A Princeton, N.J.-based company that failed to protect itself against an off-the-scale computer data breach has succeeded in fending off a securities fraud action over the resulting losses to investors.
U.S. District Judge Anne Thompson in Trenton, N.J., on Monday granted a defense motion to dismiss the case, In re Heartland Payment Systems Inc. Securities Litigation, 09-civ-1043, finding the plaintiffs failed to allege the existence of any material statement or omission or to adequately plead scienter.
Thompson dismissed the suit with prejudice, saying it appeared "further specificity would not cure the Complaint's deficiencies" and thus, "amendment would be futile."
Hackers stole information on 130 million credit card and debit card accounts from Heartland Payment Systems, which processes payroll and credit card payments for more than 250,000 businesses and handles about 100 million transactions per month.
In December 2007, Heartland's payroll manager system, which contains employees' Social Security numbers and other confidential numbers, was the target of a "structured query language," or SQL, attack.
The company allegedly spent much of January 2008 "putting out fires" and successfully preventing the theft of payroll system information.
It allegedly took almost a year for Heartland to realize that the attack placed malware on its network that infected the payment processing system, resulting in a massive loss of credit and debit card numbers.
On Jan. 20, 2009, the company announced the breach, saying it had uncovered it the previous week after Visa and MasterCard alerted it about "suspicious activity concerning processed card transactions." Heartland said it had notified the Department of Justice and was upgrading its security systems. It also set up a Web site to keep people informed, www.2008breach.com.
In the month after the announcement, Heartland's stock price dropped from more than $15 per share to $5.34, resulting in huge losses to investors and spurring lawsuits that were consolidated in New Jersey.
The plaintiffs alleged that Heartland concealed the SQL attack and made false general statements that it had adequate security systems and took the issue of security very seriously.
The plaintiffs' allegations focus on two conference calls between the company's top executives -- CEO Robert Carr and CFO Robert Baldwin -- and financial analysts to talk about the company's financial results.
During the first, on Feb. 13, 2008, Carr and Baldwin answered no when analysts asked if there was any specific security threat that prompted increased security expenditures for the last quarter of 2007. The plaintiffs alleged that response was not truthful because it concealed the SQL attack.
Thompson disagreed, saying the SQL attack occurred too late in the quarter to have caused the million-dollar-plus outlay. If the question had been whether any security lapses occurred during the quarter, a denial might have been misleading, she noted.
Baldwin said in the same call that the company had never experienced anything "that would put it in a TJ Maxx position," referring to a theft of 45.7 million credit card numbers in 2007 that was then the largest known cyberdata breach.
That statement was also not false, because at that point, the Heartland hackers had not yet stolen the credit card numbers, said Thompson.
On the second call, on Nov. 4, 2008, Carr discussed trends in encryption standards and the need to adopt more secure technology for processing transactions. His "forward looking statements" were not false and were not misleading because they had "nothing to do with Heartland's then-existing security situation or the SQL attack," Thompson found. Nor did his general statements trigger a duty to disclose the SQL attack.
Also at issue was the 2007 annual report Heartland filed on March 10, 2008, with the Securities and Exchange Commission. It stated the company placed "significant emphasis on maintaining a high level of security," shielding databases with multiple layers of protection, but warned hackers could penetrate the system, exposing it to assessments, fines or litigation costs.
The plaintiffs assailed those statements as untruthful in light of the SQL attack and the still-unresolved security issues. Thompson saw no inconsistency or contradiction between valuing data security and having been successfully attacked, especially since the Form 10-K did not say the company was invulnerable or had never suffered a breach.