Credit Processor Pays $1 Million for Data Breach
Think your credit card information is secure? Think again. Last month, Heartland Payment Systems, a national credit processor, settled a class action lawsuit to the tune of $1 million after a staggering 130 million credit card numbers were stolen from its system by hackers in December 2007.
- Only 11 people qualified for payment, rest of money went to non-profits
- Fair Credit Reporting Act questionably cited in the lawsuit
- FCRA does provide consumer protections for victims of fraud and identity theft
Data Theft Above and Beyond
The scale of the Heartland heist was remarkable. PC World called it “far above and beyond any data theft in the past.” However, law enforcement unraveled the crime and the lead hacker, American Albert Gonzalez, is now serving a 20-year prison term.
On the civil side, Heartland was ordered to come up with up to $2.4 million to settle claims it had not sufficiently protected consumer data, $1 million of which it had to make available immediately. Ultimately, only 11 people filed valid claims for damages, and were awarded a total of $1925. The balance of the $1 million was split between three non-profit privacy rights groups.
The company also spent $1.5 million to advertise the settlement to find people who had been defrauded, and another $641,000 for plaintiff attorney fees and court costs. Even though they won’t have to pay out the entire $2.4 million they agreed to in the settlement, it was still a rather expensive breach of data.
In a curious allegation, the claims against Heartland asserted that it committed “intentional and negligent violations” of the federal Fair Credit Reporting Act (FCRA) by not effectively protecting consumer information. Since the case settled, the assertion wasn’t tested in court, but several lawyers questioned whether the FCRA was the appropriate law to cite.
“We generally do not see FCRA claims being made in typical data breach cases,” says Martin Thornthwaite, an attorney at Strasburger & Price in Texas who has handled FCRA cases. “The provision in the FCRA that is sometimes relied on in data breach cases concerns whether records that contain consumer information were properly disposed of, but we have found that these claims are rarely asserted and are often not applicable.”
What the FCRA does do is help consumers protect themselves in the event of fraud or identity theft. “If a consumer is concerned that he or she has been a victim or is about to become a victim of fraud, including identity theft, the consumer can request that a fraud alert be placed in his or her file with the consumer reporting agencies,” Thornthwaite says. “Further, a consumer requesting a fraud alert can also specify a telephone number to be used for identity verification purposes so that a user of the consumer’s credit report must contact the consumer or take reasonable steps to verify the consumer’s identity and confirm that any credit application is not the result of identity theft.”
Under certain state laws, consumers can also freeze their credit so new lines cannot be opened without a special PIN code.
It’s important that consumers be proactive to protect their names, their credit rating and their bank accounts. “If you think your credit card information is compromised, just be really diligent finding out if it’s been used,” says Chris Kittell, an attorney in Mississippi who maintains a blog explaining the FCRA. “Obtain a copy of your credit report from each of the three credit bureaus at annualcreditreport.com, the website where the FCRA requires credit bureaus to supply one free credit report per year, no strings attached.”
“Look first toward the inquiry portion of the credit report,” Kittell explains. “The first indication of fraud will show up if you see a hard inquiry, where you or someone in your name is applying for credit. If you see something that you don’t recognize, that’s a red flag that someone’s out there trying to get credit in your name. That’s something to be worried about.”
If you spot something fishy in your report, act immediately. “If you think you are an identity theft victim, file a police report,” Kittel says. “Start a dispute with the credit bureaus. Send the police report with the dispute.” It can also be helpful to alert any banks or other institutions that the requests for credit went through.
Should the credit bureaus drag their feet resolving your dispute or refuse to accept your evidence, it’s time to hire an attorney to head off and repair any instances of identity theft. “The earlier the better,” Kittell says. The National Association of Consumer Advocates keeps a directory of lawyers who specialize in fraud and identity theft and can help you clear your name.
Unfortunately, credit security problems didn’t end when Heartland shored up its defenses: Earlier this year 1.5 million credit card numbers were stolen by hackers from credit processor Global Payments. Stay alert.
You can find more information on how to protect yourself and your legal remedies if you are the victim of fraud in the Identity Theft information section on Lawyers.com.