Court dismisses lawsuit in merchant data breach case

23.06.2006
Security analysts have for some time now been warning that companies could find themselves becoming targets of costly lawsuits for information security failures. But so far at least, it has been mostly the plaintiffs who've lost the few cases taken to court.

The latest example is a U.S. District Court's decision late last week to throw out a lawsuit filed by the Pennsylvania State Employees Credit Union (PSECU) against Fifth Third Bancorp. of Cincinnati.

The Harrisburg-based PSECU hoped to recover US$100,000 it spent on cancelling and reissuing 235,000 Visa credit cards compromised in a security breach at BJ's Wholesale Club of Natick, Mass. in 2004.

PSECU had argued that Fifth Third was liable for the costs because it was the bank responsible for processing card transactions for BJs and should have ensured the merchant was complying with Visa's security requirements.

PSECU's original lawsuit for breach of contract and negligence also included BJ's. But all of PSECU's claims against BJ's and three of its claims against Fifth Third bank were dismissed last October by the court in Harrisburg.

The same court threw out the one remaining claim against Fifth Third last Friday, saying that PSECU wasn't a third-party beneficiary to the contract between Fifth Third and Visa and was therefore not entitled to seek any card reissuance costs.