In re Heartland Payment Sys., Inc.

• Decision Date: 01 December 2011
• Docket Number: MDL No. 09–2046.
• Parties: In re: HEARTLAND PAYMENT SYSTEMS, INC. CUSTOMER DATA SECURITY BREACH LITIGATION. This filing relates to: Financial Institution Track Litigation.
• Court: U.S. District Court — Southern District of Texas

834 F.Supp.2d 566

In re: HEARTLAND PAYMENT SYSTEMS, INC. CUSTOMER DATA SECURITY BREACH LITIGATION. This filing relates to: Financial Institution Track Litigation.

MDL No. 09–2046.

United States District Court,

S.D. Texas,

Houston Division.

Dec. 1, 2011.

MEMORANDUM AND OPINION

LEE H. ROSENTHAL, District Judge.

In January 2009, Heartland Payment Systems, Inc. (“Heartland”) publicly disclosed that hackers had breached its computer systems and obtained access to confidential payment-card information for over one hundred million consumers. Consumers and financial institutions filed suits across the nation. The Judicial Panel on Multidistrict Litigation consolidated those cases before this court. The cases have proceeded on two tracks, one for the Consumer Plaintiffs and one for the Financial Institution Plaintiffs.

The Financial Institution Plaintiffs filed a master complaint asserting causes of action for breach of contract and implied contract, negligence and negligence per se, negligent and intentional misrepresentation, and violations of consumer-protection statutes in New Jersey and other states. (Docket Entry No. 32). Heartland moved to dismiss. (Docket Entry No. 39).¹ After this court dismissed claims filed by some of the Financial Institution Plaintiffs against the banks that contracted with Heartland, (Docket Entry No. 117), the parties supplemented their briefs. (Docket Entry Nos. 122, 124, 127, 131, 133–35).² Based on the master complaint, the motion, the extensive briefing, and the relevant law, this court grants the motion to dismiss in part and denies it in part. The specific rulings are as follows:

(1) The motion to dismiss is granted with prejudice and without leave to amend as to the claims for negligence and for violations of the New Jersey Consumer Fraud Act, the New York consumer protection law, and the Washington Consumer Protection Act.

(2) The motion to dismiss is granted without prejudice and with leave to amend as to the following claims: breach of contract; breach of implied contract; express misrepresentation; negligent misrepresentation based on nondisclosure; and violations of the California Unfair Competition Law, the Colorado Consumer Protection Act, the Illinois Consumer Fraud and Deceptive Business Practices Act, and the Texas Deceptive Trade Practices—Consumer Protection Act.

(3) The motion to dismiss is denied as to the claim brought under the Florida Deceptive and Unfair Trade Practices Act.

The reasons for these rulings are explained in detail below. The Financial Institution Plaintiffs must file an amended complaint no later than December 23, 2011. A status conference is set for January 13, 2012, at 8:30 a.m. in Courtroom 11–B.

I. Background³

Every day, merchants swipe millions of customers' payment cards.⁴ In the seconds that pass between the swipe and approval (or disapproval), the transaction information goes from the point of sale, to an acquirer bank, across the credit-card network, to the issuer bank, and back. Acquirer banks contract with merchants to process their transactions, while issuer banks provide credit to consumers and issue payment cards. The acquirer bank receives the transaction information from the merchant and forwards it over the network to the issuer bank for approval. If the issuer bank approves the transaction, that bank sends money to cover the transaction to the acquirer bank. The acquirer bank then forwards payment to the merchant. A bank often acts as both an issuer and an acquirer. Banks frequently outsource the processing functions to companies specializing in that service.

Visa and MasterCard are two of the largest credit-card networks. They neither issue cards nor contract with merchants to process transactions. Instead, acquirer and issuer banks contract with them for access to the Visa and MasterCard networks. Visa and MasterCard, like the other credit-card networks, impose extensive regulations on acquirer and issuer banks. Visa and MasterCard require the banks they contract with to impose these regulations on the merchants who submit transactions for processing and on the entities that process the transactions.

The Financial Institution Plaintiffs are nine banks suing as issuer banks. Heartland, the defendant, processes merchant transactions on behalf of two acquirer banks, Heartland Bank and KeyBank, N.A.⁵ (Docket Entry No. 42, Exs. 4, 5). Heartland's contracts with KeyBank and Heartland Bank required Heartland to comply with Visa and MasterCard network regulations. ( Id., Ex. 4, ¶ 1.1(f); Ex. 5, ¶ 1.1(f)). To the extent that the terms of Heartland's contracts with these and other banks differed from the Visa and MasterCard regulations, the regulations governed. ( Id., Ex. 4, ¶ 1.1(h); Ex. 5, ¶ 1.1(i)).

Beginning at least as early as December 2007, three hackers—an American, Albert Gonzalez, and two unknown Russians—infiltrated Heartland's computer systems. (Docket Entry No. 32, ¶¶ 35, 63–64). The hackers installed programs that allowed them to capture some of the payment-card information stored on the Heartland computer systems. ( Id., ¶ 65). In late October 2008, Visa alerted Heartland to suspicious account activity. Heartland, with Visa and MasterCard and others, investigated. ( Id., ¶ 35). Heartland discovered suspicious files in its systems on January 12, 2009. A day later, Heartland uncovered the program creating those files. ( Id., ¶ 37). That program provided the hackers with access to data on the systems. ( Id., ¶¶ 41–42). On January 20, Heartland publicly announced the data breach. ( Id., ¶ 38). The hackers obtained payment-card numbers and expiration dates for approximately 130 million accounts. ( Id., ¶ 5). For some of these accounts, the hackers also obtained cardholder names. ( Id., ¶ 44). They did not obtain any cardholder addresses, however, which meant that the stolen card information generally could be used only for in-person transactions. ( Id., ¶ 70).

The Financial Institution Plaintiffs allege that this data breach resulted from Heartland's failure to follow industry security standards known as PCI–DSS. ( See id., ¶¶ 53–62). After the breach, the Financial Institution Plaintiffs incurred significant expenses replacing payment cards and reimbursing fraudulent transactions. ( Id., ¶ 78). The master complaint asserts ten causes of action:

(I) breach of Heartland's contracts with Heartland Bank, KeyBank, and its merchants, to which the Financial Institution Plaintiffs are third-party beneficiaries;

(II) negligence;

(III) breach of an implied contract to the Financial Institution Plaintiffs;

(IV) negligence per se;

(V) negligent misrepresentation;

(VI) intentional misrepresentation;

(VII) violations of the New Jersey Consumer Fraud Act; and

(VIII, IX, and X) violations of other states' consumer-protection laws.

The complaint seeks class certification.

Heartland has moved to dismiss the complaint in its entirety. (Docket Entry No. 39). Its arguments, and the Financial Institution Plaintiffs' responses, are addressed in detail below.

II. Rule 12(b)(6)

A complaint may be dismissed when the plaintiff fails “to state a claim upon which relief can be granted.” Fed. R. Civ. P. 12(b)(6). In Bell Atlantic Corp. v. Twombly, 550 U.S. 544, 555, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007), and Ashcroft v. Iqbal, 556 U.S. 662, 129 S.Ct. 1937, 1949–50, 173 L.Ed.2d 868 (2009), the Supreme Court confirmed that Rule 12(b)(6) must be read in conjunction with Rule 8(a), which requires “a short and plain statement of the claim showing that the pleader is entitled to relief.” Fed. R. Civ. P. 8(a)(2). A complaint must contain “enough facts to state a claim to relief that is plausible on its face” to withstand a Rule 12(b)(6) motion. Iqbal, 129 S.Ct. at 1949. “A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Id. Facial plausibility “does not require ‘detailed factual allegations,’ but it demands more than an unadorned, the-defendant-unlawfully-harmed-me accusation.” Id. (quoting Twombly, 550 U.S. at 555, 127 S.Ct. 1955). Nor is facial plausibility “akin to a ‘probability requirement’ ”; rather, “it asks for more than a sheer possibility that a defendant has acted unlawfully.” Iqbal, 129 S.Ct. at 1949 (quoting Twombly, 550 U.S. at 556, 127 S.Ct. 1955). Facial plausibility requires “the plaintiff [to] plead [ ] factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Iqbal, 129 S.Ct. at 1949. “Where a complaint pleads facts that are ‘merely consistent with’ a defendant's liability, it ‘stops short of the line between possibility and plausibility of entitlement to relief.’ ” Id. (quoting Twombly, 550 U.S. at 557, 127 S.Ct. 1955).

When a plaintiff's complaint fails to state a claim, a district court generally should provide the plaintiff at least one chance to amend the complaint under Rule 15(a) before dismissing the action with prejudice. See Great Plains Trust Co. v. Morgan Stanley Dean Witter & Co., 313 F.3d 305, 329 (5th Cir.2002) (“district courts often afford plaintiffs at least one opportunity to cure pleading deficiencies before dismissing a case”); see also United States ex rel. Adrian v. Regents of the Univ. of Cal., 363 F.3d 398, 403 (5th Cir.2004) (“Leave to amend should be freely given, and outright refusal to grant leave to amend without a justification ... is considered an abuse of discretion.” (internal citation omitted)). “Denial of leave to amend may be warranted for undue delay, bad faith or dilatory motive on the part of the movant, repeated failure to cure deficiencies, undue prejudice to the opposing party, or futility of a proposed amendment.” United States ex rel. Steury v. Cardinal Health, Inc., 625 F.3d 262, 270 (5th Cir.2010) (emphasis added). A district court has broad discretion to dismiss a...