This posting was written by William Zale, Editor of CCH Advertising Law Guide.
In a case arising from a massive data security breach at credit and debit card payment processor Heartland Payment Systems, card-issuing banks had standing to pursue a claim against Heartland under the Florida Deceptive and Unfair Trade Practices Act (FDUTPA) for making false promotional statements about its data security practices, but failed to state claims under consumer protection laws of California, Colorado, Illinois, New Jersey, New York, Texas, and Washington, the federal district court in Houston has ruled.
Heartland allegedly made some detailed, factual promotional statements about its data security practices that could support banks’ claims of negligent misrepresentation under the common law of New Jersey, but the banks’ conclusory allegations of reliance were inadequate, the court held.
Data Security Breach
The card-issuing banks’ claims arose from a breach of Heartland’s computer systems by three hackers—an American and two unknown Russians. They installed programs that allowed them to obtain payment-card numbers and expiration dates for approximately 130 million accounts, as well as cardholder names for some accounts.
Puffery vs. Actionable Misrepresentations
Advertising claims that are vague and highly subjective constitute nonactionable puffery.
Heartland’s slogans—“The Highest Standards” and “The Most Trusted Transactions”—were puffery, the court found. Similarly, statements such as “layers of state-of-the-art security, technology and techniques to safeguard sensitive credit and debit card account information” were nonactionable.
However, Heartland also allegedly made statements that were factually concrete, verifiable, and subject to proof, including “[w]e maintain current updates of network and operating system security releases and virus definitions, and have engaged a third party to regularly test our systems for vulnerability to unauthorized access”; “we encrypt the cardholder numbers that are stored in our databases using triple-DES protocols, which represent the highest commercially available standard for encryption”; and “Exchange has passed an independent verification process validating compliance with VISA requirements for data security.”
Although some of Heartland’s alleged statements might be actionable, the banks’ allegations of reliance were wholly conclusory, according to the court. It was unclear, for example, if the card-issuer banks’ reliance was through their joining, remaining in, or withdrawing from the Visa and MasterCard networks, or what relationship Heartland’s statements had to any such actions. The banks’ fraud and negligent misrepresentation claims were dismissed with leave to amend.
Florida Deceptive and Unfair Trade Practices Act
Heartland argued that only consumers, as the word is traditionally used, may assert claims under the FDUTPA.
The Florida legislature amended the FDUTPA in 2001 to authorize suit by a “person”—rather than a “consumer”—who has suffered loss from a violation. The Act’s purpose is “[t]o protect the consuming public and legitimate business enterprises,” the court observed.
It is unclear if the word “consuming” applied only to “public” or also to “legitimate business enterprises,” the court said. The more natural reading, in the court’s view, is that this clause listed two independent groups that the Act seeks to protect: first, “the consuming public,” and second, “legitimate business enterprises.” The question was close, but the legislature’s use of the word “person” in creating a private right of action suggested a broader reach than the word “consumer.”
Consumer Protection Laws of Other States
The banks’ claims under the New Jersey, New York, and Washington statutes were dismissed without leave to amend.
The banks’ relationship with Heartland existed only by virtue of their participation in the Visa and MasterCard networks. This relationship is far different from the direct, downstream relationship between a consumer of a good and its manufacturer or seller, within the scope of the New Jersey Consumer Fraud Act, the court found. Under the New York Deceptive Acts and Practices Law, the banks were not “consumers,” nor was the conduct at issue “consumer oriented.”
The banks failed to allege facts suggesting that their claim affected the public interest, under the Washington Consumer Protection Act, the court added. The only group likely to be injured in the same fashion—incurring expenses for replacement cards and fraudulent transactions—consisted of other issuer banks. This group was both too small and too specialized to constitute a substantial portion of the public.
The claims under the California, Colorado, Illinois, and Texas statutes were dismissed with leave to amend.
The banks’ conclusory allegations of reliance were insufficient to state claims under the California Unfair Competition Law, the Illinois Consumer Fraud Act, and the Texas Deceptive Trade Practices Act, the court held.
Because the banks’ complaint did not include allegations about pricing, they failed to state a violation of the Colorado Consumer Protection Act’s prohibition against “false or misleading statements of fact concerning the price of goods, services, or property or the reasons for, existence of, or amounts of price reductions.”
The December 1 opinion in In re: Heartland Payment Systems, Inc. Customer Data Security Breach Litigation will be reported at CCH Advertising Law Guide ¶64,508.