Heartland's $60M breach settlement offer not enough, lawyers say

Financial institutions spent a lot more than that in breach-related costs, they argue

Lawyers representing financial institutions in a data breach lawsuit against Heartland Payment Systems Inc are calling a recently proposed $60 million settlement offer from the company as way too meager.

In a statement released on Wednesday, the lawyers said the proposed settlement would only pay banks and credit unions "pennies on the dollar," while releasing Heartland and other potentially liable parties from further legal action.

Princeton, NJ-based Heartland announced in January 2009 that unknown intruders had broken into its systems and stolen card data. More than 130 million credit and debit cards were believed to have been compromised in the intrusion, making it the biggest ever involving payment card data.

Hundreds of banks were affected by the breach. Many of them later sued the payment processor seeking to recover card-reissuance and fraud-related costs.

Earlier this month, Heartland and Visa announced a settlement under which Heartland said it would pay up to $60 million to compensate card issuers for breach-related costs. The proposed settlement requires card issuers to release Heartland and Visa from any additional liability.

Banks and credit unions affected by the breach have until January 29th to decide if they want to accept the terms of the settlement or not. The proposed settlement will go into effect if at least 80% of affected Visa card issuers agree to it.

In a joint statement with Heartland, a Visa executive touted the settlement offer as a way for card issues to get an "an immediate recovery" of any losses they may have incurred from the Heartland intrusion.

On Wednesday, Michael Caddell, a lawyer representing several financial institutions in a putative class-action against Heartland, called the settlement offer anything but fair to those affected by the breach. In total, more than 86 million Visa payment cards were compromised in the Heartland data breach.

The costs that banks incurred to replace each of those cards and costs stemming from fraudulent transactions far exceed the $60 million being offered by Heartland, said Cadell who is a partner at Caddell & Chapman, a Houston-based law firm. The amount is even less than Visa's own internal estimates which pegs financial damages to banks as a result of the breach at $140 million, Caddell said.

Visa started sending out settlement offers to individual banks and credit unions last week, Caddell said. Based on information from clients the offers appear to be ranging anywhere from around 1% of the actual damages incurred up to around 30%, he said.

On average the settlement amounts being offered are less than 10% of the actual damages and are being calculated based on an internal Visa operating rule, Caddell said. One Caddell client that spent over $1 million in breach-related costs has been offered just $54,000 by Visa by way of compensation, he said.

"Most of our clients have said they are going to absolutely reject the settlement," Caddell said. "They are laughing at how ridiculously low the offers are."

The condition that Heartland and other potentially liable parties be absolved from further liability is also troubling, Caddell said.

Though Heartland has downplayed its ability to pay more money, its acquiring banks KeyBank has $97 billion of assets and Heartland Bank has over $1 billion of assets, he said. An acquiring bank is a bank that authorizes and accepts card transactions on behalf of a merchant or processor. In response to the proposed settlement offer, a lawsuit has been filed in Houston federal court seeking to hold KeyBank and Heartland Bank liable for damages caused by the Heartland data breach.

Caddell also questioned the timing of the offer. The numerous lawsuits that have been filed against Heartland have been consolidated and are being heard in a federal court in Houston. Though Heartland has filed a motion to dismiss the case, it is quite possible that the judge will allow it to stand, Caddell said.

If that were to happen, the plaintiffs would be in a position to get more information on the circumstances surrounding the breach through the discovery process, he said.

A spokesman for Visa declined to comment on the complaints over the settlement offer. A Heartland spokeswoman said it would comment soon.

The brewing dispute over what some might have seen as a generous settlement offer by Heartland underscores the high-costs that companies can face from data breaches. The $60 million offer by Heartland is bigger than a similar offer made by TJX Companies Inc. when it suffered a massive data breach in 2007.

In that case, TJX said it would fund up to $40.9 million for payments to Visa card issuers who were affected by the breach.

In addition to the $60 million Visa settlement offer, Heartland has already agreed to pay American Express $3.6 million to settle charges relating to the breach. In addition the company has publicly stated that it has spent or will be spending close to another $13 million in breach related costs -- a big portion of it to pay a MasterCard fine.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, send e-mail to jvijayan@computerworld.com or subscribe to Jaikumar's RSS feed .

Copyright © 2010 IDG Communications, Inc.

9 steps to lock down corporate browsers
  
Shop Tech Products at Amazon