HOUSTON (CN) – Heartland Payment Systems resolved a privacy dispute with customers whose accounts were hacked with a settlement of just $1 million, a new court order states.
“The common factual question in this case is what actions Heartland took before, during, and after the data breach to safeguard the consumer plaintiffs’ financial information,” U.S. District Judge Lee Rosenthal said in an order approving the settlement.
The theft led numerous parties to complain of Heartland’s failure to adhere to industry security standards in providing payment-card processing services. The Southern District of Texas consolidated the ensuing civil complaints and divided them into two tracks of litigation: consumer complaints and financial institution complaints.
Rosenthal concluded that the consumers’ class action claim for violations of the Fair Credit Reporting Act satisfied the requirement for typicality. “Because this claim revolves around Heartland’s conduct, as opposed to the characteristics of a particular class member’s claim, no individualized proof will be necessary to determine Heartland’s liability under the act,” the judge wrote Tuesday.
Rosenthal found that the class counsel and class representatives proved to be adequate. “Class counsel have been vigorous in representing the class, as demonstrated by their successful negotiation of a settlement with Heartland, which initially was reluctant to settle,” the 74-page order states.
No individual class member has a significant stake, so detachment from the class representatives is understandable, Rosenthal found.
“Given the minimal individual stakes, Heartland’s general denial of wrongdoing, and the complexities of crafting a class-action settlement, individual class members cannot plausibly be expected to have significant involvement,” Rosenthal wrote.
The decision notes that “Heartland’s dispositive motions would have raised legal issues difficult for the consumer plaintiffs to overcome.”
“In this case, it is uncertain whether the consumer plaintiffs could succeed at trial, let alone reach it,” Rosenthal wrote. “Heartland’s counsel explained that they were planning to move to dismiss or, failing that, for summary judgment when counsel for the consumer plaintiffs ‘dragged us, perhaps kicking and screaming, to a settlement.’”
The settlement requires Heartland to initially place $1 million in an interest-bearing escrow account, and make additional payments as consumers lay claim to the fund. The total fund would not exceed $2.4 million.
Since Heartland received only 11 valid claims, it did not need to deposit additional funds. The settlement contains a cy-près (as near as possible) provision that calls for any remaining funds – which in this case is most of the $1 million – to be divided among three nonprofit organizations that promote relevant security. Those organizations are the Smart Card Alliance, the Secure POS Vendor Alliance and the Financial Services Information Sharing Analysis Center.
“The cy pres provision is essentially the damage award,” Rosenthal wrote. “Because no cy pres payments are to be made until class members had ample opportunity to file claims, the cy pres provision did not divert funds that class members otherwise were entitled to recover. The cy pres provision will indirectly benefit not just the class members, but all payment-card holders.”
Rosenthal further explained the function of the cy-près payments in a footnote: “In this case, it clearly is impractical to distribute the $1 million to absent class members not filing claims. It also is clearly inappropriate to divide $1 million equally among the very few class members – as few as 11 – who have filed valid claims. That would provide them a huge windfall. Allowing those class members with valid claims to receive the amount of their valid claim and then spreading any remaining unclaimed funds between the three nonprofit organizations that focus on improving payment-card security seems a reasonable, and fair, approach.”
Rosenthal noted that only one class member objected, but his argument actually defended Heartland by saying the data breach did not in fact harm consumers.
Heartland also owes $606,000 in attorneys’ fees and $35,000 for costs. Class representatives cannot claim incentive awards.
Three hackers infiltrated Heartland’s computers in December 2007 and stole 130 million debit and credit card numbers. Heartland was one of five companies that suffered such breaches from the trio of hackers, according to a 2009 indictment filed in the District of New Jersey.
One of the hackers, an American named Albert Gonzalez, is serving 20 years in prison after pleading guilty to two charges for the Heartland breach and related crimes. Upon his release, the seasoned hacker is prohibited from using a computer. The original indictment said Gonzalez worked with two hackers who “resided in or near Russia.” In a related case against Gonzalez, the hacker was indicted along with Maksym Yastremskiy, of Kharkov, Ukraine, and Aleksandr Suvorov, of Sillamae, Estonia.