Last week, Heartland Payment Systems announced it had reached a settlement with Visa to benefit card issuers affected by the 2008 data breach. The payment processor will pay up to $60 million to fund the settlement, according to an Associated Press story published at ABC News.
In December, Heartland also reached a $3.6 million settlement with American Express to compensate issuers for the same breach. Miami resident and well-known hacker Alberto Gonzalez was reportedly responsible for the breach, as well as for large data breaches at Hannaford Brothers and TJX in recent years.
Tuesday I had the opportunity to speak with Proskauer Rose partner Kristen Mathews, who leads the firm's privacy and data security practice group, about the Visa settlement and how it would work. She explained that the settlement is made with card issuers because they are responsible for issuing new cards to the consumers whose information was compromised, and they are stuck reimbursing the consumers if fraudulent charges are incurred as a result of the breach -- even though the breach happened at Heartland.
The Associated Press piece indicates Visa will notify those issuers able to participate in the settlement by Jan. 14, and they will have until Jan. 29 to opt in. Mathews points out the settlement is a conditional one, which means a certain percentage of issuers must participate if the settlement is to be effective. In this case the magic number is 80 percent participation. If that share of eligible issuers does not choose to participate, Heartland must scrap this settlement and try to come up with a new one, or wait and see what the courts decide as each issuer seeks its own redress.