Heartland Gets off the Hook
By now you have probably heard that last week US District Court Judge Anne Thompson granted a motion filed by Heartland Payment Systems to throw out a shareholder-initiated class-action lawsuit that followed what many call the worst data security breach ever. The plaintiffs claimed that the company made “false and/or misleading statements and failed to disclose material adverse facts about the company’s business, operations and prospects” and that the company’s cyber security measures were “inadequate and ineffective.” Heartland stock had plunged to a mere 20 percent of its value after news of its massive data security breach surfaced. In her ruling, the judge said that no evidence existed that senior management at Heartland had not been paying suitable attention to security issues there.
Was Heartland senior management really not paying sufficient attention to security issues? I could make a case either way. On the one hand, nobody at Heartland noticed all the intrusions and the infestation of malware for six months. In the commercial world, six months of failure to detect potentially financially catastrophic events of the magnitude that Heartland was experiencing is inconceivable. This says to me that Heartland may have had an intrusion detection effort, but it was not at all effective, a strong (but not 100 percent certain) indication that at least part of its practice of security was more perfunctory than anything else. On the other hand, the fact that Heartland Payment Systems had passed a PCI-DSS audit not all that long before the massive data security breach would in my judgment show that this company had at least exercised due care with respect to its credit card-related security practices. We all know that the PCI-DSS standard prescribes “minimum security practices” more than anything else. Still, in the US there is a strong precedent for due care as a compelling defense argument, dating back to at least the 1930s in the United States versus Carroll Towing ruling (if not before). But I would also want to know whether information security issues had been regular agenda topics in Heartland’s senior management and board of directors meetings. If the answer were no, I’d be less inclined to agree with the view that Heartland was paying sufficient attention to information security issues.
Finally, the fact that the company’s stock value fell drastically once news of the breach reached the public should come as no surprise to anyone. This outcome has happened repeatedly in the past, so much so that the trend is now well documented and analyzed in research studies by institutions such as the University of Maryland and SUNY-Albany (see http://www.sciencedirect.com/science?_ob=ArticleURL&_udi=B6VD0-4X1J73T-1&_user=10&_rdoc=1&_fmt=&_orig=search&_sort=d&_docanchor=&view=c&_searchStrId=1134142558&_rerunOrigin=google&_acct=C000050221&_version=1&_urlVersion=0&_userid=10&md5=b9d2800998af7ec68cb191b5b7d19187, for example). I seriously doubt that Heartland’s senior management and board were even vaguely aware of the effect of security breaches on stock value. There is a lesson to be learned here: if you are an information security manager, you should be educating your senior management about this relationship. It will be one of the best things you can do when it comes to making the “sale for security.”
So Heartland got off the hook, at least with respect to this particular lawsuit. I remain undecided about whether the judge’s ruling in the stockholders’ lawsuit was right. But this lawsuit was only one of many that are still pending. If I were a betting person, I’d bet that Heartland will not fare quite as well in all of the upcoming lawsuits against it.