Heartland/Visa Settlement Raises Questions
The announcement on face looks to be a good one for the institutions that were hit by the breach, the largest to date of credit card data. By most measures, it is a bargain for Heartland, even with the $60 million price tag. But questions are raised on the timing of the settlement, its requirements and the short window to participate.
Looking at the calendar, the announcement came in on a Friday morning, Jan. 8. The deadline for institutions to have their paperwork in as proof they will participate is Jan. 29. No real details were given in the announcement, other than to make one thing really clear: If an institution takes this settlement, it will then have no recourse against Heartland in collecting any other money due because of fraud from the breach. Visa says it will be sending out by email information to the affected institutions on the "Alternative Recovery Offer" on Jan. 14. That leaves 12 business days before a decision has to be made, forms completed and sent back to participate.
Questions are raised on the timing of the Heartland/Visa settlement, its requirements and the short window to participate.
The requirement that 80 percent of Visa issuing banks that were affected by the breach must participate in the settlement also raises a question. Why the large percentage? Could Heartland be worried that some banks won't take the settlement offered, which after $1,000 is only an equal match to the losses? Institutions that make the decision to go with the settlement will be reimbursed only the amount to date. The settlement doesn't include any future fraud that may happen because of the breach.
It's also interesting to see the speed at which Visa and Heartland expect institutions to make this decision. A three-week window to get more information, digest it and present it to senior management, and possibly the board of an institution, is cutting it close. Real close.
Finally, the last question I have to ask is the most obvious: Why now? It can't be that the upcoming one-year anniversary of the Heartland announcement has any bearing. My thought is that Heartland is pushing this settlement out in front of issuing institutions, hoping they'll take it and then forgo any participation in the class action suit being brought against it.
The judge has not ruled on the class action suit yet, which may be why Heartland has pushed this offer out to institutions, with Visa's blessings and participation, in order to enlist as many institutions as possible before a ruling comes down on whether the case will move forward, or if Heartland's motion for dismissal is upheld.
Should Heartland fail to secure the 80 percent participation rate, it can go back and say it tried with good faith to make amends to issuing institutions, but not enough institutions wanted the settlement offer. There are institutions out there (that will remain unnamed) that have replaced their entire card base at a substantial cost to their bottom line. One institution I know of spent $1 million to replace its cards because of the Heartland breach.
The deadline clock is ticking. Let's see which affected institutions take the settlement - and which ones don't.