Privacy & Cybersecurity Law Blog

The court in In re Heartland Payment Systems, Inc. Securities Litigation, Civ. No. 09-1043 (D. N.J. Dec. 12, 2009) recently dismissed a class action lawsuit brought by investors in Heartland, a processor of payment card transactions whose stock value dropped significantly after it suffered a data security breach in which hackers allegedly stole 130 million payment card numbers.  The plaintiffs argued that Heartland’s statements to the effect that it had adequate security systems and that it took the issue of computer network security very seriously were fraudulent because Heartland knew it had poor data security and failed to remedy critical problems soon enough to prevent the theft.

According to the complaint, in December 2007, a group of hackers now under criminal indictment launched an attack on Heartland’s network, injecting malicious code into Heartland’s computers.  Heartland allegedly discovered this injection of malicious code and took remedial steps that failed to fully eradicate the threat.  Later, in 2008, the hackers used the injected code to steal millions of payment card numbers.  Heartland did not discover the theft until January 2009.

The plaintiffs argued that Heartland had made various representations to investors that it maintained sufficient security to prevent such hacking.  For example, Heartland’s 2007 Annual Report discussed the company’s network security situation stating that Heartland “place[d] significant emphasis on maintaining a high level of security” and maintained a network configuration that “provides multiple layers of security to isolate our databases from unauthorized access.”

The court disagreed with the plaintiffs’ claim that these statements were untruthful, holding that “there is nothing inconsistent between Defendants’ statements and the fact that Heartland had suffered an … attack.”  The court explained that “[t]he fact that a company has suffered a security breach does not demonstrate that the company did not ‘place significant emphasis on maintaining a high level of security,’” because “[i]t is equally plausible that Heartland did place a high emphasis on security but that the Company’s security systems were nonetheless overcome.”

With respect to a former Heartland IT employee’s statement that Heartland should have taken various additional steps to secure its network following the 2007 attack, the court found that “one former employee’s opinion that Heartland did not do everything it could have done to address the security breach does not render the statement ‘We place significant emphasis on maintaining a high level of security’ false.”

In the end, the court dismissed the complaint against Heartland with prejudice, finding that, because the company “did not make any statements to the effect that the company’s network was immune from security breaches or that no security breach had ever occurred, …the statements in the 10-K were not false or misleading.”