TRENTON, N.J. (3/2/09)--Three credit unions have joined two banks in a class action lawsuit against Heartland Payment Systems, the Princeton, N.J., to recoup losses related to Heartland's recent data breach announced Jan. 20. The credit unions are: GECU, a $1.146 billion asset credit union in El Paso, Texas; MidFlorida FCU, a $1.283 billion asset credit union in Lakeland, Fla., and Matadors Community CU, a $123 million asset credit union in Chatsworth, Calif., according to documents filed in court. They join Amalgamated Bank of New York, N.Y., and Farmers State Bank, headquartered in Marcus, Iowa, in the complaint, which was filed Feb. 20 in the U.S. District Court, Trenton, N.J. by Chimicles & Tikellis LLP, Haverford Pa., the lead attorneys in the case. They are seeking to recoup money for the cost of reissuing cards to their members/customers and for their costs related to fraudulent activity stemming from the breach. The five financial institutions said in the complaint they suffered injuries from the Heartland breach. Each had to re-issue "a substantial number of credit and debit cards" to consumers whose accounts were affected by the breach. Each credit union and bank sent a letter to its members/customers informing them that their sensitive financial information was compromised and explaining the circumstances surrounding the breach at Heartland, according to the complaint. In addition, GECU incurred "substantial out-of-pocket expenses as a result of re-issuing these cards, and has received complaints from numerous members about the incident," said the document. Matadors Community CU also incurred expenses "caused by the actual misuse of sensitive financial information that was compromised" in the breach. In seeking the class action, the complaint noted that the class "consists of thousands of members dispersed across the U.S." The suit alleges that Heartland:
* Was negligent in exercising reasonable care in safeguarding and protecting the information from being compromised or stolen; that it had a duty to timely disclose the breach instead of shifting the disclosure obligation to the affect consumers of the financial institutions; and had a duty to have procedures in place to detect and prevent dissemination of sensitive information. * Breached contracts to which the financial institutions and their member/customers were third-party beneficiaries by not complying with Visa and MasterCard's operating regulations and bylaws, which set minimum standards for credit card transaction processors such as Heartland. * Breached an implied contract where the plaintiff financial institutions and their member/customers were required to provide Heartland with sensitive financial information so Heartland could provide services on their behalf. * Violated the New Jersey Consumer Fraud Act by making false and misleading statements and omissions concerning the measures it took to safeguard the sensitive information. * Engaged in negligence per se by failing to meet the minimum duty required to comply with card companies PCI standards, which requires having adequate controls in place for preventing, detecting and responding to system intrusions. * Made false communications of material fact concerning its security systems and the measures it was taking to protect the sensitive information.
Of the more than 560 financial institutions that have reported so far to Bank Information Security
that they have been impacted by the Heartland breach, 178 are credit unions. Use the resource links for more information.