Nearly two years after Heartland Payment Systems, Inc. (“Heartland”) experienced one of the largest customer data security breaches in history, it entered into its third settlement agreement with a card company. (In addition to its settlements with card companies, on April 30, 2010 Heartland received preliminary approval for a consumer class-action settlement that could cost it up to $2.4 million.) Having already entered into settlement agreements with Visa for up to $60 million and American Express for up to $3.6 million, Heartland announced on May 19, 2010 that it entered into a settlement agreement with MasterCard that could result in as much as $41.1 million being paid to eligible MasterCard card issuers for losses resulting from the breach.
According to the terms of the settlement, MasterCard issuers that filed timely claims for accounts that were affected by the breach will be eligible to receive a specified dollar amount at some point during the third quarter of 2010, provided that MasterCard issuing financial institutions that represent at least 80% of the claimed-upon accounts accept the settlement agreement by June 25, 2010. In addition, the claimed-upon accounts must waive rights to any other recovery from Heartland arising from the breach.
With the dust from the breach beginning to settle, the financial damage to Heartland is becoming evident. Should the MasterCard settlement be approved, Heartland could, in total, be on the hook for well over $100 million in breach-related settlement payments.