Issuing Banks File Class Action Suit Against Acquiring Banks in Heartland Breach Matter
In an interesting development, a handful of issuing banks impacted by the Heartland breach have filed a class action lawsuit against two acquiring banks related to Heartland Payment Systems. According to this article, the issuing banks are unhappy with Heartland's proposed settlement with Visa. This appears to be an attempted end-run around the proposed $60 million settlement with Visa. It also may demonstrate that issuing banks are not satisfied with the dispute resolution mechanisms under the Visa Operating Regulations (the Account Data Compromise Recovery process estimated the loss at $140 million, yet the settlement was for only $60 million), and their ability to be made whole under those mechanisms. We will have more analysis of the complaint at a later date. In light of the relative lack of success issuing banks have had in these types of cases, it will be very interesting to analyze the legal theories employed by the issuing banks and track the progress of this matter.
Quickhits: Heartland Settles With Visa for $60 Million
Read all about it here. Note, analyst Avivah Litan of Gartner indicated that "this seems like a very fair settlement, and it seems like Heartland escaped the tremendous costs that TJX incurred - $139 million plus - despite the fact that Heartland's breach was more extensive." In reality TJX settled with Visa for $41 million, and the $139 million figure (wherever she got it from -- this article from June 2009 claims TJX expended $320 million) likely includes both the Visa and Mastercard settlement amounts PLUS the costs and expenses to defend the numerous actions filed against TJX. At this point I doubt that Ms. Litan (or anybody else except Heartland) knows how much Heartland has incurred in expenses to defend the numerous lawsuits and regulatory actions it is facing.
Quickhits: Security in the Ether; Countrywide Settles Data Breach Case
Happy New Decade (2010)! Unbelievably another decade is gone. Information law developments continue to occur at an increasingly fast pace. The InfoLawGroup is catching up from a very busy December, so we will start out the 2010 blogging with a couple quick hits.
Security in the Ether. A very nice article by David Talbot on the security challenges, myths and misperceptions around Cloud computing. The challenge for security pros and lawyers: what is "reasonable security" in the Cloud, how do you perform your "due diligence," how do you document your due diligence process for use in the event of a breach, litigation or a regulatory action, and how do you draft and negotiate contracts for Cloud-based services?
Judge Preliminarily Approves Countrywide Data Breach Lawsuit Settlement. Faced with 35 lawsuits (many of them class actions) arising out of a security breach exposing the records of millions of customers, Countrywide Financial Corp. has chosen to settle. The settlement includes an offer of one year of credit monitoring for up to 17 million people. In addition, customers that suffered identity theft may recover up to $50,000, but only if they actually lost something of value, were not reimbursed and the theft stemmed from the Countrywide breach. Assuming a 20% redemption rate and a cost of $5-$15 per year for credit monitoring, the credit monitoring alone could cost from $17 million to $51 million (probably on the lower end of the scale -- Countrywide should be able to negotiate favorable credit monitoring rates considering the potential volume). Additional costs that Countrywide had to incur include legal fees and breach notice expenses (assuming breach notice laws were triggered). Does this settlement (and other settlements I am aware of that have been less publicized) indicate a growing fear that the "damages" wall is weakening?


