The lawsuit, filed Tuesday (Jan. 19), hit Heartland hard for its "lack of Payment Card processing system security; its desire to use a 'lowest bidder' system of selecting its outsourced IT 'auditors'; its reliance on a 'snapshot' telling it that, at one identifiable point in time, its system supposedly complied with the bare minimum industry standards; its startlingly poor IT oversight in general; and (Heartland's) complete and utter disregard of the oversight responsibilities they had to their fellow members of the Associations that allowed the intruders to make trip after trip in and out of the Heartland Payment Card processing system."
The lawsuit also referenced Heartland's initial response to the attack. "Thirteen months later, the 'clean up' efforts would be seen for what they were—worthless." (Pause. But other than that, Mrs. Lincoln, how was the play?)
Lawyers behind the new class-action attempt are painting the settlement as inadequate and implying that it lets Heartland and some Heartland partners off too easily. "There were more than 86 million Visa payment cards compromised by the data breach," said Attorney Mike Caddell. "Once a financial institution factors in the costs it incurred to cancel and reissue the payment cards and the unauthorized charges it was forced to absorb, its share of the settlement most likely will be pennies on the dollar."
But the attorneys saved some of their most direct comments for Heartland's bank partners. "Perhaps the most egregious aspect of the proposed settlement is that Heartland's acquiring banks—KeyBank and Heartland Bank—which also are potentially liable for the data breach damages, will receive a complete release of any liability even though they are contributing little, if anything, to the settlement," said Interim Co-lead Counsel Richard Coffman. "The majority of the settlement funds are provided by Heartland, which is downplaying its ability to pay any more money. Yet, KeyBank has $97 billion of assets and Heartland Bank has over $1 billion of assets, which suggests that there are additional sources of money to compensate the issuers for their damages."
Coffman pushed this point a bit further and started to question Visa's agenda. "It certainly makes one wonder," Coffman said, "why Visa would secretly negotiate a settlement on behalf of its issuers that lets the two richest potentially culpable parties off the hook with little, if any, financial investment and then force its issuers to decide within two weeks whether to accept the deal."
Added Coffman: "If I were an executive of a financial institution harmed by the Heartland data breach, I would seriously question whether Visa truly has the best interests of its network members at heart."
Somehow, I don't think any entity that's worked with Visa ever thought—even briefly—that Visa has the best interests of others at heart. That's no knock against Visa. This is the heart of the financial world, and altruism simply isn't expected.
Another attorney involved in the class-action filing, Joe Sauder, tried to make distinctions between the Heartland case and the TJX case.
"In the informational Webinars conducted by Visa, the issuers have been told that this settlement is similar to the one in the TJX data breach case, where approximately 97 percent of the financial institutions elected to participate. Visa and Heartland, however, omit some important information," Sauder said. "The Visa settlement in TJX occurred when that case was in a very different stage in the litigation."
In the TJX case, Sauder said, the settlement offer "was late in the case and the court had issued opinions denying the issuers' motion for class certification and narrowing their legal claims, which meant, as a practical matter, there was no viable alternative for the issuers but to accept the settlement or file individual lawsuits. Also, prior to the settlement, TJX produced over 500,000 pages of documents."
Sauder contrasted that with Heartland's case. "Here, on the other hand, it is early in the case and there has been no formal discovery. There also are other important factual differences between TJX and the Heartland case," he said. "In our view, the proposed Visa settlement clearly is designed to circumvent the safeguards inherent in the judicial process."