On December 7, 2009, a federal district court sitting in New Jersey dismissed a securities fraud class action lawsuit against Heartland Payment Systems arising from a massive breach of credit and debit card information and, in doing so, reinforced the difficulties private plaintiffs face in bringing data breach lawsuits under the federal securities laws.
Back in December 2007, hackers attacked Heartland’s computer network – specifically the company’s payroll manager system. During 2008, Heartland worked to prevent theft of data from that system. Unbeknownst to Heartland’s personnel, however, the attack spread to the payroll processing system, from which hackers stole data regarding approximately 130 million credit and debit cards. It was not until January 2009 that Heartland discovered and publicly disclosed the breach, ultimately causing Heartland’s stock to suffer a significant decline in value.
Plaintiffs in In re Heartland Payment Systems, Inc. Securities Litigation claimed that Heartland and two of its executives made misleading statements about the breach and the nature of Heartland’s data security measures in violation of the Securities Exchange Act. In particular, plaintiffs alleged that during a February 13, 2008 earnings conference call, Heartland executives concealed the attack by indicating that large fourth quarter data security expenditures were not prompted by any particular security incident. As to that statement, the court found that the attack occurred “far too late in the quarter to have been the cause for the million-plus expenditure” and, thus, that the statement was not misleading. Also, during that February 2008 call, Heartland’s CFO stated that the company did not experience a security incident “that would put [Heartland] in a TJ Maxx position,” referencing the then-largest credit card data breach. Plaintiffs argued that this statement was false and misleading given the attack on Heartland’s systems; however, the court judged that, as of February 2008, hackers had not stolen any credit card information from Heartland, as they had in the TJ Maxx breach. Accordingly, the court ruled that the CFO’s statement was truthful.
In addition, turning to Heartland’s 2007 annual report and a November 2008 earnings call, plaintiffs alleged that Heartland misrepresented the condition of Heartland’s data security. According to plaintiffs, the annual report misrepresented that Heartland placed “significant emphasis on maintaining a high level of security.” And, during the November 2008 call, Heartland’s CEO allegedly made misleading statements when he discussed a rise in encryption standards and talked about the company’s need to improve its data security measures. The federal district court, however, disagreed with plaintiffs. The court found that the statements made in Heartland’s annual report and during the November 2008 call were not inconsistent with the fact that the company was the victim of hackers. Moreover, the court held that Heartland was not obligated to disclose the initial December 2007 attack. While plaintiffs may not have purchased Heartland shares had they known of the attack, “there is no general duty on the part of issuers to disclose every material fact to investors.”