Can Business Partners Recover Damages After a Data Breach?
How to evaluate the potential costs and benefits of attempting to pursue recovery.
Recent federal court decisions in data breach cases signal that parties affected by a data breach may find it difficult to recover damages. In our Aug. 2014 column, we focused on some of the challenges that consumers face when asserting data breach claims. This month, we turn our attention to business partners affected by a data breach.
The Heartland Payment Systems data breach litigation aptly demonstrates some of the difficulties that business partners of a breached company may face when seeking to recover damages incurred as a result of the breach.
Heartland Payment Systems Inc. (Heartland) is a processor of payment-card transactions. In January 2009, Heartland publicly disclosed that hackers had breached its computer systems and obtained access to confidential payment card information for over 100 million customers, resulting in consumers and financial institutions filing suits across the nation. The cases proceeded on two tracks: one for consumer plaintiffs and one for financial institution plaintiffs. The financial institution plaintiffs included nine issuer banks (banks that provide credit to consumers and issue payment cards). The defendants were Heartland and two acquirer banks (banks that contracted with the merchants to process their transactions).
The financial institution plaintiffs sought damages resulting from the significant expenses that they incurred to replace payment cards and reimburse fraudulent transactions. They alleged that the data breach occurred because of Heartland’s failure to follow PCI-DSS security standards. Heartland’s contracts with the acquirer banks required Heartland to comply with such standards, as incorporated into applicable Visa and MasterCard network regulations. The financial institution plaintiffs alleged claims for breach of contract as well as tort-based claims for negligence, negligent and intentional misrepresentation, and violations of various states’ fraud and consumer protection statutes.
Where a direct contract exists between a breached company and its business partner, issues such as standing and the right to performance of obligations under the contract should present little challenge from a pleading standpoint. Difficulties may arise, however, for a plaintiff that has no direct contract with the breached company but, nonetheless, seeks to assert contract-based claims.
In Heartland, the financial institution plaintiffs did not have direct contracts with Heartland on which to rely. Therefore, they argued either that they were intended third-party beneficiaries of the contracts between Heartland and other entities (the acquirer banks, the merchants, and Visa and MasterCard), or that such contracts created implied agreements between them and Heartland.
The contract claims presented several hurdles to the financial institution plaintiffs. Because they had no direct contract of their own with Heartland, they were forced to rely upon other parties’ contracts, which included choice-of-law provisions that called for the application of multiple states’ laws. Many of those laws were not particularly favorable to the financial institution plaintiffs as alleged third-party beneficiaries. The end result was a dismissal of most of the financial institution plaintiffs’ contract claims.
Additionally, some of the contracts contained unfavorable provisions limiting Heartland’s liability. One contract, for example, limited Heartland’s liability to correcting data in which errors were caused. Presumably, that would preclude liability associated with hackers’ improper access to accurate data.
Moreover, the financial institution plaintiffs were forced to deal with damages limitation provisions. One particular contract excluded consequential damages absent a willful breach of the contract; thus, the financial institution plaintiffs faced the double-edged sword of arguing in favor of a contract that had the potential to significantly limit their ability to recover damages. The excluded damages would be essentially all of the damages the financial institution plaintiffs sought to recover, unless they could accomplish the difficult task of proving a “willful breach.”
The financial institution plaintiffs’ tort claims fared no better in Heartland. The financial institution plaintiffs alleged that Heartland’s breach of the following duties caused them to incur damages: (1) a duty to exercise reasonable care in safeguarding and protecting payment card information from being compromised or stolen; (2) a duty to put into place internal policies and procedures designed to detect and prevent the unauthorized dissemination of plaintiffs’ customers’ sensitive financial information; and (3) a duty to timely disclose to plaintiffs’ customers that the breach occurred and their sensitive financial information may have been compromised.
The federal district court rejected these theories, relying on the economic loss doctrine and plaintiffs’ ability to pursue breach-related relief under card network regulations and the private dispute resolution systems contained therein. The court would not permit tort claims seeking reimbursement of economic losses to serve as a substitute for the numerous contractual arrangements between card network members (the network of contracts, if you will). On appeal, the district court’s reliance on the economic loss doctrine was overturned. Under applicable New Jersey state law, the appellate court applied an exception to the economic loss rule under which New Jersey permits tort claims for economic losses by identifiable classes of plaintiffs that foreseeably would suffer such losses, particularly when no other avenue of recovery may exist.
Financial institution plaintiffs also asserted fraud and misrepresentation claims based, in large part, on statements made by Heartland in SEC filings, in analyst calls, on its logo, and on its website that suggested Heartland’s security measures were better than they actually were. The court rejected any contention by financial institution plaintiffs that Heartland’s statements and conduct amounted to a guarantee of absolute data security on which they relied.
Somewhat surprisingly, the court also deemed the following statements to be puffery or otherwise not actionable representations: “The highest standards”; “The most trusted transactions”; “Layers of state-of-the-art security, technology, and techniques to safeguard sensitive credit and debit card account information”; and “The premier technology processing platform in the industry.” Finally, the court found Heartland’s alleged post-breach representations immaterial because such representations could not have been material to the banks’ and merchants’ decisions to contract with Heartland.
On the other hand, the following statements by Heartland constituted factual representations that could have supported a claim for negligent misrepresentation, if pled properly:
- “We maintain current updates of network and operating system security releases and virus definitions, and have engaged a third party to regularly test our systems for vulnerability to unauthorized access.”
- “We encrypt the cardholder numbers that are stored in our databases using triple-DES protocols, which represent the highest commercially available standard for encryption.”
- “[Heartland’s] exchange has passed an independent verification process validating compliance with Visa requirements for data security.”
Finally, financial institution plaintiffs also asserted numerous claims under various state consumer protection and deceptive and unfair trade practices statutes. Even to the extent some of these statutes had been interpreted under state law as potentially offering protections to sophisticated financial institutions, the Heartland court dismissed most of these claims for pleading-related deficiencies, although it did so without prejudice and with leave to amend. Therefore, plaintiffs were left with few of the claims with which they started.
When faced with losses as a result of another company’s data breach, business partners must carefully evaluate the potential costs and benefits of attempting to pursue recovery via formal litigation, especially where direct contractual privity is lacking. Absent specific contractual provisions on which to rely for recovery, business partners should expect to face a number of challenges to whatever claims they attempt to assert.