1st Circuit: Hannaford Breach Plaintiffs May Recover Some Costs

Published On October 24, 2011 | By Lisa Branco | Data Security, General, Litigation
TwitterLinkedInFacebookRedditCopy LinkEmailPrint

On Oct. 20, 2011, the First Circuit Court of Appeals partially reversed the district court’s decision dismissing some plaintiffs’ claims in the class action lawsuit stemming from the 2008 Hannaford Bros. (“Hannaford”) data breach.  In its opinion, the First Circuit stated that under Maine law, certain costs plaintiffs incurred to mitigate potential harm from the breach were “reasonably foreseeable” and thus potentially recoverable.  These include the cost of replacing payment cards not replaced by their banks and the cost of insurance against fraudulent payment card charges.  The decision is notable because prior courts have ruled that such costs were not recoverable in data breach situations.[1]

Forensic evidence revealed that hackers breached Hannaford’s systems in December 2007.  Hannaford was notified of the breach on February 27, 2008 by one of the credit card companies and began investigating the activity.  Hannaford notified certain financial institutions of the breach on March 10, 2008, and made a public announcement regarding the breach on March 17, 2008.  Hannaford stated that up to 4.2 million debit and credit card numbers had been compromised, and that over 1,800 reports of fraudulent charges resulting from the compromise had already been reported.  Multiple plaintiffs filed lawsuits, which were consolidated into one class action suit in the federal court in the district of Maine.

In May 2009, the district court dismissed the claims of all but one plaintiff who had not been reimbursed for fraudulent charges on her card that was compromised during the breach.  The court held that the other plaintiffs failed to state claims under Maine state law for breach of fiduciary duty, breach of implied warranty, strict liability, and failure to notify customers of the data breach, and though plaintiffs adequately alleged breach of implied contract, negligence, and violation of the Maine Unfair Trade Practices Act, the plaintiffs’ alleged injuries were too unforeseeable and speculative to be recognizable under Maine law.

The First Circuit affirmed the court’s dismissal of most of the claims by the plaintiffs, but it overruled the dismissal of the negligence and implied contract claims, stating that “plaintiffs’ reasonably foreseeable mitigation costs constitute a cognizable harm under Maine law.”  In its discussion, the court noted that under Maine negligence law, damages must be “reasonably foreseeable” and not barred by Maine for other policy reasons.  While negligence normally requires “proof of personal injury or property damage,” Maine courts have said that though “reasonable foreseeability” may have limits for most types of physical harm, there is “virtually no limit on liability for nonphysical harm” and Maine courts may consider “relevant policy considerations such as ‘societal expectations regarding behavior and individual responsibility in allocating risks and costs’” Maine courts have also stated that plaintiffs may “recover for costs and harms incurred during a reasonable effort to mitigate” the harms threatened, and that whether the decision to mitigate was reasonable should be judged “at the time it was made.”

Accordingly, the court examined plaintiffs’ actions in light of the breach to determine whether those actions, when taken at the time plaintiffs learned of the breach, were reasonable efforts to mitigate potential harm from the breach.  The court held that plaintiffs’ mitigation costs for replacing compromised cards and purchasing insurance protecting against further misuse of credit or debit cards were reasonably foreseeable actions under the Maine statute, citing the following facts:

(i) The Hannaford case involved actual misuse of data and multiple fraudulent charges to customer accounts, which meant the “card owners were not merely exposed to a hypothetical risk, but to a real risk of misuse;”

(ii) There was no way to predict which customers’ accounts would be used for fraudulent purposes, meaning that all Hannaford customers using credit or debit cards during the class period were at risk of unauthorized charges; and

(iii) Many banks or other card issuers immediately issued new cards once they received notice of the breach, which provided evidence that replacing cards was a reasonable attempt at mitigation.

While the opinion could pave the way for data breach plaintiffs to recover certain costs, it is important to note that the court was careful to distinguish the facts in the Hannaford case from various prior data breach cases cited by Hannaford in its opposition, including:

  • Cases involving data breaches caused by the theft of laptops or other data storage media.  The court stated that in those cases, plaintiffs failed to allege that the persons stealing the media were motivated by a desire to access the data and there was no evidence that the thieves accessed the information.[2]
  • A case involving a computer hard drive that was inadvertently lost. The court stated that in contrast to the Hannaford case, there was no evidence that a third party had accessed the information.[3]
  • Cases in which hackers accessed personal information, but plaintiffs failed to allege that they or any other member of the class had been the victim of identity theft as a result of the breach.[4]

The court was also careful to note Hannaford’s argument that because plaintiffs did not allege that any personally identifiable information (“PII”) was compromised as a result of the breach, there was “no reasonable basis” for one of the plaintiffs to have bought identity theft insurance. The court recognized that the product purchased was actually insurance against the consequences of further misuse of plaintiff’s card information compromised during the breach, and that in the motion to dismiss stage, the court drew “all reasonable inferences in favor of the plaintiff.”  This point is an important one, as the credit monitoring and identity theft insurance services often offered to customers by companies who have had data breaches are designed to protect consumers from identity theft, which is very unlikely to result from the compromise of an individual’s debit or credit card number absent any other PII needed to establish financial accounts, such as a Social Security number.  This is illustrated by the fact that in three of the five proposed federal data breach bills currently before Congress that would require companies to offer affected individuals credit monitoring services after a data breach, there is an exemption for cases involving only the compromise of an individual’s credit or debit card number.  However, despite the court’s efforts to distinguish the case from prior data breach cases, the ruling is likely to receive a great deal of attention from plaintiffs’ attorneys and others.

A full copy of the opinion can be found here.

[1] See, e.g., Allison v. Aetna, Inc., ___ F.Supp.2d ___ (E.D. Pa. March 8, 2010) [Slip Op.]; Willey v. J.P. Morgan Chase, N.A., No. 09 Civ. 1397, 2009 WL 1938987 (S.D.N.Y. July 7, 2009); Randolph v. ING Life Ins. & Annuity Co., No. 07-CV-791 (D.C. Jun. 18, 2009); Belle Chasse Auto. Care, Inc. v. Advanced Auto Parts, Inc., No. 08-1568, 2009 WL 799760 (E.D. La. Mar. 24, 2009); Pisciotta v. Old Nat’l Bancorp, 499 F.3d 629 (7th Cir. 2007); Stollenwerk et al. v. Tri-West Health Care, 254 Fed. Appx. 664 (9th Cir. 2007); Ponder v. Pfizer Inc., 522 F. Supp. 2d 793 (M.D. La. 2007); Forbes v. Wells Fargo Bank, N.A., 420 F. Supp. 2d 1018 (D. Minn. 2006); Bell v. Acxiom Corp., 4:06CV00485-WRW, 2006 U.S. Dist. LEXIS 72477 (E.D. Ark. Oct. 3, 2006); Key v. DSW, Inc., 454 F.Supp.2d 684 (S.D. Ohio, Sept. 27, 2006).; Giordano v. Wachovia Sec., LLC, Civ. No. 06-476, 2006 U.S. Dist. LEXIS 52266 (D.N.J. July 31, 2006);  Guin v. Brazos Higher Ed. Service Corp., 2006 WL 288483 (D. Minnesota, February 7, 2006); Stollenwerk v. TriWest Healthcare Alliance, No. Civ. 03-0185-PHX-SRB, 2005 U.S. Dist. LEXIS 41054, at *10 (D. Ariz. Sept. 8, 2005).

[2] Ruiz v. Gap, 622 F.Supp.2d 908 (N.D. Cal 2009); Caudle v. Towers, Perrin, Forster & Crosby, Inc., 580 F. Supp.2d 273 (S.D.N.Y. 2008); Kahle v. Litton Loan Servicing LP, 486 F.Supp.2d 705 (S.D. Ohio 2007); Randolph v. ING Life Ins.& Annuity Co., 486 F.Supp.2d 1 (D.D.C. 2007).

[3] Melancon v. La. Office of Student Fin. Assistance, 587 F.Supp.2d 873 (E.D. La. 2008).

[4] Pisciotta v. Old Nat’l Bancorp, 499 F.3d 629 (7th Cir. 2007); Hendricks v. DSW Shoe Warehouse, 444 F.Supp.2d 775 (W.D. Mich. 2006).