Hack on Heartland May Support Negligence Suit
(CN) - The 5th Circuit revived negligence claims related to theft by hackers of millions of credit card numbers processed by Heartland Payment Systems.
Lone Star National Bank and six other credit card issuers had sued Heartland last year in Houston, claiming that the massive data breach caused them to replace compromised cards and reimburse customers for fraudulent charges.
Although the financial institutions lacked a written contract with Heartland, they claimed to be third-party beneficiaries of Heartland's contracts with other entities under the Visa and MasterCard systems.
A federal judge dismissed the negligence claim against the New Jersey-based Heartland, holding that it is barred under the economic loss doctrine of Garden State law.
The court also reasoned that, by entering into the web of contracts established by Visa and MasterCard, the banks contracted for the specific remedies under Visa and MasterCard regulations and could therefore not sue another participant in the same web.
A three-judge panel of the New Orleans-based federal appeals court unanimously reversed last week.
The economic loss doctrine does not preclude the negligence claim at the motion-to-dismiss stage under New Jersey law in cases where the plaintiff "suffers economic harm without any attendant physical harm," according to the ruling.
Indeed, there is state case law holding that a defendant still owes a duty of care to take reasonable measures to avoid the risk of causing economic damages to plaintiffs whom the defendant knows are likely to suffer damages from its conduct, the panel found.
"Accordingly, under New Jersey law, the economic loss doctrine does not bar tort recovery where the defendant causes an identifiable class of plaintiffs to which it owes a duty of care to suffer economic loss that does not result in boundless liability," Judge Emilio Garza wrote for the panel.
Precluding a tort remedy would also leave the plaintiffs with no remedy for Heartland's alleged negligence, defying "notions of fairness, common sense and morality," according to the ruling.
"It is not clear whether Heartland's contract with the acquirer banks, which require Heartland to comply with Visa and MasterCard rules and regulations, provide the [plaintiff] issuer banks with compensation mechanisms for losses that may be caused by Heartland's negligence," Garza wrote. "Though Visa and MasterCard investigated Heartland's data breach and directed its members to avoid using Heartland's services for a period of time, it is not clear that Heartland can take part in the dispute-resolution mechanisms solely by virtue of agreeing with the acquirer banks to be bound by the regulations."
Garza was mindful that the New Jersey Supreme Court has long been a leader in the expansion of tort liability, citing 3rd Circuit case law noting that Garden State courts have consistently held that contract law is better suited to resolve disputes "between parties where a plaintiff alleges direct and consequential losses that were within the contemplation of sophisticated business entities with equal bargaining power and that could have been the subject of their negotiations."
A spokesperson for Heartland declined to comment for this story.
The other plaintiffs in the case are Amalgamated Bank, First Bankers Trust Co., Pennsylvania State Employees Credit Union, Elevations Credit Union, O Bee Credit Union and Seaboard Federal Credit Union.
Computer hacker Albert Gonzalez, 31, of Miami, was sentenced to 20 years in federal prison in 2010 for his role in hacking Heartland's systems. Gonzalez, aka "segvec," "soupnazi" and "j4guar17," pleaded guilty in Boston to two counts of conspiracy to gain unauthorized access to payment card networks.
Other victims of the hack included retailers 7-Eleven and Hannaford Brothers.
According to the plea agreement, Gonzalez leased or otherwise controlled several servers, or "hacking platforms," and gave other hackers access to the servers, knowing they would use them to store malicious software, or "malware," and launch attacks against corporate victims.
Investigators also found malware used against several of the corporate victims on a server Gonzalez controlled.
Gonzalez tested malware by running multiple anti-virus programs to see if the programs detected the malware. According to the plea agreement, Gonzalez and his co-conspirators knew the malware could steal tens of millions of credit and debit card numbers, affecting more than 250 financial institutions.
In September 2009, Gonzalez pleaded guilty to 19 counts of conspiracy, computer fraud, wire fraud, access device fraud and aggravated identity theft. He also hacked into TJX Companies, BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble and Sports Authority. Gonzalez pleaded guilty in September 2009 as well to one count of conspiracy to commit wire fraud relating to hacks into the Dave & Buster's restaurant chain, which were the subject of a May 2008 indictment in the Eastern District of New York.