But the appeals court said that while the judge was right about Texas law, Heartland could be sued under New Jersey law, where Heartland is headquartered, because the economic loss doctrine works differently there. The key issue: Except for going to court, the issuing banks had no clear way of going after Heartland to get their money back. That means the case is alive again and will return to Texas for further proceedings.
Heartland's breach, which was revealed in January 2009, involved 130 million stolen credit card numbers and is still causing issuing banks to send warnings to their customers. Uber-hacker Albert Gonzalez was sentenced in 2010 to 20 years in prison after pleading guilty to conspiracy in the breach.
But when the issuing banks and credit unions (Lone Star National Bank, Amalgamated Bank, First Bankers Trust, Pennsylvania State Employees Credit Union, Elevations Credit Union, O Bee Credit Union and Seaboard Federal Credit Union) whose card numbers were stolen went after Heartland in court, they ran up against that economic loss doctrine.
Put simply, it's the legal principle that contract lawsuits are better suited to cases of economic loss, while civil law accusations of wrongdoing or negligence are more appropriate to cases of physical harm. The economic loss doctrine "generally limits a plaintiff seeking to recover purely economic losses, such as lost profits, to contractual remedies," the appeals court wrote.
And while that's pretty strictly enforced under Texas law, where the case was actually brought, New Jersey's Supreme Court has opened several loopholes in the name of fairness. One is that if an injured party can't rely on a contract it actually had a part in crafting (those are the contracts that Heartland presumably had with Visa and MasterCard to be on their networks) and if the injuring party could have foreseen a group that would have been hurt by its negligence, then the non-contract economic loss case can go forward anyway.
"Heartland had reason to foresee the issuer banks would be the entities to suffer economic losses were Heartland negligent," the appeals panel wrote. "The identities, nature, and number of the victims are easily foreseeable, as the Issuer Banks are the very entities to which Heartland sends payment card information... Accordingly, even absent physical harm, Heartland may owe the Issuer Banks a duty of care and may be liable for their purely economic losses."
And those Heartland contracts that might have subjected the issuing banks to Visa's and MasterCard's own processes? "It is not clear whether Heartland's contracts with the Acquirer Banks, which require Heartland to comply with Visa and MasterCard rules and regulations, provide the Issuer Banks with compensation mechanisms for losses that may be caused by Heartland's negligence," the judges wrote. "Further, it is unclear whether Heartland has contracts with Visa and MasterCard, let alone what the contents of such contracts may be. Though the district court permitted some discovery on the existence of these contracts at the motion to dismiss stage, the results were inconclusive and thus do not aid our inquiry."
That doesn't mean the issuing banks will win their case against Heartland. It just means their case can't be thrown out at an early stage, the way it was by the federal court in Texas.
All this may sound like obscure legal tap-dancing. After all, Heartland's breach is ancient history and besides, it's a processor, not a merchant.
But merchants get breached all the time. And at the same time that card brands' ability to levy PCI fines is under assault in court, issuing banks are gaining traction in their efforts to sue in breach cases even without involving Visa or MasterCard. Retailers may be in the process of exchanging fines from Visa for lawsuits from all the banks whose card numbers were stolen.