Heartland Lawsuit Dismissed, "Insufficient Evidence" Of Weak Security

A federal judge dismissed a data breach-related lawsuit against Heartland Payment Systems on Monday (Dec. 7), saying that the plaintiffs hadn't proved any of their allegations that Heartland knew it had inadequate security and lied about it to shareholders. The judge's detailed ruling sheds light on the environment data breach retail victims are likely to face in court and could provide some guidance on how they should act when discussing those breaches.

Unlike earlier retail data breach lawsuits—typically with consumers or banks as plaintiffs—this was a shareholder action and merely needed to prove that Heartland execs misled the public about their security status. U.S. District Court Judge Anne E. Thompson, sitting in New Jersey, concluded Heartland execs had not.

The Heartland incident that prompted the lawsuit started in December 2007 when a group of cyberthieves led by Albert Gonzalez (who just this month agreed to plead guilty to breaking into Heartland's servers) broke into Heartland's payroll system via a SQL attack. Heartland's people spent much of January 2008 cleaning up the payroll mess, ultimately concluding that no data was taken from the payroll program.

But what Heartland's people didn't know at the time, Thompson wrote in her decision, was that Gonzalez's team had hidden another program in the system, one that infected payment processing. Whether the payroll program attack failed or if it had always been intended to be a distraction, giving Heartland the false belief that the threat had been neutralized, is still unknown.

What is known is that the payment processing attack was quite effective. Thompson said that 130 million credit and debit card numbers were stolen in 2008 and that Heartland officials didn't figure out what was going on until mid-January 2009. The company disclosed the credit card breach about a week later.

Heartland's stock price plunged. "Following this disclosure and subsequent disclosures about the possible impact that the thefts might have on Heartland’s business, Heartland’s stock price dropped from more than $15 per share on January 19 to $5.34 per share by February 24," Thompson wrote. "If measured from its highest price during 2008, Heartland’s stock suffered a total decline in value of almost 80 percent. Plaintiffs, who purchased stock during 2008, suffered significant losses as a result of this decline in value."

The lawsuit said that Heartland executives lied about what they knew about the attacks in earnings conference calls and in federal SEC filings.

"Plaintiffs contend that when asked about security incidents that occurred in 2007, Defendants concealed the SQL attack. They also contend that Defendants made statements to the effect that Heartland had adequate security systems and that Heartland took the issue of computer network security very seriously," the judge wrote. "Plaintiffs argue that these statements concerning the general state of security at Heartland are fraudulent because (CEO Robert) Carr and (CFO Robert) Baldwin were aware that Heartland had poor data security and had not remedied the problem."

The judge discussed the exchange on the Feb. 13, 2008, earnings call. "During the conference call, Carr and Baldwin discussed certain information technology and security expenditures that Heartland made during the last quarter of 2007. These general remarks prompted a couple of analysts to ask whether there was any specific security incident that prompted Heartland to make those expenditures, to which Defendants basically answered, 'No.' Plaintiffs allege that this was untruthful because it conceals the fact that Heartland suffered the SQL attack."

But Thompson reviewed the full audio of that conference call and sided with Heartland. "Careful attention to context demonstrates that Defendants’ statements and omissions on this conference call are not fraudulent. The analysts’ questions concerned certain expenditures that Heartland made during the fourth quarter of 2007. Obviously, any incident that prompted those expenditures would have occurred before the expenditures were made. The SQL attack occurred on December 26, far too late in the quarter to have been the cause for the million-plus dollar expenditure that was the subject of the analysts’ questions," she said in her decision. "If the analysts had simply asked 'Did you suffer a security lapse in fourth quarter 2007?' then Defendants’ answers might very well have been misleading. But the analyst was specifically asking whether Heartland suffered a security incident that caused the large fourth quarter IT expenditure. Since the SQL attack did not cause the fourth quarter security expenditure, Defendants answered truthfully when they answered in the negative."

Thompson also discussed another exchange on that call, one where the CFO compared Heartland to the infamous TJX data breach. "Plaintiffs allege that Defendant Baldwin made one other misrepresentation on the February 13 conference call—the following statement: 'With IT security, you’re either pregnant or you’re not. And I think it would be irresponsible for us to know that we have vulnerabilities in our system where we could have something really bad happen that would put the Company in a TJ Maxx position. Now, fortunately, we’ve never had anything close to that happen, but we could see a scenario where that could have happened. We don’t see that anymore.'"

The judge said that the plaintiff "argues that this statement is untrue because Heartland had in fact suffered a significant security breach—the SQL attack. However, this Court does not read the above paragraph as concealing that fact. A 'TJ Maxx position' presumably refers to an incident in 2005 when hackers breached the (TJX) computer network and gained information on 45 million credit and debit card accounts. As of February 2008, hackers had not stolen any credit card information from Heartland. So at the time the above statement was made, Heartland had not suffered the sort of security problem to which Baldwin was alluding. In other words, in the above-quoted passage, Baldwin was talking about security breaches that resulted in major financial problems. There are no allegations to the effect that, as of February 2008, Heartland had suffered any major headline-making problems of the sort T.J. Maxx experienced in 2005. Furthermore, Baldwin did not categorically assert that Heartland had never suffered any security problems. He merely stated that Heartland had not suffered anything 'close to' what (TJX) had suffered. His statement was therefore truthful."

Thompson also ruled that a retailer can say it has strong security without meaning that it is invulnerable to any attack. "The fact that a company has suffered a security breach does not demonstrate that the company did not 'place significant emphasis on maintaining a high level of security.' It is equally plausible that Heartland did place a high emphasis on security but that the Company’s security systems were nonetheless overcome. In fact, given all the money that Heartland spent on security in late 2007 and the fact that Heartland did take steps to fix its security after the SQL breach, the latter explanation seems much more plausible," she wrote. "The fact that a company faces certain security problems does not of itself suggest that the company does not value data security."

The investor plaintiffs also pointed to the testimony of multiple Heartland employees stating that Heartland had cut far too many security corners; the judge found that testimony insufficient. "One former employee’s opinion that Heartland did not do everything it could have done to address the security breach does not render the statement 'We place significant emphasis on maintaining a high level of security' false. Furthermore, the cautionary statements in the Form 10-K—warning of the possibility of a breach and the consequences of such a breach—make clear that Heartland was not claiming that its security system was invulnerable," the judge ruled. "The facts alleged in the complaint do not support an inference that Heartland did not make serious efforts to protect its computer network from security breaches. Furthermore, the 10-K did not make any statements to the effect that the company’s network was immune from security breaches or that no security breach had ever occurred. Therefore, the statements in the 10-K were not false or misleading."

She added: "According to the Complaint, the only people at Heartland who believed that the company had not adequately addressed the SQL attack were the former Senior Developer quoted above, another Senior Developer named George Duke and a former Business Analyst. Furthermore, none of these people is alleged to have expressed any reservations about security until after the credit card theft was discovered in January 2009. This after-the-fact speculation by a handful of lower level employees does not support the inference that Heartland and its corporate officers were consciously or recklessly dissembling when they stated that the company treated security as one of its central concerns."

The judge also ruled that Heartland could have disclosed the earlier breach and, had it done so, it could have been considered material information. But Thompson added that the processor had no legal obligation to have done so. "There is no general duty on the part of issuers to disclose every material fact to investors," she said. "Since (Heartland executives) are not alleged to have made any misleading statements, they never had a duty to disclose the 2007 breach."