Heartland Bank and Keybank's Motion to Dismiss
As we reported in January, a handful of issuing banks had filed suit against two merchant banks (Heartland Bank and Keybank) for alleged losses (e.g. reissuance and fraud costs) they suffered due to the 2009 Heartland Payment Systems breach.
The general thrust of the class action compliant is that the merchant banks should be liable for the acts and errors of the payment processor they contracted with to process payments on their behalf. The complaint set forth a series of complex legal theories (3rd party beneficiary theory, negligence), some of which had been attempted in other litigation, and some new theories of liability such as breach of fiduciary duty and vicarious liability.
Each merchant bank has now filed a motion to dismiss the issuing banks' complaint. We have obtained copies of the motion and corresponding briefs.
Do the New EU Processing Clauses Apply to You?
A new set of EU standard contract clauses (“SCCs” or “model contracts”) for processing European personal data abroad came into effect on May 15, 2010. Taken together with a recent opinion by the official EU “Article 29” working group on the concepts of “controller” and “processor” under the EU Data Protection Directive, this development suggests that it is time to review arrangements for business process outsourcing, software as a service (SaaS), cloud computing, and even interaffiliate support services, when they involve storing or processing personal data from Europe in the United States, India, and other common outsourcing locations.
Continue Reading...Who is Minding the Legal Risk Around PCI?
An article I did for the ISSA Journal: Who is Minding the Legal Risk Around PCI?
Heartland Payment Systems Sued By Banks
Heartland Payment Systems has been sued in multiple lawsuits by various banks or credit unions that have had to reissue payment cards in the wake of the Heartland breach.
Continue Reading...The New Path to PCI Liability: 3rd Party Beneficiary Theory
Merchants face a potentially huge liability if they suffer a security breach exposing payment card data. Issuing banks (those banks that issue credit cards to consumers) have filed lawsuits to recover reissuiance costs allegedly ranging from $20-$50 per card (multiplied by thousands or millions of cards depending on the magnitude of the breach). A recent decision from the U.S. Court of Appeals for the Third Circuit ("3rd Circuit" or "Appellate Court") appears to have expanded the potential liability merchants face for payment card security breaches. Continue Reading...
TJX Motion to Dismiss Bank's Claims
I came across this ruling in the TJX matter that dismisses some of the banks' claims against TJX: Link
Consistent with past decisions (B.J. Wholesalers) it looks like issuing banks cannot rely on a 3rd party beneficiary theory to go after merchants for breach of contract. Also appears that the economic loss doctrine is still an effective block to general negligence actions.
However, the negligent misrepresentation claim and unfair/deceptive business act claims both survived. The negligent misrepresentation argument was very interesting. Basically, it appears that the issuing banks alleged that by participating in an a financial network that relies on members taking appropriate security measures, TJX made "implied representations" that they would take security measures required by industry practice. The court let these allegations stand, indicating that the economic loss doctrine does not apply to a negligent misrepresentation claim in Massachusetts. In addition the court ruled that the banks' reliance on such implied representations is a question of fact inappropriate for resolution at the motion to dismiss phase. These allegations also serve as the basis for the Banks' unfair and deceptive business practices claims under Chapter 93 of Massachusetts' law.
While the survival of these claims is certainly good news for the banks, TJX may still be able to stop this case from going to trial using a motion for summary judgment further down the line. It will be interesting to see if the Banks can successfully argue that the costs of preemptively reissuing credit cards constitutes "damages" for purposes of negligent misrepresentation.
