Heartland Payment Systems filed its annual Form 10-K report with the Securities and Exchange Commission yesterday. The Legal Proceedings section lists all of the consumer, financial institution and stockholder lawsuits against it, and also indicates that it is under investigations in addition to ones previously reported:
[…]
We have been advised by the SEC that it has commenced an informal inquiry, and we have been advised by the United States Attorney for the District of New Jersey that it has commenced an investigation, in each case to determine whether there have been any violations of the federal securities laws in connection with our disclosure of the Processing Systems Intrusion and the alleged trading in our securities by certain of our employees, including certain executive officers.
We have been contacted by the Federal Financial Institutions Examination Council and informed that it will be making inquiries into the Processing System Intrusion, and the Federal Trade Commission, by letter dated February 19, 2009, has requested that we provide information about our information security practices. Additionally, we have received written or telephonic inquiries relating to the Processing System Intrusion from a number of state Attorneys General’s offices, including a Civil Investigative Demand from the Louisiana Department of Justice Office of the Attorney General, the Canadian Privacy Commission, and other government officials. We are cooperating with the government officials in response to each of these inquiries. We expect that additional lawsuits may be filed against us relating to the Processing System Intrusion and that additional inquiries from governmental agencies may be received or investigations may be commenced.
The report also provides some additional detail on how Heartland’s sponsoring banks may try to recoup any fines and that they anticipate that other card brands may also impose fines:
Although we intend to defend the lawsuits, investigations and inquiries described above vigorously, we cannot predict the outcome of such lawsuits, investigations and inquiries . Apart from damages claimed in such lawsuits and in other lawsuits relating to the Processing System Intrusion that may be filed, we may be subject to fines or other obligations as a result of the government inquiries and investigations described above and additional governmental inquiries or investigations relating to the Processing System Intrusion that may be commenced. The card brands may also assert claims seeking to impose fines, penalties, and/or other assessments against us or our sponsor banks (who would seek indemnification from us pursuant to our agreements with them) based upon the Processing System Intrusion. In that regard, we have been advised by Visa that based on Visa’s investigation of the Processing System Intrusion Visa believes we are in violation of the Visa Operating Regulations and that, based on that belief, Visa has removed us from Visa’s published list of PCI-DSS compliant service providers until such time as we are re-certified as PCI-DSS compliant and the assessor’s report attesting to such re-certification has been reviewed and approved by Visa, intends to seek to impose fines on our sponsor banks, which fines (if successfully imposed) our sponsor banks could in turn seek to recover from us, intends to place us in a “probationary status” during the two years following our re-certification as being PCI-DSS compliant, during which time our failure to comply with the probationary requirements set forth by Visa or with the Visa Operating Regulations may result in Visa seeking to impose further risk conditions on us, including but not limited to our disconnection from VisaNet or our disqualification from the Visa payment system, and intends to treat some or all of the Visa accounts that Visa considers to have been placed at risk of compromise in the Processing System Intrusion as being eligible for Visa’s “Account Data Compromise Recovery” and “Data Compromise Recovery Solution” processes, which processes could result in Visa’s seeking to recover from our sponsor banks (and our sponsor banks in turn seeking to recover from us) amounts in respect of fraud losses and operating expenses that Visa believes Visa issuers to have incurred by reason of the Processing System Intrusion. We expect the other Card Brands will assert claims seeking to impose fines, penalties, and/or other assessments against us or our sponsor banks (who would seek indemnification from us pursuant to our agreements with them) based upon the Processing System Intrusion. By these claims, we expect the other Card Brands to seek to recover from us, or from our sponsor banks (who would in turn seek to recover from us), assessments in respect of fraud losses and operating expenses (including card reissuance costs and non-ordinary-course account monitoring expenses) that the other Card Brands believe either themselves or their issuers to have incurred by reason of the Processing System Intrusion, as well as fines and/or penalties by reason of our alleged failure to comply with the other Card Brands’ operating regulations. The amounts of the Card Brand claims described above are expected to be material, and the amounts we are required to pay to defend against and/or resolve those claims could have a material adverse effect on our results of operations and financial condition.