Lawsuits over Heartland data breach folded into one

Computerworld - A lawsuit consolidating 16 separate class-action complaints brought by financial institutions against Heartland Payment Systems Inc. has been filed in U.S. District Court for the Southern District of Texas.

The claims stem from the massive data breach disclosed by Princeton, N.J.-based Heartland in January. The complaints allege that the payment processor was negligent in its duty to protect card holder data.

The amended complaint includes for the first time several statements that Heartland is alleged to have made regarding the controls it had in place to protect credit and debit card data just prior to the breach. The fact that the company suffered the breach despite its claimed security measures shows that Heartland either negligently or deliberately misrepresented the facts, the lawsuit alleges.

The lawsuit seeks compensation from Heartland for the costs that the financial institutions say they have had to bear in notifying customers about the breach and in reissuing new cards. Among the financial institutions listed are the Pennsylvania State Employees Credit Union, Lone Star Bank of North America and Amalgamated Bank of New York.

"There were multiple lawsuits filed all over the country on behalf of financial institutions, and all of those cases were sent to federal court in Houston" for consolidation, said Joseph Sauder, a partner in the Haverford, Pa., office of Chimicles & Tikellis LLP, a class action law firm. Sauder is one of the lead attorneys representing the financial institution plaintiffs in the lawsuit.

"This complaint incorporates the strongest claims from all of the financial institution class-action lawsuits," Sauder said. "The next step is for Heartland to file a response to this complaint," he said.

Heartland on Jan. 20 disclosed that unknown intruders had broken into its network sometime last year and accessed payment card data belonging to an undisclosed number of customers. The breach, which is considered the biggest involving payment card data, compromised more than 100 million credit and debit cards.

So far, Heartland has publicly admitted to spending nearly $13 million on breach-related costs, and analysts expect that the incident will cost the company millions more in the coming years. Heartland, one of the biggest payment processors in the U.S., manages about 100 million credit and debit card transactions per month.

The cases were consolidated in federal court in Texas because Heartland's data centers are located in that state, Sauder said. A "separate track" of cases involving consumer lawsuits against Heartland is also being heard in the same court, Sauder said.

In September, Albert Gonzalez, 28, of Miami pleaded guilty to the data heist at Heartland and several retailers, including TJX Companies Inc., BJ's Wholesale Club, Hannaford Bros. and the Dave & Buster's restaurant chain. Gonzalez is scheduled to be sentenced in December and faces 15 to 20 years in prison under the terms of his plea agreement.

Heartland did not immediately respond to a request for comment.

Read more about security in Computerworld's Security Knowledge Center.