When you go to the grocery store, chances are you’re thinking about the ripeness of the produce, not data security breaches. That is, unless you’re one of the 4.2 million Hannaford Brothers grocery-store shoppers whose credit/debit card numbers and security information were hijacked by hackers over the course of four months. After disclosing the breach to their patrons, Hannaford Bros. Co. was faced with several different class action lawsuits. These lawsuits were filed by customers who alleged damages from fraudulent charges and by individuals who had incurred costs from purchasing credit insurance or had bought new cards.

Cases of this type usually follow a predictable pattern. In order to receive compensation, customers must show a completed financial transaction resulting directly from the data breach. Those who take on costs to alleviate the risks of any future damages must bear those costs themselves; the merchant is not responsible. While most recent data breaches have resulted from a lost smartphone or stolen laptop, these thieves used sophisticated tactics to gain access to Hannaford’s payment processing system and steal this precious data. This simple fact changed the entire complexion of the case.

On October 20, 2011, the U.S. First Circuit Court of Appeals handed down a ruling in Anderson v. Hannaford Bros. Co., supporting the claims of the plaintiffs who had taken it upon themselves to protect themselves from future damages. This decision potentially changes the steps organizations will take in order to protect such sensitive data. With more on the subject, here is some insight from our authors on the LexBlog Network.

Starting off with an overview of the case, Theodore Kobus of Baker Hostetler offers up the details of the case before it hit the First Circuit’s docket, and what companies should take away from the case’s reversal, on the firm’s blog, Data Privacy Monitor:

“The Hannaford Brothers supermarket chain suffered a data breach between December, 2007 and March, 2008 where hackers accessed over 4M credit and debit card numbers. Several class action lawsuits were filed and combined. Consistent with several other prior data breach class action lawsuit decisions, U.S. District Court for the District of Maine Judge Hornby concluded that “[u]nder Maine law . . . if the negligence does not produce [a] completed direct financial loss and instead causes only collateral consequences—for example, the customer’s fear that a fraudulent transaction might happen in the future, the consumer’s expenditure of time and effort to protect the account, loss opportunities to earn reward points, or incidental expenses that the customer suffers in restoring the integrity of the previous account relationships—then the merchant is not liable.” Judge Hornby ultimately dismissed the claims brought by all customers except those who were not reimbursed for fraudulent charges.

…

Organizations should still take data security issues seriously because even if no class action lawsuit follows a breach, the expense and effort required to respond to a data breach can be staggering. Moreover, we are now seeing increased opportunities for a class action lawsuit to reach the discovery phase where organizations will be tested for their vigilance in using best practices to prevent, and respond to, a data breach.”

Following suit, Dan Kahn of Inside Privacy, a Covington & Burling-run blog, picks up where Theodore left off and follows the case as it worked its way through the appellate system:

“The federal district judge who initially reviewed the case held that the plaintiffs whose fraudulent charges had been paid did not suffer any reasonably foreseeable economic damages, and therefore could not possibly recover anything for their claims under Maine law. However, in a motion for reconsideration, the plaintiffs convinced the district judge that Maine law was ambiguous as to whether Maine law permitted recovery for the plaintiffs’ time, effort, and stress (as opposed to monetary loss) involved with the fraudulent charges. As a result, the district judge sought the opinion of the Supreme Judicial Court of Maine, the state’s highest court. The Maine high court answered that the plaintiffs had to show a “legal injury,” such as economic harm, rather than merely cost in terms of time or effort. The district court then dismissed the case because in its view recovery based on both economic loss and time/effort were foreclosed.

The plaintiffs then appealed to the First Circuit Court of Appeals, where the focal point returned to whether the plaintiffs had alleged any reasonably foreseeable economic losses.  Disagreeing with the district court’s earlier decisions, the court of appeals held that the plaintiffs had alleged two forms of monetary loss sufficient to continue with their claims: (1) the cost of replacing their credit and debit cards, and (2) the cost of credit insurance obtained in response to the breach.”

On Privacy & Security Matters, a Mintz Levin production, Kevin McGinty discusses what makes this case different from other security-related litigation, and why the First Circuit reversed the ruling:

“In this particular case, the data theft was the result of a sophisticated criminal enterprise that had targeted the Hannaford system with the express purpose of obtaining credit card and debit card numbers in order to incur fraudulent charges. Therefore, the First Circuit deemed it reasonable for plaintiffs to expend money to purchase credit insurance or new credit cards. In so ruling the court distinguished other cases that had found such expenditures to be unreasonable in circumstances involving theft of laptops or other types of computer equipment, in which the loss of data was not associated with a deliberate attempt to perpetrate credit card fraud. In Hannaford, the First Circuit concluded that the explicit targeting of the payment system for purposes of using the credit and debit card numbers made it reasonable for plaintiffs to take steps to protect against such misuse. Although other cases had held that targeted theft of credit card data did not permit mitigation costs to be treated as cognizable damages, the First Circuit distinguished those cases on the ground that none involved allegations that any plaintiffs had suffered identity theft or actual misuse of credit card numbers, whereas plaintiffs allege that such misuse did occur in Hannaford and that they were aware that it had occurred.”

Lastly, David Navetta, a founding partner of the Information Law Group, has a comprehensive analysis of the case, complete with extensive coverage regarding the future of data breach lawsuits as it pertains to this case:

“Early Stages. Readers must be reminded that even if the negligence and implied contract claims are allowed to proceed, we are only at the pleading stage. It may be possible for Hannaford to win on a motion for summary judgment, the issue of class certification and at trial.

Class Certification Difficulties. Even if certain individual plaintiffs are able to allege negligence and implied contract claims, they may not be able to certify a class action if there is not sufficient commonality between the class members. Class certification is the wild card at this point. It is one thing to have a handful of plaintiffs individually suing for relatively small amounts, and quite another to have a large class doing the same.

U.S. Supreme Court. While there may be differences between various decisions that may preclude a conflict, it now appears that we have a split between U.S. Courts of Appeal. On one side we have the 7th and 9th Circuits throwing data breach lawsuits out due to lack of cognizable harm. On the other we have the 1st Circuit going the opposite direction for some damage elements. Will the U.S. Supreme Court have to weigh in to resolve the split?

Other Mitigation Damages? What other costs might constitute recoverable mitigation damages? The threshold is reasonableness, and it does not necessarily appear that the plaintiff needs to be aware of actual harm or misuse of personal information (although it helps the reasonableness argument if they are). We have had regulators ask our clients to offer to pay for fraud alerts after a data breach – might the cost of a fraud alert also equal a recoverable mitigation damage element? There are probably other similar costs that creative plaintiff lawyers will come up with.”

This case is particularly interesting because of the long-term implications for corporations. The Hannaford decision increases the scope of their liability. If corporations are responsible for the costs that come with their customers purchasing credit fraud insurance due to a data breach, then their focus on preventative security measures will undoubtedly increase. This, coupled with the new SEC guidelines on disclosing cybersecurity risks and attacks, is a clear indication that the landscape of corporate responsibilities is shifting.