Notes on the Heartland breach

The Heartland saga continues and it appears that things are going its way. Not only has the company been on a campaign to make lemonade out of lemons by selling the equipment (“end-to-end” encryption) to its customers (and, presumably, others), but at least one shareholder lawsuit was dismissed.

The class-action suit had some interesting information: First, Bob Carr made lots of cash the second half of 2008 – after the 2007 SQL Injection Attack that precipitated the payment card breach. Second, Adam Davis, the class-action representative, bought a whopping 100 shares at about $9 on …. January 28, 2009 – a week after the breach was made public. I don’t understand how Mr. Davis can justify any of this (and it seems like it would be easy to find someone with more significant damages even though it is probably not necessary).

An interesting side note – Heartland had a Deep Throat providing information to the plaintiffs. The judge heavily discounts his/her testimony along with others:

According to the Complaint, the only people at Heartland who believed that the company had not adequately addressed the SQL attack were the former Senior Developer quoted above, another Senior Developer named George Duke, and a former Business Analyst. (Id. at 77-83.) Furthermore, none of these people are alleged to have expressed any reservations about security until after the credit card theft was discovered in January 2009. (Id.) This after-the-fact speculation by a handful of lower-level employees does not support the inference that Heartland and its corporate officers were consciously or recklessly dissembling when they stated that the company treated security as one of its central concerns.

And a foreboding final thought worth paying attention to from the judge:

It is worth noting that the Complaint at times appears to conflate knowledge of the SQL attack with the belief that Heartland faced ongoing security problems as a result of the attack. Assuming that Defendants were aware of the SQL attack, it does not follow necessarily that they believed that Heartland’s security systems were deficient or that any problems created by the SQL attack had not been addressed. The Complaint contains no allegations—beyond bare awareness of the SQL attack—that support an inference that Defendants believed Heartland had serious ongoing security problems.

I agree wholeheartedly with the judge’s sentiment yet recognize that it is not an easy task, then, to ascertain how to prove a case like this one or any of the others whose outcome favors the defendant. I don’t see how you can do this without objective, comparative measures.