In a legal settlement over its 2008 security breach, Heartland Payment Systems has agreed to pay up to $41.4 million to MasterCard Worldwide and its card issuers to repay operational costs and fraud losses attributed to the breach.
The article does not state whether this amount is included in the $139 million Heartland said it had set aside in a recent SEC filing. Given how recent the filing was, I would think so. As I posted earlier this month, $139 million is a far cry from the initial expected cost of $12 million.
Computerworld is reporting that Heartland Payment Systems' recent quarterly financial filing revealed that the credit card payment processor's expenses related to their 2008 breach of 130 million credit cards have risen to $139.4 million.
This is a far cry from the $12 million CEO Bob Carr said was the appropriate amount to set aside in December 2009 when he settled with American Express for $3.6 million. In January 2010, just one month later, Heartland settled for $60 million with Visa.
The Computerworld article also reports that a recent Ponemon Institute study puts the average cost of a security breach in the U.S. at $6.75 million, up from the prior year. The average cost per compromised record is $204.
First, without intending to invalidate, or even question, the results of this study, I would like to point out that it was sponsored by PGP Corporation (which is being acquired by Symantec).
Second, I am not a big fan of averages. See The Flaw of Averages by Sam Savage of Stanford. The point is that you cannot plan for the cost of a breach by using the average: breach costs are heavily skewed, so most incidents cost far less than the mean while a few cost many times more, and a reserve set at the average will be badly short exactly when it matters. Heartland's costs make the point.
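To make the "flaw of averages" argument concrete, here is an added Python example (not code from the original post, and not based on the Ponemon data). It uses a constructed, hypothetical lognormal breach-cost model, with an assumed median of $1 million and an assumed tail parameter, simulates many breaches, and compares the mean with the median and upper percentiles. It also reports how often a reserve set at the mean would be exceeded and by how much. All parameter values are illustrative assumptions; only the shape of the result (mean well above median, a small fraction of breaches blowing far past any mean-based reserve) is the point.

```python
import math
import random
from statistics import mean, median

# Constructed, hypothetical breach-cost model (assumption, not study data):
# costs are lognormal, so most breaches are modest and a few are enormous.
MU = math.log(1_000_000)   # assumed median breach cost of $1M
SIGMA = 1.5                # assumed spread; larger means a heavier right tail


def analytic_stats(mu, sigma):
    """Closed-form median and mean of a lognormal(mu, sigma) distribution.

    The mean exceeds the median by the factor exp(sigma^2 / 2), which is
    the whole reason an 'average breach cost' misleads a budget.
    """
    return {
        "median": math.exp(mu),
        "mean": math.exp(mu + sigma ** 2 / 2),
    }


def simulate_costs(n, mu=MU, sigma=SIGMA, seed=2010):
    """Draw n independent breach costs from the constructed model.

    Seeded so that repeated runs produce the same sample.
    """
    rng = random.Random(seed)
    return [rng.lognormvariate(mu, sigma) for _ in range(n)]


def percentile(values, p):
    """Nearest-rank percentile for 0 < p <= 1 (no interpolation)."""
    ordered = sorted(values)
    rank = max(1, math.ceil(p * len(ordered)))
    return ordered[rank - 1]


def budget_shortfall(costs, reserve):
    """How a fixed reserve fares against the simulated breaches.

    Returns the fraction of breaches that exceed the reserve and the
    worst single overrun expressed as a multiple of the reserve.
    """
    over = [c for c in costs if c > reserve]
    return {
        "fraction_over": len(over) / len(costs),
        "worst_multiple": max(costs) / reserve,
    }


if __name__ == "__main__":
    costs = simulate_costs(20_000)
    avg = mean(costs)
    print("analytic:", analytic_stats(MU, SIGMA))
    print(f"sample mean ${avg:,.0f}  median ${median(costs):,.0f}")
    print(f"p90 ${percentile(costs, 0.90):,.0f}  p99 ${percentile(costs, 0.99):,.0f}")
    # Reserving at the mean still leaves a meaningful share of breaches
    # uncovered, and the worst case is many multiples of the reserve.
    print("reserve at mean:", budget_shortfall(costs, reserve=avg))
    print("reserve at p99: ", budget_shortfall(costs, reserve=percentile(costs, 0.99)))
```

The useful check is the last two lines of output: with a skewed distribution, a reserve equal to the mean is exceeded by roughly a fifth to a quarter of breaches, while reserving at a high percentile is what actually bounds the tail. Swap in your own cost distribution if you have one; the functions do not depend on the lognormal assumption.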
Hacker mastermind Albert Gonzalez was sentenced Thursday in U.S. District Court to two concurrent 20-year stints in prison for his role in what prosecutors called the "unparalleled" theft of millions of credit card numbers from major U.S. retailers.
The retailers that suffered breaches were TJX, OfficeMax, DSW, and Dave & Buster's. Gonzalez was also involved in the well-known breaches at Heartland Payment Systems, Hannaford Supermarkets and the 7-Eleven chain.
I applaud the stiff sentence, but I don't think this will have much effect on reducing cyber crime for two reasons:
The percentage of cyber criminals who are caught is very low.
Much of the activity now is coming from parts of the world where getting cooperation from local governments is difficult. In fact, some believe the governments are abetting the criminals.
Heartland Payment Systems has agreed to pay up to $60 million to Visa and Visa issuing banks for its 2008 breach of data on over 130 million credit cards. The press release offers very little in the way of details and simply says, "Visa will present the details of the settlement in coming days."
A key question is whether this settlement includes the issuing banks' costs for reissuing cards or just losses due to actual card fraud directly related to the illegal use of the stolen card data.
Recently, card-issuing credit unions and their insurer lost the lawsuit they filed against BJ's and its acquiring bank, Fifth Third, for losses they incurred as a result of BJ's 2004 breach. The key difference with this settlement is that Visa was directly involved in the negotiations. If Visa were to terminate Heartland's Visa card processing contract, it could be an existential blow to Heartland.
The amount of this settlement blows well past the $12 million CEO Bob Carr said Heartland set aside when he announced the $3.6 million settlement with American Express. Of course, it may be years before we know (if we ever find out) exactly how much Heartland actually has to pay.
ReadWriteEnterprise is reporting via The Hill, that "the Federal Trade Commission (FTC) has opened an investigation into the privacy and security implications of cloud computing."
Given the FTC's aggressive Red Flags Rule program, I would not be surprised if more regulations are forthcoming. By the way, after many delays, the Red Flags Rule is scheduled to go into effect on June 1, 2010.
In mid-December, the Massachusetts Supreme Judicial Court affirmed the earlier dismissal of the case against BJ's Wholesale Club and its acquiring bank, filed by card-issuing credit unions and their insurer for expenses incurred as a result of BJ's 2004 breach. Articles here, here, and here review the details.
The key to the dismissal of the lawsuit was the clause in the contract between BJ's and Fifth Third Bank, BJ's acquiring bank, which said, “This agreement is for the benefit of, and may be enforced only by, (Fifth Third) and (BJ’s) … and is not for the benefit of, and may not be enforced by, any third party.”
The court is saying that the two parties to this agreement (the merchant and its acquiring bank), even though the court well understands the agreement to be one piece of an overall process (credit card transactions) that necessarily involves two other specific parties (the card-issuing banks and their customers, the cardholders), can simply agree that the benefit of their agreement does not extend to those other two parties.
The opinion goes on to say (page 17) that the plaintiffs could have filed claims against Visa and MasterCard. The implication is that they did not. Why not? Perhaps the issuing banks were concerned that Visa and MasterCard would revoke their contracts to issue credit cards, a far greater loss of fees than the expenses they incurred as a result of the breach.
Or perhaps there is an understanding among issuing banks that in the case of a breach at a merchant, they are liable for their own breach-related expenses. In fact, CUMIS Insurance Society, a plaintiff in the lawsuit, insured these credit unions against losses due to fraudulent transactions.
Clearly these issuing banks bought insurance because they understood their risk and shifted it to the insurance company. Unfortunately for them, they only insured against fraudulent transactions, not the replacement of cards of customers whose credit card information was breached.
Furthermore, page 23 of the opinion states, "they [plaintiffs] continue to participate as issuers in the Visa and MasterCard system and to rely on the regulations [Visa's and MasterCard's] because the system is 99.94 per cent effective." And of course, they buy insurance to cover fraudulent transactions.
In summary, it appears that this judgment and the other similar judgments in similar cases make sense because the losses to credit card issuers and insurance companies are just part of the cost of doing business. Of course the banks and credit unions could get out of the credit card business if their losses become too high. Regarding CUMIS, if it feels its losses are too high, it can either raise its rates or exit the fraudulent credit card transaction insurance market. The bottom line is that the system is working.
Let the payments begin. Heartland Payment Systems settled the lawsuit brought by American Express due to Heartland's 2008 breach of 130 million credit cards (which I wrote about here) for $3.6 million. There are still many more lawsuits outstanding including Visa and MasterCard which no doubt represent the majority of the credit cards stolen.
The article quotes Heartland CEO Bob Carr as saying that Heartland "has set aside $12.6 million to charges related to the hack." I find this number to be a gross underestimate, considering that TJX believes its breach will cost $250 million, as reported here, here, and here.
The first adjudicated lawsuit against the executives of Heartland Payment Systems went in favor of the defense.
As I am sure you are aware, Heartland Payment Systems is embroiled in countless lawsuits as a result of the disclosure it had to make in January 2009 of a breach of over 130 million credit card numbers. It is considered the largest breach of credit card data in history.
A class action shareholder lawsuit filed against the executives of Heartland was dismissed earlier this month by Judge Anne Thompson of the U.S. District Court for the District of New Jersey, on the basis that the executives' statements that they took security seriously were not shown to be false. Here is the actual opinion.
Gene Schultz weighed in with a thoughtful opinion here.
While I am no lawyer, it seems to me that this lawsuit was very narrowly focused, and based on my reading of the opinion it is hard to see how the judge could have found for the plaintiffs.
A lawsuit that would bring out the emails and memos associated with a variety of compliance and security decisions made by the Heartland executives would be more interesting.
Computerworld reported last week that a judge in Illinois ruled that a couple who lost $26,500 when their bank account was breached can sue the bank for negligence for not implementing "state-of-the-art" security measures which would have prevented the breach.
While bank credit card issuers have been suing credit card processors and retailers regularly to recoup losses due to breaches, this is the first time that I am aware of that a judge has ruled that a customer can sue the bank for negligence.
The more detailed blog post by attorney David Johnson, upon which the Computerworld article is based, discusses some really interesting details of this case.
The plaintiffs sued Citizens Financial Bank for negligence because it had not implemented multifactor authentication. The timeline is important here. The Federal Financial Institutions Examination Council (FFIEC) issued its multifactor authentication guidance in 2005. By 2007, when the plaintiffs' account was compromised, the bank had still not implemented multifactor authentication. The judge, Rebecca Pallmeyer of the U.S. District Court for the Northern District of Illinois, found this two-year delay unacceptable.
Two interesting complications: (1) The account from which the money was stolen was a home equity line of credit, not a deposit or consumer asset account. (2) That credit account was linked to the plaintiffs' business checking account. I discussed the differences between consumer and business account liability here. Fortunately for the plaintiffs, the judge brushed these issues aside and focused on the lack of multifactor authentication.
One issue that was not addressed: where was Fiserv in all of this? They are the provider of the online banking software used by Citizens Financial Bank. Were they offering some type of multifactor authentication? I would assume yes, although I have not been able to confirm this.
In conclusion, attorney David Johnson makes clear that this ruling increases the legal risk to banks (and possibly to other organizations responsible for protecting money or other assets of value) that do not implement state-of-the-art security measures.