You Have To Have Heart(land)

by Henry Meier

Last I talked about the Heartland litigation, it was to bemoan the dismissal of the lawsuit which a group of credit unions and banks brought against the payment processor after hackers were able to pull off one of the biggest data thefts in history.  Recently, the Court of Appeals for the Fifth Circuit revived the lawsuit, or at least put it back on life support.  It is allowing financial institutions to go forward with their claim that Heartland should be responsible for the extent to which its negligence in protecting the data cost financial institutions money.  While it is far from clear that the case will ultimately result in a settlement — it could still be dismissed on other grounds — the ruling demonstrates a common sense approach that can be taken to holding merchants and the parties with whom they contract to process their payments accountable.  The credit union industry has a huge stake in ensuring that this actually comes to fruition.

Contrary to popular belief, the law restricts negligence actions that one company can bring against another company for causing purely economic harm, although this varies widely depending on the state in which you live.  The basic idea is that companies should protect themselves from other companies’ misdeeds with well-drafted contracts that specify each other’s obligations and the damages that will be paid when one party fails to live up to them.  The problem is that given how interconnected today’s economy is, there are an increasing number of actions taken by a company in one state that could cause foreseeable harm to a business in another even though they have no contractual relationship.  For example, your credit union never had a contract with Heartland.  But as a result of their data breach, your credit union may have been on the hook for the cost of replacing the compromised debit and credit cards, not to mention the indirect cost of being the public face of a problem for which you aren’t responsible.

The Heartland case is going forward because the court ruled that, in a narrow set of circumstances, New Jersey law permits companies to bring claims for purely economic loss suffered by one company as the result of another’s actions even without a contract.  What we need is a national law that authorizes causes of action against merchants and payment processors for the foreseeable damages they caused as a result of their negligent handling of personal data such as debit and credit card information.  This is the only way to ensure that merchants have some skin in the game when it comes to making the investments necessary to protect against data theft.  Right now, if I were a merchant, the cost-benefit analysis would lead me to conclude that data theft is something for the other guy to worry about.
