You Have To Have Heart(land)

September 10, 2013 at 7:07 am Leave a comment

Last I talked about the Heartland litigation, it was to bemoan the dismissal of the lawsuit which a group of credit unions and banks brought against the payment processor after hackers were able to pull off one of the biggest data thefts in history.  Recently, the Court of Appeals for the Fifth Circuit revived the lawsuit, or at least put it back on life support.  It is allowing financial institutions to go forward with their claim that Heartland should be responsible for the extent to which its negligence in protecting the data cost financial institutions money.  While it is far from clear that the case will ultimately result in a settlement — it could still be dismissed on other grounds — the ruling demonstrates a common sense approach that can be taken to holding merchants and the parties with whom they contract to process their payments accountable.  The credit union industry has a huge stake in ensuring that this actually comes to fruition.

Contrary to popular belief, the law restricts negligence actions that one company can bring against another company for causing purely economic harm, although this varies widely depending on the state in which you live.  The basic idea is that companies should protect themselves from other companies’ misdeeds with well drafted contracts that specify each others obligations and the damages that will be paid when one party fails to live up to them.  The problem is that given how interconnected today’s economy is, there are an increasing number of actions taken by a company in one state that could cause foreseeable harm to a business in another even though they have no contractual relationship.  For example, your credit union never had a contract with Heartland.  But as a result of their data breach, your credit union may have been on the hook for the cost of replacing the compromised debit and credit cards, not to mention the indirect cost of being the public face of a problem for which you aren’t responsible.

The Heartland case is going forward because the court ruled that, in a narrow set of circumstances, New Jersey law permits companies to bring claims for purely economic loss suffered by one company as the result of another’s actions even without a contract.  What we need is a national law that authorizes causes of action against merchants and payment processors for the foreseeable damages they caused as a result of their negligent handling of personal data such as debit and credit card information.  This is the only way to ensure that merchants have some skin in the game when it comes to making the investments necessary to protect against data theft.  Right now, if I was a merchant the cost-benefit analysis would lead me to conclude that data theft is something for the other guy to worry about.

Well, we are the other guy and I hope that credit unions and banks can jointly push for common sense reforms that put the cost and obligation of preventing data breaches on the parties most responsible for them.  Right now, that simply isn’t the case.

Entry filed under: Advocacy, Legal Watch. Tags: , , , .

The Words NCUA Won’t Let You Say FHA Insurance Creating “Subprime” Loans

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Trackback this post  |  Subscribe to the comments via RSS Feed


Authored By:

Henry Meier, Esq., General Counsel, New York Credit Union Association.

The views Henry expresses are Henry’s alone and do not necessarily reflect the views of the Association.

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 445 other followers

Archives