Heartland Data Breach - Legal Update from Attorney Richard Coffman
In an exclusive interview, Coffman discusses:
After practicing several years as a CPA with two international accounting firms, Coffman received his law degree from the University of Texas in 1989. He began his legal career in Houston with a large Texas law firm where he represented plaintiffs and defendants in commercial litigation. Since that time, his own law practice, the Coffman Law Firm, has focused on business cases, consumer cases, complex commercial litigation and class actions.
TOM FIELD: Hello, this is Tom Field, Editorial Director with Information Security Media Group. We are talking today about the Heartland Payment Systems legal case and with us is Richard Coffman, an attorney with the Coffman Law Firm in Beaumont, Texas. Mr. Coffman, thanks for taking time to speak with me today.
RICHARD COFFMAN: You are most welcome.
FIELD: Why don't you give us some sense of what your role is in the Heartland cases that are winding through the courts now?
COFFMAN: The first thing you have to understand is that this litigation is really broken down into three segments. All of the cases that have been filed so far have been filed in various federal courts around the country. There have been about 20 plus cases filed on behalf of consumers, as we now speak about ten cases filed on behalf of financial institutions, banks and credit unions, and another four cases being securities fraud type cases.
I happen to represent financial institutions in the bank and credit union segment of this litigation.
FIELD: Now how did you get involved in the matter Richard?
COFFMAN: I have a client in Kansas City and he sits on the Board of Directors of a bank, a small country bank known as Lone Summit Bank out in Missouri, and I just happened to be in Kansas City with him when the news broke. He knew that I had prosecuted data breach cases in the past and he asked me if I would be willing to represent Lone Summit Bank in this litigation, since they got hit pretty hard by this data breach. And as a result I filed the Lone Summit Bank case in federal court in Trenton, New Jersey, which happened to be the first financial institution case filed in the Heartland data breach litigation.
FIELD: Now I know there is some news this week, where are we now in the legal process with the suits that you are involved with?
COFFMAN: In the federal court system there is a mechanism known as multi-district litigation consolidation. It is done by the Multi-District Litigation Panel, which is a select panel of federal judges. This panel meets every other month. It met in late May in Louisville, Kentucky.
Pursuant to these provisions the federal court system can consolidate litigation, they can consolidate various cases that are filed around the country in federal courts that are alleging virtually identical claims against the same defendant. All of these cases can be brought together and consolidated and coordinated for pre-trial purposes and for efficiency sake, in one federal court.
The hearing took place, again on May 27th, and just about all of the parties involved, Heartland and most of the plaintiffs, argued that the case be consolidated in Houston. The parties were requesting Houston because even though Heartland is based in Princeton, New Jersey, its IT operations that gave rise to the data breach are actually located in Texas.
On June 10th, the MDL panel issued its order and has now sent the litigation to Judge Lee Rosenthal who is a federal district judge in Houston, Texas.
FIELD: So I know we have a long way to go here and this will be unwinding for a while, but what types of historic cases can we look to for precedence, if any?
COFFMAN: There is really only one class action data breach case that I am aware of in which banks and credit unions were plaintiffs and that is the TJX data breach case, which prior to the Heartland breach case was the largest data breach case in United States history. I can say that the banks initially did not fair well in that case for several reasons, none of which exist in this case in my opinion.
Although I have been following the bank's side of that TJX litigation closely, it is interesting to note that the First Circuit Court of Appeals just breathed new life into the bank's side of the case with a ruling in March of this year, and has now sent the bank case back down to the federal district court in Boston with the directive to look at class certification all over again.
The district court initially denied class certification for the financial institutions in that litigation, again for reasons that I don't believe exist in the Heartland case, but even with that denial the district court has now been directed to look at it one more time.
FIELD: Now what do you find is unique about the Heartland case that we will be looking at over the next couple of months?
COFFMAN: Two things really; one as you previously alluded to, there is only one other bank class action and this is the second one. I think that it is unique in that it is going to be a harbinger of things to come, but more importantly I believe that it is a unique case because of the magnitude of the number of accounts impacted.
Early reports indicate that it is upwards of 100 million debit and credit cards, and this has just been a devastating data breach on banks and credit unions across the country. I have talked to financial institution executives and operations personnel in just about every state that have been impacted by this data breach. In addition to the cost of just replacing the plastic, which can be upwards of $35, $40, even $50 a card once you factor in soft costs such as personnel costs to deal with bank customers and overnight delivery charges to get replacement cards into the hands of their customers, it becomes a very expensive cost to the financial institutions.
In addition to just replacing the plastic, a number of these financial institutions have also had to cover unauthorized charges that were placed on their customers' cards. Another thing I'm hearing from financial institutions over and over again is the fact that many of their customers don't understand that it is not the financial institution's fault here. It is Heartland, a payment processor's fault. But the customers don't understand that and they are very irate, especially if they went out and used a card that had been compromised and canceled by their bank or credit union. They didn't know that it had been canceled and they had gone to a restaurant or the movies that particular night and their credit card had been rejected, or their debit card had been rejected, and they had become embarrassed. Then you have an irate customer on your hands. I have had several financial institution executives say they have had customers move their accounts to other financial institutions because of it.
FIELD: There is no question that this one has been personal for the consumers and for the financial institutions as well. It seems like they have got more skin in this game than they have in some of the others that we have seen.
COFFMAN: That's exactly right.
FIELD: So what can financial institutions and consumers realistically expect to see going forward?
COFFMAN: In the long term, if this situation continues to play out and repeat itself, where you have more and more of these types of data breaches where banks and credit unions are forced to replace cards, either debit cards or credit cards, what you are going to see are policy changes and even technology changes.
You can read in the media reports now that the CEO of Heartland is already pushing for end-to-end encryption of personal financial information rather than how it is treated now, which is basically keeping it in its native format with the hope that a corporation's internal firewall will provide the information with protection. The CEO of Heartland is also calling for a transparent clearinghouse of data breach information, to get that out in the public quicker to stave off some of these unauthorized charges.
The bottom line is you are going to see policy changes and you are going to see technology changes. I think you are going to see data security standards overhauled, certainly in the long term if not in the near term. Although I haven't seen it I expect that there are insurance companies out there working on products that will deal with data breach situations like the one in the Heartland case.
FIELD: Well that's a good point. These things take time, as you know, what do you expect to see for immediate next steps?
COFFMAN: As I indicated earlier, once these cases all get down to Houston, the judge in the case to which the litigation has been assigned, Judge Lee Rosenthal, will set down the initial case management conference and at that particular point time she will bring in all of the lawyers for all three segments of the litigation.
I anticipate that for each segment of the litigation there will be an organizational hierarchy of lawyers, and hopefully the lawyers can get together and agree on the hierarchy, but if they can't then there will be a period of time where applications and briefs will be submitted and then Judge Rosenthal will make that decision. But I anticipate, just having a gut feeling for her docket in Houston, that the initial case management conference will probably take place sometime in August or September of this year.
Once that case management conference is squared away, once the organizational hierarchy is squared away, she will enter a scheduling order that will schedule the various deadlines for the various tasks in this litigation from inception in her court until trial.
FIELD: So it is fair to say that we will be talking about his for a while.
COFFMAN: The wheels of justice grind, but they grind slowly sometimes. The good news is that Judge Rosenthal is an excellent judge for this case. She is a very fair judge. She is a very even-handed judge and she is very efficient at moving her docket forward, even in complex cases like this one. So I expect that we will be talking about it for at least a couple of years, but we will certainly make progress in the meantime.
FIELD: Well very good Richard. I appreciate your time and insights today.
COFFMAN: Well thank you for having me.
FIELD: We've been talking with Richard Coffman with the Coffman Law Firm. The topic has been the Heartland Payment Systems data breach. For Information Security Media Group, I'm Tom Field. Thank you very much.