In Re: Heartland Payment Systems Inc. Customer Data Security Breach Litigation

Decision Date: 31 March 2011
Docket Number: Civil Action No. H-10-171, MDL No. 2046
Parties: In Re: Heartland Payment Systems, Inc. Customer Data Security Breach Litigation. This filing relates to: FINANCIAL INSTITUTION TRACK LITIGATION. LONE STAR NATIONAL BANK, N.A., et al., Plaintiffs, v. HEARTLAND BANK and KEYBANK, N.A., Defendants.
Court: U.S. District Court — Southern District of Texas


MEMORANDUM AND ORDER

This case arises out of a criminal intrusion into the database of Heartland Payment Systems, which processes credit-card transactions. In January 2009, Heartland Payment Systems discovered that a hacker had penetrated its database and accessed millions of credit-card numbers. The Judicial Panel on Multidistrict Litigation ("JPML") consolidated lawsuits arising out of the breach before this court. The lawsuits are divided into two tracks: one for consumers whose credit-card numbers were accessed and one for the financial institutions that issued the cards. There are two complaints on the financial institution track. One complaint is filed by a number of financial institutions and names Heartland Payment Systems as the defendant. The second complaint names Heartland Bank and KeyBank as the defendants. These two banks hired Heartland Payment Systems to process credit-card transactions for merchants that accepted Visa and MasterCard credit cards. Five of the financial institutions that sued Heartland Payment Systems—Lone Star National Bank, PBC Credit Union, O Bee Credit Union, Seaboard Federal Credit Union, and Pennsylvania State Employees Credit Union (the "Financial Institution Plaintiffs")—assert causes of action against Heartland Bank and KeyBank for breach of contract, breach of fiduciary duty, and negligence, principally based on these defendants' alleged failure to monitor the security of the Heartland Payment Systems database. This Memorandum and Order addresses the Financial Institution Plaintiffs' claims against Heartland Bank and KeyBank.

Heartland Bank has moved to dismiss under Rule 12(b)(6) for failure to state a claim on which relief can be granted and under Rule 12(b)(2) for lack of personal jurisdiction. (Docket Entry No. 26). KeyBank has moved to dismiss under Rule 12(b)(6). (Docket Entry No. 28). The Financial Institution Plaintiffs have responded, (Docket Entry No. 36), and Heartland Bank and KeyBank have replied, (Docket Entry Nos. 39, 40). Based on the record; the motions, response, and replies; and the relevant law, this court grants Heartland Bank's motion to dismiss under Rule 12(b)(2) but concludes that transfer, not dismissal, is the appropriate remedy. This court also grants KeyBank's motion to dismiss under Rule 12(b)(6), with leave to amend as to some, but not all, of the claims. A status conference is set for April 18, 2011, at 8:45 a.m.

The reasons for these rulings are explained below.

I. Background

In January 2010, a major breach of the Heartland Payment Systems database was discovered. Albert Gonzalez and fellow hackers obtained millions of credit-card numbers from the database before Heartland Payment Systems detected and fixed the security problem. Gonzalez was later convicted and is currently serving a prison sentence.

The Financial Institution Plaintiffs are credit-card issuers. They allege that the data breach caused them to incur expenses in the form of fraudulent charges from the stolen credit-card numbers and of the costs to cancel and reissue credit cards. The two defendant banks, Heartland Bank and KeyBank, hired Heartland Payment Systems to process credit-card transactions for merchants that accepted Visa and MasterCard credit cards.

The Visa and MasterCard networks are similar. Issuer banks, such as the Financial Institution Plaintiffs, issue credit cards to consumers. Acquirer banks, such as Heartland Bank and KeyBank, process payments for the merchants who make credit-card sales. When a consumer makes a credit-card purchase, the merchant swipes the card, sending a message to the acquirer bank. The acquirer bank then contacts the issuer bank to determine whether sufficient credit exists in the account. If so, the issuer bank clears the transaction, relays the message to the acquirer bank, which notifies the merchant. On a daily basis, the issuer bank forwards payment to the acquirer bank, which deposits the payment into the merchant's account.

Under Visa and MasterCard network regulations, only an FDIC-regulated financial institution may be an issuer or acquirer bank. (Docket Entry No. 1, ¶ 88). These banks are referred to as "members." A member may act in both issuer and acquirer roles, issuing credit to consumers and processing payments for merchants. Acquirer banks may outsource some of the processing functions to other companies. (Id.). The Visa and MasterCard regulations require acquirer banks that enter into contracts with companies to handle processing functions to include the relevant network regulations in those contracts. (Id., ¶ 27). The regulations, along with FDIC guidance, include security measures to protect the confidentiality of consumers' financial data. (Id.). The Visa and MasterCard regulations also include procedures for issuer banks to claim damages resulting from a data breach and to resolve disputes relating to such a claim.

Visa's "Account Data Compromise Recovery" process allows Visa to determine the money involved in an event compromising an account, collect from the responsible member, and reimburse members who have incurred losses as a result of the event. (Docket Entry No. 28, Ex. B, ¶ 4.1.A). A member may invoke this process if the breach occurs after an event "involving non-compliance with the Payment Card Industry Data Security Standard." (Id.). The regulations set out conditions that Visa members must meet to be reimbursed and detail the process that Visa and its members must follow after a data breach. The regulations state that "[r]eimbursement and collection amounts as determined by Visa U.S.A. are final and not subject to any appeal or other challenge." (Id., ¶ 4.1.H).

The MasterCard regulations provide for similar dispute-resolution procedures in the event of a data breach. (Id., Ex. C). Paragraph 5.10.4, entitled "Account, Cardholder, and Transaction Data Security," states that to recover costs from an unauthorized use of data, a member must show that a fraudulent transaction took place before MasterCard alerted an issuer to the data compromise and must show compliance with other procedures. (Id.). The MasterCard member must show by "clear and convincing evidence" that the damages sought "resulted from" a rule violation. (Id.).

Heartland Bank and KeyBank contracted with Heartland Payment Systems to process Visa and MasterCard credit-card transactions sent to them by participating merchants. (Docket Entry No. 25, Heartland Bank-Heartland Payment Systems Contract (Ex. A to Docket Entry No. 27); Docket Entry No. 29, KeyBank-Heartland Payment Systems Contract (Ex. A to Docket Entry No. 28)). Heartland Bank's contract with Heartland Payment Systems has an effective date of November 1, 2003; KeyBank's contract has an effective date of September 20, 2006. As required by the Visa and MasterCard regulations, each contract requires adherence to the networks' regulations. (Docket Entry No. 25, ¶ 1.1(f); Docket Entry No. 29, ¶ 1.1(f)). The contracts provide that "[i]n the event of any inconsistency between any provision of this Agreement and the by-laws and regulations of Visa and/or MasterCard, the by-laws and regulations of Visa or MasterCard in each instance shall be afforded precedence and shall apply." (Docket Entry No. 25, ¶ 1.1(h); Docket Entry No. 29, ¶ 1.1(h)). The contracts contain a confidentiality provision and require each party to indemnify the other's "affiliates." (Docket Entry No. 25, ¶¶ 4.3, 4.5; Docket Entry No. 29, ¶¶ 4.3, 4.5).

The Financial Institution Plaintiffs contend that Heartland Bank and KeyBank breached their duties under the contracts; breached their fiduciary duties as members of the Visa and MasterCard networks, which they characterize as joint ventures; and acted negligently by failing to ensure that Heartland Payment Systems complied with the Payment Card Industry Data Security Standards. The Financial Institution Plaintiffs also claim that Heartland Bank and KeyBank are vicariously liable for the negligence of Heartland Payment Systems.

KeyBank and Heartland Bank have moved to dismiss. Both defendants argue that the Financial Institution Plaintiffs have failed to state a claim on which relief may be granted, requiring dismissal under Rule 12(b)(6). Heartland Bank has also moved to dismiss under Rule 12(b)(2) for lack of personal jurisdiction. The motions are analyzed below.

II. Heartland Bank's Rule 12(b)(2) Motion
A. Personal Jurisdiction in an MDL Proceeding

Heartland Bank, a Missouri corporation with its principal place of business in Clayton, Missouri, (Docket Entry No. 1, ¶ 21), contends that it is not subject to personal jurisdiction in the Southern District of Texas. The jurisdictional reach of a federal district court is ordinarily limited by the long-arm statutes of the states in which they sit. FED. R. CIV. P. 4(k)(1)(A); uBid, Inc. v. GoDaddy Grp., Inc., 623 F.3d 421, 425 (7th Cir. 2010). The long-arm statutes are, in turn, limited by federal constitutional limits. McFadin v. Gerber, 587 F.3d 753, 759 (5th Cir. 2009). The Supreme Court observed long ago, however, that "Congress could provide for service of process anywhere in the United States." Miss. Pub. Corp. v. Murphree, 326 U.S. 438, 431 (1946). "One such piece of legislation is 28 U.S.C. § 1407, the multidistrict litigation statute." In re "Agent Orange" Prod. Liab. Litig., 818 F.2d 145, 163 (2d Cir. 1985) (citing Murphree, 326 U.S. at 431). A transferee court's jurisdiction over a defendant depends on whether the transferor court had personal jurisdiction. Id.; accord In re Papst Licensing GMBH &...
