Visa Deal Pushes Heartland Breach Settlement Costs (So Far) To $65 Million

A settlement with Visa announced Friday (Jan. 8) will require Heartland Payment Systems (HPS) to pay $59.22 million to compensate Visa card issuers for costs they incurred as a result of Heartland's massive 2007 data breach. The Visa settlement follows two other recent agreements, one with American Express and another with a group of breach-affected cardholders, and it will bring Heartland's breach-related settlement compensation tab to about $65 million.

But the bleeding won't stop there. HPS has yet to reach agreements with Discover, MasterCard or others.

The Visa agreement, described in a filing with the Federal Securities Exchange Commission (SEC), calls for HPS to take out a $53 million loan to help it pay $59.22 million to Heartland Bank and KeyBank National Association, two of its sponsor banks. Visa will pay back to the banks $780,000 in fines it collected from them after the breach.

The massive intrusion, which touched 130 million cards, began in December 2007 and wasn't discovered until January 2009. It was supposedly masterminded by Albert Gonzalez of Miami.

"The settlement amount represents a significant recovery to Visa issuers for losses they may have suffered from the Heartland data security breach," said Visa and Heartland in a statement, stressing that not only will all U.S. card issuers be eligible to receive a portion of the recovery but international issuers of accounts that Visa "considered to have been placed at risk of compromise" will also be included.

Visa and Heartland pointed out the settlement agreement must be approved by at least 80 percent of the affected card issuers. In the statement, Visa's chief enterprise risk officer, Ellen Richey, said Visa believes the issuers "will benefit by participating in this settlement program because it offers an immediate recovery with respect to losses they may have incurred." Heartland CEO Bob Carr, in the same statement, said he believes the settlement with Visa is a fair one that "helps issuers obtain a recovery."

The settlement between Heartland and American Express, announced in mid-December, calls for Heartland to pay Amex $3.6 million. It was described by Heartland as being "the first agreement with a card brand" relating to the data breach. Additionally, Heartland agreed to settle consumer cardholder class action lawsuits that were consolidated in U.S. District Court for the Southern District of Texas. Under the terms of the settlement, Heartland will pay $1 million to $2.4 million "to class members who submit valid claims for losses as a result of the intrusion."

The settlement is limited to people who had payment cards used in the U.S. between Dec. 6, 2007 and Dec. 31, 2008 "and who allege or may allege they suffered losses" due to the breach at Heartland. Heartland also agreed to pay all costs associated with the administration of the settlement, including up to $1.5 million for sending notices to class members and up to $760,000 of the attorneys’ fees and costs.

One tidbit, buried in a statement about the settlement, notes that Heartland will "submit the report of an independent expert" regarding its actions and plans "to enhance the security of its computer system" since the breach was disclosed. Heartland reserved the right to cancel the agreement if more than 2,500 people submit bona fide requests to be excluded from the class or if it will cost more than $1.5 million to send notices about the settlement.