In a September 3 ruling, the Fifth Circuit reversed a district court and held that New Jersey’s version of the “economic loss doctrine” permits a card issuer to sue a payment processor for negligence when a data breach causes solely economic harm to the issuer. Lone Star Nat’l Bank v. Heartland Payment Systems, No. 12-20648 (5th Cir. Sept. 3, 2013).
The defendant, Heartland Payment Systems, processed payments for credit and debit card transactions. Hackers infiltrated Heartland’s systems and stole payment card information, resulting in economic losses for the card issuers, which had to replace compromised cards and refund fraudulent charges. Lacking a contractual relationship with Heartland, the issuers brought suit on the grounds that Heartland was negligent.
The parties disputed whether Texas or New Jersey law should apply, but both agreed that the “economic loss doctrine,” which generally limits a plaintiff seeking to recover purely economic losses to contractual remedies, would bar the claim in Texas. In the first go-around, the district court granted Heartland’s motion to dismiss, ruling that the economic loss doctrine also would bar the claim under New Jersey law. The district court reasoned that the issuers had contracted with Visa and MasterCard for specific remedies in the event of a data breach, and thus could not bring common law tort claims against another entity involved in the transactions.
The Fifth Circuit reversed, holding that the negligence claim was not barred under New Jersey law and that it was “easily foreseeable” that the card issuers “would be the entities to suffer economic losses were Heartland negligent.” The court also noted that whether the issuers had compensation remedies for losses caused by Heartland’s negligence under the Visa and MasterCard rules and regulations was not clear. Without such remedies, barring the claim would “defy[ ] notions of fairness, common sense and morality.” The court further observed that it was not clear whether Heartland actually had valid contracts with Visa and MasterCard, and even if it did, whether the card issuers had sufficient bargaining power to actually negotiate the allocation of risk in the event of harm caused by Heartland.
The Fifth Circuit remanded the case to the district court for resolution of the choice of law issue and remaining issues on Heartland’s motion to dismiss.
The decision in this case suggests that payment processors should not expect their existing contracts to fully insulate them against tort liability in the event of a data breach—at least in states with an economic loss doctrine similar in scope to New Jersey’s.