Heartland Lawsuit Dismissed, “Insufficient Evidence” Of Weak Security
Written by Evan Schuman
A federal judge dismissed a data breach-related lawsuit against Heartland Payment Systems on Monday (Dec. 7), saying that the plaintiffs hadn’t proved any of their allegations that Heartland knew it had inadequate security and lied about it to shareholders. The judge’s detailed ruling sheds light on the environment data breach retail victims are likely to face in court and could provide some guidance on how they should act when discussing those breaches.
Unlike earlier retail data breach lawsuits—typically with consumers or banks as plaintiffs—this was a shareholder action and merely needed to prove that Heartland execs misled the public about their security status. U.S. District Court Judge Anne E. Thompson, sitting in New Jersey, concluded Heartland execs had not.
The Heartland incident that prompted the lawsuit started in December 2007 when a group of cyberthieves led by Albert Gonzalez (who just this month agreed to plead guilty to breaking into Heartland’s servers) broke into Heartland’s payroll system via a SQL attack. Heartland’s people spent much of January 2008 cleaning up the payroll mess, ultimately concluding that no data was taken from the payroll program.
But what Heartland’s people didn’t know at the time, Thompson wrote in her decision, was that Gonzalez’s team had hidden another program in the system, one that infected payment processing. Whether the payroll program attack failed or if it had always been intended to be a distraction, giving Heartland the false belief that the threat had been neutralized, is still unknown.
What is known is that the payment processing attack was quite effective. Thompson said that 130 million credit and debit card numbers were stolen in 2008 and that Heartland officials didn’t figure out what was going on until mid-January 2009. It disclosed the credit card breach about a week later.
Heartland’s stock price plunged. “Following this disclosure and subsequent disclosures about the possible impact that the thefts might have on Heartland’s business, Heartland’s stock price dropped from more than $15 per share on January 19 to $5.34 per share by February 24,” Thompson wrote. “If measured from its highest price during 2008, Heartland’s stock suffered a total decline in value of almost 80 percent. Plaintiffs, who purchased stock during 2008, suffered significant losses as a result of this decline in value.”
The lawsuit said that Heartland executives lied about what they knew about the attacks in earnings conference calls and in federal SEC filings.
“Plaintiffs contend that when asked about security incidents that occurred in 2007, Defendants concealed the SQL attack. They also contend that Defendants made statements to the effect that Heartland had adequate security systems and that Heartland took the issue of computer network security very seriously,” the judge wrote. “Plaintiffs argue that these statements concerning the general state of security at Heartland are fraudulent because (CEO Robert) Carr and (CFO Robert) Baldwin were aware that Heartland had poor data security and had not remedied the problem.”
The judge discussed the exchange on the Feb. 13, 2008, earnings call. “During the conference call, Carr and Baldwin discussed certain information technology and security expenditures that Heartland made during the last quarter of 2007. These general remarks prompted a couple analysts to ask whether there was any specific security incident that prompted Heartland to make those expenditures, to which Defendants basically answered, ‘No.’ Plaintiffs allege that this was untruthful because it conceals the fact that Heartland suffered the SQL attack.”
December 12th, 2009 at 2:59 pm
As far as I know, the SEC investigation is still underway, and an indictment would certainly see this lawsuit revisited, perhaps in another jurisdiction – either where a plaintiff resides, where a data center is located, or Cal-litigate-afornia, where it is fairly easy to sue anyone.
The judge’s opinion was strong regarding the likelihood that Carr and Baldwin will be sanctioned for misleading statements to investors, but it certainly did not dismiss the notion that material adverse information was deliberately withheld from investors between December of 2007 and January of 2009.
The dismissal also does little to undermine charges of possible insider trading by HPS executives, the crux of the SEC investigation.
And let us not forget that more financial impact from the breach cleanup is to be expected, which already had Heartland backpedaling on their last quarterly earnings statement to the tune of nearly $80M.
The ruling was definitely a victory for Heartland, but potential liabilities still threaten the company’s viability, with their market cap at about $430m.
If Heartland’s liabilities begin to approach the $200m to $250m range, Heartland could likely file for BK. We certainly have not heard the last of this breach.
December 12th, 2009 at 4:50 pm
Anthony is clearly correct that anyone can sue anyone for anything in this country and the SEC can probe almost anything it wants. But whether or not you happen to agree with the federal judge’s decision in this case, her decision was clearly articulate. In other words, she laid out her thinking and evidence for all to see, so observers can judge for themselves whether the ruling has merit.
But I do take slight exception to Anthony’s comment that the judge’s ruling “certainly did not dismiss the notion that material adverse information was deliberately withheld from investors between December of 2007 and January of 2009.” Actually, it did indeed dismiss that. That was the basis of her ruling, that she saw no material information deliberately withheld from anybody. You can certainly disagree with her conclusion but you can’t say that she didn’t dismiss that scenario. She clearly did.
December 12th, 2009 at 5:06 pm
Very true – and I should clarify by saying that given the outcome of the SEC investigation, Heartland executives could very well face a charge of withholding material information both criminally and in civil litigation.
The judge’s decision is not based on all the facts and information that may be available after the SEC weighs in, but is based on the facts and arguments presented in the plaintiffs’ complaint, which was dismissed.
And a dismissal is not an acquittal. It does not necessarily reflect on the validity of the allegations per se, as much as it is a ruling on the validity of the complaint as filed.
I would not rule anything out yet.
December 12th, 2009 at 10:49 pm
It’s absolutely fair to say that an SEC probe could easily be aware of things that a civil lawsuit judge may not.
But, to be fair, a dismissal in a federal civil lawsuit is more significant than you’re suggesting. It either indicates a lack of validity to the complaint or VERY bad counsel filing that complaint. The threshold to have a civil lawsuit proceed to trial is quite low in the U.S., and I’ve covered enough ludicrous civil trials to know that all too well.
For a judge–especially a federal judge–to dismiss a lawsuit, the judge pretty much has to conclude that the accusations and support points made are absolutely without merit. In this instance, the complaint didn’t even support its own accusations. It’s not like the plaintiffs accused Heartland of XXXX and Heartland disputed it with documents or a witness. The judge looked at the plaintiff’s own claims and concluded that they weren’t making a good enough case to even go to trial.
Again, Anthony, I’m agreeing with you that an SEC probe could go in a different direction, but let’s not make light of a federal judge ordering a complete dismissal with prejudice. That’s not something that happens every day.
December 13th, 2009 at 12:04 am
Agreed!