Fifth Circuit Allows Card Issuers to Sue Payment Processor for Negligence After Data Breach Caused Economic Losses

Published On September 10, 2013 | By Dan Sachs | Data Security, General, Litigation
TwitterLinkedInFacebookRedditCopy LinkEmailPrint

CREDITCARDSIn a September 3 ruling, the Fifth Circuit overruled a district court and held that  New Jersey’s version of the “economic loss doctrine” permits a card issuer to sue a payment processor for negligence when a data breach causes solely economic harm to the issuer.  Lone Star Nat’l Bank v. Heartland Payment Systems, No. 12-20648 (5th Cir. Sept. 3, 2013).

The defendant, Heartland Payment Systems,  processed payments for credit and debit card transactions.  Hackers infiltrated Heartland’s systems and stole payment card information, resulting in economic losses for the card issuers, which had to replace compromised cards and refund fraudulent charges.  Lacking a contractual relationship with Heartland, the issuers brought suit on grounds that Heartland was negligent.

The parties disputed whether Texas or New Jersey law should apply, but both agreed that the “economic loss doctrine,” which generally limits a plaintiff seeking to recover purely economic losses to contractual remedies, would bar the claim in Texas.  In the first go-around, the district court granted Heartland’s motion to dismiss, ruling that the economic loss doctrine also would bar the claim under New Jersey law.  The district court reasoned that the issuers had contracted with Visa and MasterCard for specific remedies in the event of a data breach, and thus could not bring common law tort claims against another entity involved in the transactions.

The Fifth Circuit reversed, holding that the negligence claim was not barred under New Jersey law and  that it was “easily foreseeable” that the card issuers “would be the entities to suffer economic losses were Heartland negligent.”  The court also noted that whether the issuers had compensation remedies for losses caused by Heartland’s negligence under the Visa and MasterCard rules and regulations was not clear.  Without such remedies, barring the claim would “defy[ ] notions of fairness, common sense and morality.”  The court further observed that it was not clear whether Heartland actually had valid contracts with Visa and MasterCard, and even if it did, whether the card issuers had sufficient bargaining power to actually negotiate the allocation of risk in the event of harm caused by Heartland.

The Fifth Circuit remanded the case to the district court for resolution of the choice of law issue and remaining issues on Heartland’s motion to dismiss.

The decision in this case suggests that payment processors should not expect their existing contracts to fully insulate them against tort liability in the event of a data breach—at least in states with an economic loss doctrine similar in scope to New Jersey’s.

 

Enhanced by Zemanta

About The Author

Dan Sachs, ZwillGen’s inaugural Fellow, assists ZwillGen attorneys on a broad range of matters, including litigation, investigations, product counseling, regulatory compliance, and policy. Prior to joining the firm, Dan worked at Facebook, where he assisted the Chief Privacy Officer for Policy in responding to federal, state, and international policy developments, engaging with regulators and stakeholders, and advising business units on privacy issues. During law school, Dan was a member of the George Washington Law Review and served as a research assistant to Professor Jeffrey Rosen, focusing on U.S. and international consumer privacy and surveillance issues. He was a legal intern with ZwillGen in the summer of 2012. Dan also worked as a legal intern with the U.S. Attorney’s Office for the District of Columbia.

Leave a Reply

Your email address will not be published. Required fields are marked *