The U.S. District Court for the District of New Jersey has the six cases on its docket, but a source familiar with the issue said that the count of different cases was up to 15 when cases from all the different venues were included.
The Haverford, Pa.-based law firm Chimicles & Tikellis filed one of the earliest suits near the end of January on behalf of a Minnesota resident representing a class of affected consumers.
"On January 20, 2009-the date of the Presidential Inauguration-Heartland silently issued a press release that publicly revealed for the first time that a data breach had occurred," the firm said in its filing. "In addition to the questionable timing of this disclosure, there are materially misleading statements and omissions contained in Heartland's public description of the breach and its consequences."
Additionally, the Philadelphia firms of Sheller and Berger & Montague have joined with other firms to file suits against Heartland. Berger & Montague was also involved in the data breach case against TJX, according to the firm.
"Heartland failed to contain the breach for several months," the firm said in a court filing. "The breach began as early as May 2008. Visa and MasterCard reportedly alerted Heartland to suspicious card activity in late fall 2008. However, Heartland did not locate and contain the malicious software for several more months. On January 20, 2009, Heartland disclosed on its website that 'last week [mid-January 2009], the investigation uncovered malicious software.'"
"The fact that several months passed between when the breach began in May 2008 and when Heartland was first alerted to suspicious activity in late fall 2008 casts doubt on Heartland's security measures and intrusion-detection systems. Perhaps even more alarming is the fact that malicious software remained on Heartland's network until several months after Visa and MasterCard alerted Heartland to suspicious card activity," Berger & Montague added.
The only case brought by a financial institution so far in the New Jersey district has come from Lone Summit Bank, a state-chartered bank headquartered in Lake Lotawana, Mo.
Lone Summit brought its action on its own behalf and on behalf of "all other similarly situated banks, credit unions, savings and loans, other financial institutions," according to the suit. Lone Summit had not returned calls as of press time.
In its filing, Lone Summit pointed several times to Heartland's alleged delay in following up on Visa's and MasterCard's warnings about the possibility that the firm's card processing system security had been breached.
"Had the Heartland Data Breach been prevented altogether or, at a minimum, contained and/or disclosed sooner, fewer credit and/or debit card numbers would have been compromised and, thus, fewer credit and/or debit cards would have to be canceled and replaced," the bank argued.
Lone Summit said 60 of its cards had to be canceled and reissued, adding it "reasonably anticipates" that number rising in the future. Lone Summit sought unspecified actual damages for the losses it and other class members have suffered, along with injunction against the company to make sure it minimized the likelihood of future breaches. The bank also sought legal expenses and court costs as well.
One of the cases against Heartland was brought by a man who claims to be a member of the $1.1 billion Forum Credit Union, Fishers, Ind.
Kenneth Hinton filed the case on his own behalf seeking a total of at least $250,000 for different damages associated with the breach, alleging fraud under New Jersey's consumer fraud act, negligence, breach of contract (for violating the agreements that would have kept Hinton's data safe) and breach of fiduciary duty.
Hinton has successfully petitioned the court for relief from the usual filing fees associated with bringing a suit of this type. In his petition, Hinton claimed to be homeless in Arlington, Va., and an address listed on the filing came back as a UPS store that rents mailboxes. The phone number listed on the filing, which took messages for Hinton, came back as a cell phone located in Washington, Va., a small town about 70 miles west of Washington, D.C.
As part of his filing, Hinton identified himself as a member of Forum and included a notification about the breach that appeared to have been sent from Forum to members whose accounts were at risk.
A spokesman for Forum said he could not verify Hinton's membership, although he said the communication sounded like something Forum had sent.
When contacted about the suit, Hinton said he chose to file on his own behalf because "class actions were for people who are willing to be part of a class," adding that he thought the circumstances of his case were unique and merited individual attention.
When asked about the homeless petition, Hinton said that had been accurate since he had no fixed address at the time of the filing and that he had lost money to fraud from the breach of his account data. He declined to estimate how much he had lost because the losses were still being assessed.
Court records also showed February to have been a litigious month for Hinton. At roughly the same time of his Heartland filing, he also filed a lawsuit against the Peanut Corp. of America, alleging that some peanut products that Peanut Corp. distributed and that he purchased from a CVS in Arlington, had made him ill. Symptoms, Hinton alleged, included stomach pains, diarrhea, nausea, vomiting, insomnia, cephalagia (headache) fatigue and post-traumatic stress disorder. Hinton also alleged he was found to be infected by salmonella bacteria.
But a federal judge dismissed Hinton's suit against PCA two days later on grounds of lack of jurisdiction. Hinton did not claim a profession in court papers but said that he sometimes files lawsuits.