Court dismisses lawsuit in merchant data-breach case
The legal battle involved a 2004 data breach by BJ's Wholesale Club
Computerworld - Security analysts have for some time now been warning that companies could find themselves becoming targets of costly lawsuits for information security failures. But so far, at least, it has been mostly the plaintiffs who have lost the few cases taken to court.
The latest example is a U.S. District Court's decision late last week to throw out a lawsuit filed by the Pennsylvania State Employees Credit Union (PSECU) against Fifth Third Bancorp. of Cincinnati.
The Harrisburg-based PSECU hoped to recover $100,000 it spent on canceling and reissuing 235,000 Visa credit cards compromised in a security breach at BJ's Wholesale Club Inc., based in Natick, Mass., in 2004.
PSECU had argued that Fifth Third was liable for the costs because it was the bank responsible for processing card transactions for BJ's and should have ensured that the merchant was complying with Visa's security requirements.
PSECU's original lawsuit for breach of contract and negligence also included BJ's. But all of PSECU's claims against BJ's and three of its claims against Fifth Third bank were dismissed last October by the court in Harrisburg.
The same court threw out the one remaining claim against Fifth Third last Friday, saying that PSECU wasn't a third-party beneficiary to the contract between Fifth Third and Visa and was therefore not entitled to seek any card reissuance costs.
"PSECU is at most an incidental beneficiary of the member agreement between Visa and Fifth Third, but an incidental beneficiary has no right to enforce a contract," District Judge William Caldwell wrote in his opinion. "Needless to say, I'm disappointed with the court's ruling," PSECU President Greg Smith said in an e-mailed comment. "It's a little frustrating to know that PSECU was the one party in this situation that kept its word [and] honored its contracts, but when someone else didn't, we're still the one to pay."
As a result of the BJ's breach, Fifth Third has paid almost $900,000 in fraud-related charges to several credit card issuers, according to court documents.
"The court seems to be saying that the Visa system provides relief for issuers who suffered fraud losses, but Visa won't cover the costs of reissuing cards, which is the best defense against fraudulent charges," Smith said.
Stephanie Hagen, a spokeswoman for Fifth Third, said the bank does not comment on litigation issues.
The PSECU is one of several institutions that have filed claims over the BJ's breach. Others include CUNA Mutual Group, Sovereign Bank and Banknorth NA.
The case highlights how "there really is a high barrier for plaintiffs to bring these kind of lawsuits," said Ethan Preston, an attorney atKamber & Associates LLC in New York.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts