During Heartland Payment Systems (HPY) quarterly Earnings conference call, CFO and President Robert Baldwin revealed that Heartland is indeed under SEC investigation, although exactly why they are being investigated has not been released.
Company President and Chief Financial Officer Robert Baldwin Jr. disclosed the investigations during Heartland’s quarterly conference call with investigators (sic) Tuesday, saying that the SEC had launched an informal inquiry into the company and that there is also a related investigation by the Department of Justice. The U.S. Department of the Treasury’s Office of the Comptroller of the Currency (OCC), which regulates national banks and their service providers, has launched an inquiry, as has the FTC, he said.
Reached Wednesday, a Heartland spokesman could not say why the SEC was investigating the company.
However, the investigation may relate to stock trades made by Heartland Chairman and CEO Robert Carr after Visa notified Heartland of suspicious activity on Oct. 28, 2008. According to insider trade filings, Carr sold just under US$8 million worth of stock between Oct. 29 and the day the breach was disclosed. Heartland’s stock was trading in the $15-to-$20 range for most of these transactions, but it dropped following the breach disclosure. It closed Wednesday at $5.49.
This is trenchant to my January 29 analysis raising the possibility that knowledge of the 2008 information breach may have influenced stock trades by Heartland CEO Robert O. Carr.
The article prompted an email response directly to me from Heartland’s outside counsel, in which they categorically denied any illicit trading activity on the part of Carr:
At the time of this announcement, Mr. Carr was not under any trading restrictions pursuant to the company’s insider trading policy and was not in possession of any material non-public information concerning the company. Under this 10b5-1 plan, programmed sales of company stock were made on Mr. Carr’s behalf, and he had no discretion regarding the timing or other aspects of those sales.
Although he was not required to do so, Mr. Carr terminated his 10b5-1 when the company confirmed the security breach it disclosed in the company’s press release of January 20, 2009. As has been reported, Heartland first learned of a potential problem from the card associations on October 28th of last year, well after the announcement of this 10b5-1 plan. Heartland categorically denies that Mr. Carr was aware of a potential security breach at the time he adopted his trading plan.
As CEO of the sixth largest payment card processor, I would hope that Carr would at times possess some non-public information on the company he built, but that is a topic for a different discussion on overall CEO performance levels and our failing economy.
Here is the time line of the breach and Carr’s trades so far:
May 14, 2008: Breach reported to have beganMay 20, 2008 Carr Makes first stock sale of the year, 2695 sharesAugust (first week), 2008: CEO Robert Carr’s 10b5-1 is proposedAugust 8, 2008: Board approves 10b5-1 planAugust 8 - August 14, 2008: Carr makes six separate sales of stocks totalling 60,000 sharesAugust 19, 2008: Breach reported to have endedAugust 28, 2008: Carr sells 80,000 sharesSeptember 3, 2008: Carr sells 80,000 sharesSeptember 17, 2008: Carr sells 80,000 sharesOctober 15, 2008: Carr sells 80,000 sharesOctober 28, 2008: Visa and MasterCard notify Heartland of problems; Carr sells 80,000 sharesNovember 6, 2008: Carr sells 80,000 sharesNovember 20, 2008: Carr sells 80,000 sharesDecember 11, 2008: Carr sells 80,000 sharesDecember 26, 2008: Carr sells 42,900 sharesJanuary 7, 2009: Carr sells 80,000 sharesJanuary 12, 2009: Carr suspends his 10b5-1 stock selling planJanuary 20, 2009: Breach AnnouncedSources: (http://www.secform4.com/insider-trading/1144354.htm)(http://www.2008breach.com/)
Revelations that the SEC is investigating the stock trades comes on top of class action lawsuits spurred by the breach, as well as a steady decline in stock price.
Heartland has also been hit with a class-action lawsuit relating to the breach, which was publicly disclosed on Jan. 20. “We may, in the future, be subjected to other governmental inquiries and investigations,” Baldwin said during the call. “We intend to vigorously defend any claims asserted against us.”
An unofficial transcript of Heartland’s call can be found here.
The Heartland breach, which has now affected more than 500 banks across the country, leaving an untold number of consumers at risk of financial identity theft and Heartland stakeholders with a loss exceeding 50% in about one month’s time.
There is also another undisclosed breach which we are hearing about. The breach itself has already been confirmed by Visa, and it is possible the breach will exceed Heartland in size.
Our team has been predicting that 2009 will be the year that InfoSec moves to the forefront of the economic crisis with Homeland Security implications. We believe the somewhat obscure issue will be as familiar to the American public as the notorious subprime and pay option ARMs have in the last year or two.
Much like the meltdown of the mortgage industry, the revelations of lax governance in the handling of sensitive and private data will likely shock the public and the business community alike, and those revelations are bound to come all too painfully slow, especially for shareholders.
The data loss debacle at Heartland highlights the fact that the failure to secure information is the next major shareholder derivative, director and officer liability, regulatory, consumer product safety, and class-action issue to impact our economy.
More updates to follow.