Thursday, December 08, 2011

Bank plaintiffs mostly lose data breach-based claims against processor

In re Heartland Payment Systems, Inc. Customer Data Security Breach Litigation, 2011 WL 6012598 (S.D. Tex.)

In January 2009, Heartland disclosed that hackers had breached its computer systems and obtained access to confidential payment-card information for over one hundred million consumers. The resulting lawsuits were consolidated; this opinion deals with financial institution plaintiffs. They filed a master complaint asserting causes of action for breach of contract and implied contract, negligence and negligence per se, negligent and intentional misrepresentation, and violations of consumer protection statutes. The court granted Heartland’s motion to dismiss with prejudice and without leave to amend for the negligence claims and for the New Jersey, New York, and Washington consumer protection law claims. The court also granted a motion to dismiss with leave to amend for the breach of contract; breach of implied contract; express misrepresentation; negligent misrepresentation based on nondisclosure; and violations of the California, Colorado, Illinois, and Texas consumer protection law claims. The court denied Heartland’s motion to dismiss the Florida consumer protection law claim.

When consumers swipe their payment cards at merchants, the information goes from the point of sale, to an acquirer bank, across the credit-card network, to the issuer bank, and back. “Acquirer banks contract with merchants to process their transactions, while issuer banks provide credit to consumers and issue payment cards.” The acquirer bank forwards the information to the issuer bank over the network (e.g., Visa and MasterCard) for approval; if the transaction is approved, the issuer sends money to the acquirer, which then sends the money to the merchant. Banks often act as both issuers and acquirers, and outsource processing to other companies. Credit card networks such as MasterCard and Visa impose extensive regulations on the acquirer and issuer banks with whom they contract, and require the banks to impose these regulations on the merchants who submit transactions for processing and on the entities that process the transactions.

The financial institution plaintiffs were nine banks suing as issuers. Heartland processed merchant transactions on behalf of two acquirer banks. Heartland’s contracts with the acquirers required it to comply with the Visa and MasterCard network regulations, which trumped the terms of Heartland’s contracts with banks where the two differed.

At least as early as December 2007, three hackers infiltrated Heartland’s computer systems. In October 2008, Visa alerted Heartland to suspicious account activity; Heartland discovered suspicious files in its systems in January 2009, then found the program creating those files. Shortly thereafter, Heartland publicly announced the breach. The hackers got card numbers and expiration dates for 130 million accounts, and in some instances cardholder names. They didn’t get addresses, so the stolen information generally could only be used in person (card-present transactions), not for card-not-present fraud.

Plaintiffs alleged that the breach resulted from Heartland’s failure to follow industry security standards known as PCI–DSS. They incurred significant expenses replacing payment cards and reimbursing fraudulent transactions.

I won’t go into detail on all the claims. The sticking point on most was the contracts, which didn’t make the plaintiffs into third-party beneficiaries and generally limited recovery for economic loss. Though Visa found Heartland to be in violation of its regulations, and both Visa and MasterCard fined Heartland Bank and KeyBank, the network members that had retained Heartland, the court found generally that network regulations, not tort law, were the appropriate means for any relief. With a cite to my colleague Adam Levitin, the court noted that many people have written about the fairness and effectiveness (or lack thereof) of those rules, but the plaintiffs accepted them and issued payment cards under them. Moreover, the damages sought were the kinds ordinarily expected to flow from a data breach, which could thus be addressed in contracts instead of in negligence.

Plaintiffs also alleged fraud and negligent misrepresentation under New Jersey law. Heartland’s statements in SEC filings and analyst calls, on Heartland’s logo and website allegedly suggested that its security measures were better than they were. Plaintiffs also alleged misleading nondisclosure. Heartland, by participating in the Visa and MasterCard networks, allegedly represented that it would follow the network security regulations.

Common-law fraud has five elements: (1) a material misrepresentation of a presently existing or past fact; (2) knowledge or belief by the defendant of its falsity; (3) an intention that the other person rely on it; (4) reasonable reliance thereon by the other person; and (5) resulting damages. Negligent misrepresentation requires neither intent to deceive nor knowledge that the statement is false.

FRCP 9(b) requires pleading with particularity for fraud, though the parties disputed whether the negligent misrepresentation allegations were subject to 9(b). The court found, regardless, that the allegations failed to satisfy Rule 8 under Iqbal etc.

First, Heartland argued that many of the alleged misrepresentations were mere vague and subjective puffery on which it was not reasonable to rely. The court first found that to the extent that Heartland purported to guarantee absolute data security, reliance would be unreasonable as a matter of law. Heartland's slogans—“The Highest Standards” and “The Most Trusted Transactions”—were also puffery, as were statements that Heartland used “layers of state-of-the-art security, technology and techniques to safeguard sensitive credit and debit card account information”; that it used the “state-of-the-art [Heartland] Exchange”; and that its “success is the result of the combination of a superior long-term customer relationship sales model and the premier technology processing platform in the industry today.”

One alleged misrepresentation came after the public disclosure of the breach. The website Heartland created about the breach stated that “Heartland is deeply committed to maintaining the security of cardholder data, and we will continue doing everything reasonably possible to achieve this objective.” That couldn’t form the basis of a misrepresentation claim because it couldn’t have been material to banks’ and merchants’ decisions to contract with Heartland.

Heartland made other statements, such as “we have limited our use of consumer information solely to providing services to other businesses and financial institutions,” and “[w]e limit sharing of non-public personal information to that necessary to complete the transactions on behalf of the consumer and the merchant and to that permitted by federal and state laws.” But the court found that these weren’t statements about data security but rather about intentional data sharing.

However, some statements were sufficiently definite and verifiable to support a claim for negligent misrepresentation: e.g., “[w]e maintain current updates of network and operating system security releases and virus definitions, and have engaged a third party to regularly test our systems for vulnerability to unauthorized access”; “we encrypt the cardholder numbers that are stored in our databases using triple-DES protocols, which represent the highest commercially available standard for encryption” (a checkable factual claim, and a contestable one, since AES had been a federal encryption standard since 2001); Heartland’s “Exchange has passed an independent verification process validating compliance with VISA requirements for data security.”

Heartland argued that the complaint insufficiently alleged reliance. The court agreed, finding the allegations wholly conclusory, claiming only “justifiable reliance” and “reasonable reliance.” “It is unclear, for example, if the issuer banks' reliance was through their joining, remaining in, or withdrawing from the Visa and MasterCard networks, or what relationship the statements have to any such actions.” Thus, these claims were dismissed with leave to amend.

Implied misrepresentation: plaintiffs alleged that “by accepting and agreeing to process the credit cards and/or debit cards issued by [the Financial Institution Plaintiffs], Heartland impliedly agreed that it would adequately protect the sensitive information contained in these cards, as well as comply with applicable standards to safeguard data.” Plaintiffs alleged that Heartland knew they were relying on it for appropriate data security. The Massachusetts Supreme Judicial Court has rejected the same theory in litigation arising out of a similar data breach. It reasoned that the payment networks’ regulations explicitly provide for fines for breach of data storage requirements, showing that the system was designed with the possibility of breaches in mind. Issuers also insure themselves against fraudulent charges, anticipating breach. Thus, plaintiffs knew that data breaches could occur, notwithstanding Heartland’s contractual obligation to follow the regulations. (What about the risk that breach would occur?) Under New Jersey law, it’s unreasonable to rely on a representation when a financial arrangement exists to provide compensation if circumstances later prove that representation false.

Nondisclosure/deliberate suppression of material fact: Duties to disclose arise under New Jersey law where there’s a fiduciary relationship, where the nature of the transaction calls for perfect good faith and full disclosure, where one party expressly reposes trust and confidence in the other, or where necessary to correct a material misrepresentation. The court found that the complaint alleged insufficient facts to find a duty to disclose, though there was a possible theory for an amended complaint that, having held itself out as having adequate security, Heartland had a duty to disclose its flaws.

The court then turned to the consumer protection claims, based on the laws of the states in which the plaintiffs were based. Heartland, unusually for a defendant, sought the application only of New Jersey law, arguing that multiple states’ laws couldn’t apply to the same set of misrepresentations. But courts have applied multiple state consumer protection laws where choice of law rules produce that result.

NJCFA: A business may sue under the NJCFA, but claims are generally limited to consumer-oriented situations. Competitors generally lack standing, according to the cases found persuasive by the court here. Wholesalers aren’t protected because they don’t consume merchandise but just pass it on. Even when a business is a consumer, other factors may make the NJCFA inapplicable. The law applies only to “goods or services generally sold to the public at large.” Past cases have found such goods or services to include yachts, computer peripherals, cranes, concrete, and commercial-renovation services, but not sales of complex business franchises and custom services targeted to businesses. “The presence of large transactions or sophisticated business plaintiffs is a factor weighing against the NJCFA's applicability.”

The complaint alleged that the plaintiffs were “consumers in the marketplace for, inter alia, credit card and/or debit card transaction processing services, and have been injured in this capacity.” However, the complaint didn’t allege that the plaintiffs bought any services from Heartland. Their relationship existed because they all participated in the Visa/MasterCard networks, which the court distinguished from a “direct, downstream” relationship between a consumer and the manufacturer of a good. The network regulations explicitly contemplate the existence of third-party processors, and the plaintiffs had no control over who those would be. Moreover, payment-card processing isn’t offered to the general public, but rather to members of the networks. Network regulations offer significant protection to the plaintiffs through loss-allocation rules and a cost-recovery process, and in turn plaintiffs and other issuer banks are required to maintain fraud-detection programs. These characteristics made NJCFA coverage inappropriate.

California UCL: dismissed with leave to amend because of the same conclusory assertion of reliance discussed above.

Colorado Consumer Protection Act: dismissed with leave to amend because it referred to a subsection of the law that only covers claims about price.

Florida Deceptive and Unfair Trade Practices Act: Given specific amendments to the FDUTPA to replace “consumer” with “person” in relevant provisions and otherwise clarify that businesses could bring suits, Heartland’s motion to dismiss on lack of standing grounds was denied.

Illinois Consumer Fraud and Deceptive Business Practices Act: Dismissed without prejudice for failure to adequately allege that Heartland intended plaintiffs to rely, since its statements weren’t directed to issuer banks. “Because issuers have no direct dealings with payment-card processors, it is implausible that Heartland intended statements in documents not directed to the Financial Institution Plaintiffs to be relied on by them or by any issuer banks. The master complaint conclusorily alleges reliance, insufficient to state a claim.” Moreover, nonconsumers must show that the conduct at issue implicates consumer protection concerns to sue under the law.

New York General Business Law §349: A consumer, for § 349 purposes, is one who purchases goods and services for personal, family or household use. Complex transactions involving sophisticated parties are not generally covered under the law, which requires a consumer-oriented act. Plaintiffs didn’t count as consumers, nor was the conduct consumer-oriented under NY law since the statements at issue were about services neither marketed nor offered to individual consumers. Claim dismissed with prejudice.

Texas Deceptive Trade Practices-Consumer Protection Act: Dismissed with leave to amend because of conclusory allegations of reliance. The court didn’t rule on Heartland’s argument that the complaint failed to allege that Lone Star National Bank, the only Texas plaintiff, has less than $25 million in assets, as required to satisfy the state definition of “consumer.”

Washington Consumer Protection Act: The state law requires an effect on the public interest, which means a likelihood that additional people have been or will be injured in the same fashion. Courts consider several factors, including whether defendants advertised to the public in general and whether the parties occupied unequal bargaining positions. The court found that the complaint failed to allege sufficient facts suggesting that the claim here affected the public interest. “The only group likely to be injured in the same fashion—incurring expenses for replacement cards and fraudulent transactions—consists of other issuer banks. Such a group is both too small and too specialized to constitute a substantial portion of the public.” Plus, the plaintiffs were sophisticated enough to fall outside the class of parties subject to exploitation.

“The master complaint vaguely alleges that Heartland intended its statements to lull the public into believing that its data security was better than it actually was. That allegation is insufficient to show that a dispute between sophisticated banks that issue payment cards and the company hired by other banks to process payments for merchants affects the public interest.” Claim dismissed with prejudice.
