April 03, 2012
Data Security Breach Settlement Class of 130M Individuals Has 11 Claimants (at a Cost of $160k Per)--In re Heartland Payment Systems
By Eric Goldman
In re Heartland Payment Systems, Inc. Customer Data Security Breach Litigation, 2012 WL 948365 (S.D. Tex. March 20, 2012). The settlement website.
[Note: I know that many big-scale class action lawsuits have similarly mockable numbers. But I thought the obvious dysfunction of this litigation was still worth deconstructing.]
At some point, I think all of those in the information security litigation industry (both plaintiff and defense) have to ask themselves--am I part of the solution, or part of the problem? I wonder that question even more after seeing the enormous transaction costs in providing de minimis relief in a case like this. Guys, what are we doing here?
Heartland is a payment-card processor. In 2007, it got hacked. The hackers got 130M credit card numbers and expiration dates, plus some cardholder names, but it didn't get mailing addresses, so the credit card numbers couldn't be used online. Heartland publicly announced the hack in 2009. Heartland preliminarily settled the lawsuits by promising to pay at least $1M to verified victims or (if not enough claims were made) to "non-profit organization(s) dedicated to the protection of consumers' privacy rights, with emphasis on advancing the implementation of end-to-end encryption of payment card authorization transactions or similar security enhancements." The named organizations are Smart Card Alliance, the Secure POS Vendor Alliance, and the Financial Services Information Sharing Analysis Center.
For sending a settlement notice, Heartland couldn't provide individual addresses because it's a payment processor, not an issuing bank. Nevertheless, advertising about the settlement allegedly "reached at least 81.4% of potential Settlement Class Members an estimated 2.5 times."
Class members tendered 290 claims, of which "Heartland estimated that perhaps 11 of those claims were valid." At a maximum payout of $175, the maximum amount of cash going to class members is less than $2k. Accordingly, effectively the entire $1M is going to cy pres, not class members. To be clear, Heartland was paying cold hard cash to affected consumers instead of issuing a coupon, but the response rates were worse than typical coupon settlements--by my math, a 0.00000846153846153846% response rate.
The opinion indicates Heartland spent $1.5M to advertise the settlement. Thus, it appears they spent over $130,000 to generate each legitimate claim. Surprisingly, the court blithely treats the $1.5M expenditure as a cost of doing business, but I can't wrap my head around it. What an obscene waste of money! Add in the $270k spent on claims administration, and it appears that the parties spent $160k per legitimate claimant. The court isn't bothered by the $270k expenses either, even though that cost about $1k per tendered claim (remember, there were 290 total claims).
Now, there are a lot of possible explanations why there was such a low response rate: maybe the hackers didn't actually capture any useful data; maybe the hackers didn't misuse the data they got; maybe the credit card companies' fraud detection systems screened out any bogus charges; maybe consumers never noticed bogus charges; maybe consumers did notice bogus charges but never saw the news about the settlement; maybe the hassle of pursuing the settlement wasn't worth the payoff or consumers couldn't figure out how to tender their claims. But whatever happened, neither plaintiffs' counsel nor anyone cheering for more information security enforcement can be particularly impressed by the minuscule response rate. It's a pretty good indicator of at least one deep structural problem with this litigation.
The court makes plaintiffs' counsel take a small haircut for their failure to deliver real value to the class. The parties had computed an attorneys' fee payoff of $725k predicated on a settlement value of $4.85M. After discounting the case value due to the cy pres payments, the court adjusts the attorneys' fee award down to a little over $600k. Still, the plaintiffs' counsel claimed they spent less than 2,000 hours on the case, so they got about $300 per average hour spent on the case--a pretty good overall rate when considering the number surely includes a good number of cheap junior associates and paralegals.
I have a forthcoming paper on privacy class action lawsuits (I'll be posting it soon) that will explicate some serious problems with class actions as a way of remediating privacy breaches. I carved out security breach litigation from the paper, but a case like this makes me wonder what in the world we're doing. As I discuss in my forthcoming paper, maybe the greater social ends justify the means, but examined in isolation, this mechanism looks horrible. In the end, to pay out $2k of actual relief to 11 people, Heartland paid over $2M in attorneys' fees and other transactions costs. Surely I'm not the only one bothered by this...am I?
Posted by Eric at April 3, 2012 12:16 PM | Privacy/Security
TrackBack URL for this entry: