In re Heartland Payment Sys., Inc. Customer Data Sec. Breach Litig.

• Decision Date: 20 March 2012
• Docket Number: MDL No. 09–2046.
• Citation: 851 F.Supp.2d 1040
• Parties: In Re: HEARTLAND PAYMENT SYSTEMS, INC. CUSTOMER DATA SECURITY BREACH LITIGATION. This filing relates to: Consumer Track Litigation.
• Court: U.S. District Court — Southern District of Texas

851 F.Supp.2d 1040

In Re: HEARTLAND PAYMENT SYSTEMS, INC. CUSTOMER DATA SECURITY BREACH LITIGATION. This filing relates to: Consumer Track Litigation.

MDL No. 09–2046.

United States District Court,

S.D. Texas,

Houston Division.

March 20, 2012.

MEMORANDUM AND ORDER

LEE H. ROSENTHAL, District Judge.

This is a consumer class action certified under Federal Rule of Civil Procedure 23(b)(3) for settlement. The class is large—over one hundred million payment-card ¹ holders—and dispersed across the country. Despite a vigorous notice campaign, only eleven valid claims have been filed. Damages are almost entirely in the form of cy pres payments to third-party nonprofit organizations whose work is related to class interests. This opinion addresses settlement-class certification, settlement approval, and attorneys' fees. As part of determining a reasonable fee award, the court discounts the value of the cy pres payments to reflect the fact that the benefit to the class is indirect.

In January 2009, Heartland Payment Systems, Inc. (“Heartland”) publicly disclosed that hackers had breached its computer systems and obtained confidential payment-card information for over one hundred million consumers. ² Lawsuits were filed in state and federal courts across the country. The Judicial Panel on Multidistrict Litigation transferred the federal cases to this court under 28 U.S.C. § 1407. (Docket Entry No. 1). Payment-card holders filed individual lawsuits and class actions, claiming that Heartland had negligently failed to protect their personal financial information from disclosure. Financial institutions that issued cards also sued Heartland, claiming that the data breach caused them to incur damages, including the costs of canceling and replacing payment cards.³ The cases proceeded on two tracks, one for the “Financial Institution Plaintiffs” and one for the “Consumer Plaintiffs.”

In December 2009, the Consumer Plaintiffs and Heartland reached a settlement agreement (“Agreement”). (Docket Entry No. 57). After a hearing, (Docket Entry No. 82), the court in April 2010 certified a nationwide settlement class and approved notice of the Agreement, (Docket Entry No. 85). After an extensive notice campaign, eleven valid claims for losses and one objection have been filed. The Consumer Plaintiffs have moved for final approval of the Agreement, for an award of attorneys' fees, and for incentive awards for certain plaintiffs. (Docket Entry No. 107). The Consumer Plaintiffs filed a supporting memorandum. (Docket Entry No. 108). Heartland filed a memorandum supporting the settlement but taking no position on the fees or incentive awards. (Docket Entry No. 109). The court held a final fairness hearing. (Docket Entry No. 110).

Based on the memoranda in support of the proposed Agreement, the one objection, the parties' arguments at the preliminary and final fairness hearings, the remainder of the record, and the relevant law, this court: (1) reviews its preliminary certification of the settlement class; (2) approves the proposed settlement; (3) approves attorneys' fees in the amount of $606,192.50; (4) approves costs in the amount of $35,000; and (5) denies the proposed incentive awards. The reasons are explained in detail below.

I. The Litigation and Proposed Settlement AgreementA. Background

Heartland is a payment-card processor. It contracts with businesses to process their Visa and MasterCard transactions. The Consumer Plaintiffs are payment-card holders. The factual background can be briefly summarized:

Beginning at least as early as December 2007, three hackers—an American, Albert Gonzalez, and two unknown Russians—infiltrated Heartland's computer systems. The hackers installed programs that allowed them to capture some of the payment-card information stored on the Heartland computer systems. In late October 2008, Visa alerted Heartland to suspicious account activity. Heartland, with Visa and MasterCard and others, investigated. Heartland discovered suspicious files in its systems on January 12, 2009. A day later, Heartland uncovered the program creating those files. That program provided the hackers with access to data on the systems. On January 20, Heartland publicly announced the data breach. The hackers obtained payment-card numbers and expiration dates for approximately 130 million accounts. For some of these accounts, the hackers also obtained cardholder names. They did not obtain any cardholder addresses, however, which meant that the stolen card information generally could be used only for in-person transactions.

Heartland II, 834 F.Supp.2d at 575, 2011 WL 6012598, at *2 (internal citations omitted).

The Consumer Plaintiffs' suits assert claims for negligence, breach of contract, various state statutory violations, and violations of the Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq. (Docket Entry No. 3). Aside from motions relating to appointing class counsel, the only motions filed in the Consumer Plaintiffs track were unopposed motions for extensions of time to file the master complaint. (Docket Entry Nos. 31, 53). The master complaint was to be filed by December 18, 2009. (Docket Entry No. 55). On that date, and before the Consumer Plaintiffs had filed a master complaint, the parties submitted the proposed settlement. (Docket Entry No. 57). No formal discovery occurred. Instead, the parties engaged in what Heartland's counsel termed “confirmatory discovery.” Heartland gave counsel for the Consumer Plaintiffs over 4,000 pages relating to the data breach and allowed counsel to interview Heartland's Chief Technology Officer. (Docket Entry No. 111, at 9–10).

B. The Proposed Settlement Agreement

The proposed settlement binds “all Persons in the United States who had or have a payment card that was used in the UnitedStates between and including December 26, 2007 and December 31, 2008 (the ‘Settlement Class Period’), and who allege or may allege that they have suffered and of the Losses defined herein.” (Docket Entry No. 57, ¶ 1.20). The settlement excludes “Heartland and its officers and directors, and those Persons who timely and validly request exclusion from the Settlement Class.” ( Id.) By remaining in the class, each member gives up the right to bring any action “stemming from the Heartland Intrusion” against Heartland, KeyBank National Association, Heartland Bank, and any “Related Parties” ⁴ of those three entities. ( See id., ¶¶ 1.16–.18).

Within ten days after preliminary court approval, Heartland had to deposit $1 million into an interest-bearing escrow account. That sum was to “be used to reimburse Settlement Class Members who are determined to have submitted Valid Claims[.]” ( Id., ¶ 2.1). If the valid claims exceeded $1 million, Heartland had to deposit into the account an additional $500,000; if that was exhausted, another $500,000; and finally an additional $400,000. ( Id., ¶ 2.1(a)). Heartland had to deposit at least $1 million and at most $2.4 million to fund the settlement. If any unpaid balance remained on the initial $1 million (and interest) after all valid claims were paid, that balance was to “be transferred to a non-profit organization(s) dedicated to the protection of consumers' privacy rights, with emphasis on advancing the implementation of end-to-end encryption of payment card authorization transactions or similar security enhancements.” ( Id., ¶ 2.1(b)).⁵

Under the Agreement, “[a] Valid Claim shall consist of only those ‘Losses' ... that a Settlement Class Member ... proves by a preponderance of the evidence (i.e., more likely than not to be true), to have directly and proximately resulted from information relative to an Eligible Payment Card Account of such Settlement Class Member having been stolen or placed at risk as a result of the Heartland Intrusion[.]” ( Id., ¶ 2.2). The Agreement defines four categories of “Losses”: (1) out-of-pocket expenses from card cancellations or replacements; (2) out-of-pocket expenses from unauthorized and unreimbursed account charges; (3) out-of-pocket expenses from identity theft; and (4) “a reasonable amount for time (calculated at $10 per hour up to five (5) hours)” spent on these three types of losses. ( Id., ¶ 2.2(b)). “Losses” specifically exclude “credit monitoring or insurance costs incurred by Settlement Class Members, attorneys' fees, attorneys' costs or attorneys' expenses incurred by Settlement Class Members, or losses resulting from any information having been stolen or placed at risk of being stolen from an entity other than from Heartland.” ( Id.).

The Agreement also creates a claims process. ( Id., ¶¶ 2.2(c)-(d)). Any claim must be submitted by August 1, 2011. ( Id., ¶ 2.2(c)). Reimbursement is capped at $175 for any valid claim not involving identity theft and at $10,000 for any valid identity-theft claims. Each household is limited to two valid claims. ( Id., ¶ 2.2(b)).

The Agreement requires Heartland to pay, “subject to Court approval,” up to $725,000 for attorneys' fees and up to $35,000 for attorneys' costs and expenses. ( Id., ¶ 7.2). It also requires Heartland to pay, again “subject to Court approval,” incentive awards of $200 to each Representative Consumer Plaintiff and $100 to all other Named Plaintiffs. The Agreement includes the following disclaimer:

The Settling Parties did not discuss attorneys' fees, costs, and expenses, or incentive awards to Representative Consumer Plaintiffs and Named Plaintiffs, as provided for in ¶¶ 7.2 and 7.3, until after the substantive terms of the settlement had been agreed upon, other than that Heartland would pay reasonable attorneys' fees, costs, and expenses, and incentive awards to Representative Consumer Plaintiffs and named Plaintiffs as may be agreed to by Heartland and Co–Lead Settlement Class Counsel, and/or as ordered by the Court, or, in the event of no Agreement, then as ordered by the Court. Heartland and Co–Lead Settlement Class Counsel then negotiated and agreed [to...