Recently, a federal district court judge dismissed the majority of claims brought by financial institutions against Heartland Payment Systems ("HPS") as a result of its 2009 data breach. The plaintiffs alleged that hackers obtained payment card numbers and expiration dates for approximately 130 million accounts as a result of the breach. The plaintiffs were financial institutions that did not participate in the Visa or MasterCard settlements.
U.S. District Judge Lee Rosenthal dismissed all claims except for the plaintiffs’ claim under the Florida Deceptive and Unfair Trade Practices Act. HPS argued that the Act only applied to consumers, but Judge Rosenthal disagreed, noting that the Act was amended in 2001 to state “person” instead of “consumer."
Judge Rosenthal dismissed the plaintiffs’ breach of contract, breach of implied contract, express misrepresentation, and negligent misrepresentation claims, and violations of California, Colorado, Illinois and Texas consumer protection and unfair competition law claims, but granted the plaintiffs leave to amend their complaint on these claims. Claims brought under the New Jersey, New York, and Washington consumer protection laws were dismissed with prejudice and without leave to amend.
As to the plaintiffs’ breach of contract claims, Judge Rosenthal ruled that the plaintiffs were not third party beneficiaries of the contracts between HPS and its acquirers. The judge found “no clearly expressed intent to convey any enforceable right to the Financial Institution Plaintiffs or to any class to which they belong.”
One of the hackers, Alberto Gonzalez, is currently serving 20 years in prison for his role in the HPS breach. HPS was one of at least five companies that suffered breaches as a result of Gonzalez’s activities. As part of his plea agreement, Gonzalez is supposed to pay HPS over $53 million in restitution.