A federal judge has dismissed most of the complaints financial institutions, including credit unions, brought against Heartland Payment Systems for its January 2009 card data breach.
The credit unions and banks that brought suit were ones that declined to participate in a previous settlement agreement that the card brand Visa negotiated and sponsored.
The breach has been recognized as one of the largest ever, compromising information from more than 100 million U.S. consumers. Litigation was brought by banks and credit unions and then consolidated into one complaint heard by U.S. District Judge Lee Rosenthal in the U.S. District Court for the Southern District of Texas.
The credit unions that brought original actions included the 11,000-member, $130 million Matadors Community Credit Union, headquartered in Chatsworth, Calif.; the $1.8 billion, 303,000-member GECU headquartered in El Paso, Texas; and the $1.6 million, 151,000-member MidFlorida Credit Union, headquartered in Lakeland, Fla.
In her 62-page decision, Judge Rosenthal ruled that the plaintiffs' claim failed because they were not specifically protected in contracts between Heartland Payment Systems and its acquiring banks, Heartland Bank and KeyBank. Nor, the judge decided, were financial institutions covered in contracts between Heartland and the major card brands.
The judge also dismissed claims of alleged misrepresentation by Heartland and violations of different states’ consumer protection law as well as negligence. All told, a total of nine of the 10 complaints were dismissed, but in some of them, Rosenthal said the court would allow the plaintiffs to file amended complaints that might better present their claims.
The plaintiffs have until Dec. 23 to file an amendment to their master complaint.
The financial institutions charged Heartland with breach of contract; negligence; breach of implied contract with the FI's; negligence per se; negligent misrepresentation; intentional misrepresentation; and violations of consumer protection laws in New Jersey, where Heartland is headquartered, and from other states as well.
On the breach of contract allegations, which were directed against Heartland's contracts with Heartland Bank and KeyBank, Rosenthal agreed with the defendants that the financial institutions were not third-party beneficiaries to the contracts.
“The plaintiffs allege that Heartland’s contracts with Heartland Bank and KeyBank required Heartland to take appropriate steps to safeguard the sensitive financial information of the plaintiffs’ customers,” Rosenthal wrote. “The plaintiffs assert that they are intended third-party beneficiaries to these contracts. Heartland disagrees. According to Heartland, the contracts do not show intent primarily to benefit the plaintiffs. Even if the contracts showed such intent, Heartland argues, the plaintiffs still cannot recover because they are not creditor or beneficiaries of the contracts. Heartland further contends that the incorporated Visa and MasterCard regulations preclude third-party claims. Finally, Heartland argues that even if the plaintiffs are third-party beneficiaries of the contracts, the allegations are too conclusory to state a plausible breach of contract claim.”
Rosenthal wound up agreeing with Heartland that the contract with Heartland Bank did not cover the financial institutions as third-party beneficiaries, nor did the one with Keybank.
“This court previously reviewed Ohio law on third-party beneficiaries in the related case against KeyBank and found the complaint insufficient to state a claim that the issuer banks were third-party beneficiaries to the contract between KeyBank and Heartland,” Rosenthal recounted in the ruling. “The contract language itself did not show intent to benefit third parties. Because Ohio law, unlike Missouri law, allows consideration of evidence beyond the contract terms to determine third-party beneficiary status, it was appropriate to grant the issuer banks leave to amend."