"While we have determined that the Processing System Intrusion has triggered a loss contingency, to date an unfavorable outcome is not believed by us to be probable on those claims that are pending or have been threatened against us, or that we consider to be probable of assertion against us, and we do not have sufficient information to reasonably estimate the loss we would incur in the event of an unfavorable outcome on," Heartland reported. "As more information becomes available, if we should determine that an unfavorable outcome is probable on such a claim and that the amount of such unfavorable outcome is reasonably estimable, we will record a reserve for the claim in question any such claim."
The Form 10-K also listed a wide range of agencies probing the breach, including quite a few whose Heartland probes had not been public. The list now includes the Federal Financial Institutions Examination Council, the Federal Trade Commission, the Louisiana Department of Justice Office of the Attorney General, the Canadian Privacy Commission and quite a few state Attorneys General.
Heartland also referenced Visa's decision last week to remove Heartland from the PCI compliant list.
Heartland in the document confirmed the Visa move and added a critical piece of new information. Visa had said that Heartland was suspended until they could be recertified. Heartland's SEC filing said that Visa intends to keep Heartland as "probationary" for two years after they've been recertified, during which time they would risk "our disconnection from VisaNet or our disqualification from the Visa payment system."