NEW ORLEANS – The U.S. Court of Appeals for the Fifth Circuit sent a case concerning a group of banks that sued a third-party payment company over a breach of information by hackers back to district court.
Lone Star National Bank NA, Amalgamated Bank, First Bankers Trust Company National Association, Pennsylvania State Employees Credit Union, Elevations Credit Union, O Bee Credit Union and Seaboard Federal Credit Union originally filed suit against Heartland Payment Systems Inc., alleging that a data breach caused confidential information belonging to the customers of the plaintiff banks to be exposed, thus causing the plaintiff banks to incur the associated costs.
In the original filing, the banks allege they incurred costs associated with replacing cards and reimbursing customers after the customers’ personal data was breached. The banks have contracts with Visa and MasterCard that allowed them to issue credit and debit cards to their customers. Heartland contracted with other banks within the Visa and MasterCard network, and these contracts required Heartland to comply with regulations that contain mechanisms for Visa and MasterCard network members to recoup losses in the event of a data breach.
The banks and Heartland, therefore, have no direct contract with one another, though the plaintiff banks alleged contract claims as third-party beneficiaries of Heartland’s contracts with other entities. The banks also accused Heartland of negligence.
In the initial case, the parties disputed whether Texas or New Jersey law governed, and therefore whether or not the economic loss doctrine would be applicable. The district court dismissed the plaintiffs' assertion that even under New Jersey law, the economic loss doctrine would bar the negligence claim. Further, the district court decided that by entering into a web of contractual relationships, the plaintiff banks contracted for specific remedies and could not bring common law tort claims against another participant in the same network.
The case was then taken to the appeals court which reversed and remanded the case on Sept. 3. The Fifth Circuit held that the economic loss doctrine under New Jersey law does not preclude the negligence claim, because the plaintiff banks constitute an “identifiable class.”
Heartland, then, had reason to foresee that the plaintiff banks would be the entities to suffer economic losses resulting from their negligence, and Heartland would not be exposed to “boundless liability,” but rather to the reasonable amount of loss from a limited number of entities. The Court further ruled that even absent physical harm, Heartland may owe the plaintiff banks a duty of care and may be liable for their purely economic losses, and that the plaintiff banks would be left with no remedy for Heartland’s alleged negligence.
Heartland responded that the original district court decision should still be affirmed on other grounds, including that the plaintiff banks should not be limited to contractual remedies available through Visa and MasterCard networks, that Texas law and not New Jersey law governs, that the plaintiff banks failed to state a claim under the Federal Rule of Civil Procedure, and that some of the plaintiff banks are collaterally prohibited because of a second claim regarding the same issue.
The appeals court stated that these complex issues would be better addressed by the district court.
Case no. 12-20648.
Banks suit over hackers’ breach sent back to district court
ORGANIZATIONS IN THIS STORY