems Inc. over losses from a data breach at the payments processor in 2008.
The motion was filed Feb. 8 in the U.S. Court of Appeals for the Fifth Circuit by four credit unions--Sea Board FCU, Bucksport, Maine; O Bee CU, Tumwater, Wash.; PBC CU, West Palm Beach, Fla., and Pennsylvania State Employees CU, Harrisburg, Pa.--and three banks--Lone Star National Bank, Amalgamated Bank and First Bankers Trust Co.
The lower court, the U.S. District Court for the Southern District of Texas in Houston, had dismissed the case, saying that the financial institutions were not protected as "third-party beneficiaries" in contracts between Heartland and its two acquiring banks; were not protected under the contracts between Heartland and the major card brands, such as Visa, MasterCard and Discover; and were not consumers who could claim misrepresentation or negligence under various state consumer protection laws (News Now
Dec. 15, 2011).
The motion to dismiss makes three arguments:
- Heartland owed the issuing banks a duty to take reasonable measures to avoid the risk of a foreseeable intrusion into its computer network and theft of the confidential payment card data, and New Jersey law applies to appellants' negligence claim.
- The complaint satisfies applicable pleading standards by noting specific facts, including: a Visa executive's statement that the breach would not have occurred if Heartland had been vigilant in maintaining its compliance with applicable security standards; a statement by Heartland' s president that it could have done more to prevent the breach; the removal of Heartland from Visa's Payment Card Industry Data Security Standard-compliant entities; and fines assessed by MasterCard for not taking appropriate security measures.
- None of the financial institutions are collaterally estopped from pursuing their negligence claims against Heartland because their claim is for Heartland's failure to adequately monitor its own security systems.
Heartland 's data breach--one of the largest ever recorded--compromised roughly 130 million credit and debit card accounts, including thousands of credit union member accounts. More than 560 financial institutions, including at least 178 credit unions, reissued credit and debit cards as a result of the breach.
Both consumers and financial institutions filed lawsuits. Financial institutions' suits were consolidated into a single case while consumers' lawsuits were consolidated into a separate case. Heartland reached several settlements with Visa, MasterCard and Discover, which also had sued on behalf of their financial institution clients.