The real cost of data breaches - Heartland to pay Amex $3.5 million

By Cynthia J. Larose

According to its 8-K filing with the Securities and Exchange Commission (SEC), Heartland Payment Systems Inc. has agreed to pay American Express Travel Related Services Co. Inc. just over $3.5 million to settle any claims arising out of a massive payment card data breach.

This settlement is likely to be only the first over the compromise of tens of millions of debit
and credit card accounts by malicious software planted on Heartland's computers
that the Princeton, N.J.-based payment card processor revealed in January of this year.

On November 12, Heartland filed a Form 8-K with the SEC, stating that it had doubled from $35.6 million to $73.3 million its anticipated breach expenses for 2009, because it expected to settle litigation related to the breach.

Heartland faced a total of 17 consumer class actions and 10 bank and credit union class actions related to the breach, which were consolidated in the U.S. District Court for the Southern District of Texas. According to the Form 8-K filing, the newly announced settlement agreement
would release Heartland from any claims raised by AmEx or its issuing banks. The filing did not indicate whether the settlement is subject to court approval and did not include a copy of the agreement.

Subscribe To Viewpoints

Published

Viewpoint Topics

Professionals

Author

Cynthia J. Larose

Member / Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.