This is page 3 of:
Heartland Lawsuit Dismissed, “Insufficient Evidence” Of Weak Security
Thompson also ruled that a retailer can say it has strong security without meaning that it is invulnerable to any attack. “The fact that a company has suffered a security breach does not demonstrate that the company did not ‘place significant emphasis on maintaining a high level of security.’ It is equally plausible that Heartland did place a high emphasis on security but that the Company’s security systems were nonetheless overcome. In fact, given all the money that Heartland spent on security in late 2007 and the fact that Heartland did take steps to fix its security after the SQL breach, the latter explanation seems much more plausible,” she wrote. “The fact that a company faces certain security problems does not of itself suggest that the company does not value data security.”
The investor plaintiffs also argued that the testimony of multiple Heartland employees stating that Heartland had cut far too many security corners was insufficient. “One former employee’s opinion that Heartland did not do everything it could have done to address the security breach does not render the statement ‘We place significant emphasis on maintaining a high level of security’ false. Furthermore, the cautionary statements in the Form 10-K—warning of the possibility of a breach and the consequences of such a breach—make clear that Heartland was not claiming that its security system was invulnerable,” the judge ruled. “The facts alleged in the complaint do not support an inference that Heartland did not make serious efforts to protect its computer network from security breaches. Furthermore, the 10-K did not make any statements to the effect that the company’s network was immune from security breaches or that no security breach had ever occurred. Therefore, the statements in the 10-K were not false or misleading.”
She added: “According to the Complaint, the only people at Heartland who believed that the company had not adequately addressed the SQL attack were the former Senior Developer quoted above, another Senior Developer named George Duke and a former Business Analyst. Furthermore, none of these people is alleged to have expressed any reservations about security until after the credit card theft was discovered in January 2009. This after-the-fact speculation by a handful of lower level employees does not support the inference that Heartland and its corporate officers were consciously or recklessly dissembling when they stated that the company treated security as one of its central concerns.”
The judge also ruled that Heartland could have disclosed the earlier breach and, had it done so, it could have been considered material information. But Thompson added that the processor had no legal obligation to have done so. “There is no general duty on the part of issuers to disclose every material fact to investors,” she said. “Since (Heartland executives) are not alleged to have made any misleading statements, they never had a duty to disclose the 2007 breach.”
December 12th, 2009 at 2:59 pm
As far as I know, the SEC investigation is still underway, and an indictment would certainly see this lawsuit revisited, perhaps in another jurisdiction – either where a plaintiff resides, where a data center is located, or Cal-litigate-afornia, where it is fairly easy to sue anyone.
The judge’s opinion was strong regarding the likelihood that Carr and Baldwin will be sanctioned for misleading statements to investors, but it certainly did not dismiss the notion that material adverse information was deliberately withheld from investors between December of 2007 and January of 2009.
The dismissal also does little to undermine charges of possible insider trading by HPS executives, the crux of the SEC investigation.
And let us not forget that more financial impact from the breach cleanup is to be expected, which already had Heartland backpedaling on their last quarterly earnings statement to the tune of nearly $80M.
The ruling was definitely a victory for Heartland, but potential liabilities still threaten the company’s viability, with their market cap at about $430m.
If Heartland’s liabilities begin to approach the $200m to $250m range, Heartland could likely file for BK. We certainly have not heard the last of this breach.
December 12th, 2009 at 4:50 pm
Anthony is clearly correct that anyone can sue anyone for anything in this country and the SEC can probe almost anything it wants. But whether or not you happen to agree with the federal judge’s decision in this case, her decision was clearly articulate. In other words, she laid out her thinking and evidence for all to see, so observers can judge for themselves whether the ruling has merit.
But I do take slight exception to Anthony’s comment that the judge’s ruling “certainly did not dismiss the notion that material adverse information was deliberately withheld from investors between December of 2007 and January of 2009.” Actually, it did indeed dismiss that. That was the basis of her ruling, that she saw no material information deliberately withheld from anybody. You can certainly disagree with her conclusion but you can’t say that she didn’t dismiss that scenario. She clearly did.
December 12th, 2009 at 5:06 pm
Very true – and I should clarify by saying that given the outcome of the SEC investigation, Heartland executives could very well face a charge of withholding material information both criminally and in civil litigation.
The judge’s decision is not based on all the facts and information that may be available after the SEC weighs in, but is based on the facts and arguments presented in the plaintiffs’ complaint, which was dismissed.
And a dismissal is not an acquittal. It does not necessarily reflect on the validity of the allegations per se, as much as it is a ruling on the validity of the complaint as filed.
I would not rule anything out yet.
December 12th, 2009 at 10:49 pm
It’s absolutely fair to say that an SEC probe could easily be aware of things that a civil lawsuit judge may not.
But, to be fair, a dismissal in a federal civil lawsuit is more significant than you’re suggesting. It either indicates a lack of validity to the complaint or VERY bad counsel filing that complaint. The threshold to have a civil lawsuit proceed to trial is quite low in the U.S., and I’ve covered enough ludicrous civil trials to know that all too well.
For a judge–especially a federal judge–to dismiss a lawsuit, the judge pretty much has to conclude that the accusations and support points made are absolutely without merit. In this instance, the complaint didn’t even support its own accusations. It’s not like the plaintiffs accused Heartland of XXXX and Heartland disputed it with documents or a witness. The judge looked at the plaintiff’s own claims and concluded that they weren’t making a good enough case to even go to trial.
Again, Anthony, I’m agreeing with you that an SEC probe could go in a different direction, but let’s not make light of a federal judge ordering a complete dismissal with prejudice. That’s not something that happens every day.
December 13th, 2009 at 12:04 am
Agreed!