Home / Blogs

Hannaford Data Breach Plaintiffs Rebuffed in Maine

Don't miss a thing – sign up for CircleID Weekly Wrap newsletter delivered to your inbox once a week.
Venkat Balasubramani

A US District Judge in Maine largely granted a motion to dismiss brought by Hannaford in a big data breach case:

A customers uses a credit or debit card to buy groceries. A third party steals the electronic payment data from the grocer. Can the customer them recover from the grocer any loss resulting from third-party data theft?

Short answer - only if there is actual identity theft or unauthorized charges (which are not covered by the credit card company). Access the order here [PDF]. H/t Threat Level.)

Background: According to the court, around March 2008, third parties stole up to 4.2 million debit and credit card numbers, expiration dates, security codes, PIN numbers, and other information relating to cardholders "who had used debit cards and credit cards to transact purchases at supermarkets owned or operated by Hannaford." Visa notified Hannaford in late February 2008. Hannaford discovered the actual breach on March 8, 2008, notified financial institutions on March 10, and the public on March 17.

The Court's Ruling: The court runs through numerous different bases for recovery, ranging from breach of implied contract to implied warranty, breach of duty of confidentiality, strict liability, and negligence. The key conclusion starts on page 30 of the court's 39 page order when the court talks about whether plaintiffs have suffered any cognizable injuries. Here the court splits the plaintiffs up into categories. The first category consists of plaintiffs who have not had any fraudulent charges posted on their accounts. They are out of luck. (Footnote 128 contains a nice listing of recent data breach cases which arrive at the same conclusion — no out of pocket loss >> no recovery.) Not surprisingly, the court concludes that emotional damages are not recoverable in this context. The second category consists of plaintiffs who have had fraudulent charges that have not been reversed or reimbursed. These plaintiffs may recover. The third category consists of plaintiffs who had fraudulent charges which were ultimately reversed. These plaintiffs tried to argue that they had suffered damages in addition to the unauthorized charges (rewards points, time spent tracking down the banks, overdraft charges, and the cost of identity theft insurance). These plaintiffs are out of luck. Somewhat surprisingly, the court rules that overdraft charges arising from a data breach are not "reasonably foreseeable at the time of the point-of-sale transaction." Finally, the court also denies the request for injunctive relief which sought more precise disclosure of the data that was compromised.

Thoughts: A largely expected result, given the slew of cases in the past few years which hold that data breach plaintiffs cannot recover absent actual loss. (The cases all look to state law, although they are in federal court due to diversity or Class Action Fairness Act jurisdiction.) Maine has a data breach notification statute in place, but plaintiffs did not allege that Hannaford violated this statute (and the statute did not seem to allow for a private cause of action anyway). There wasn't much discussion of free credit report monitoring. It's unclear from an initial read as to whether Hannaford offered this or whether plaintiffs requested it. (The court does expressly reject increased identity theft insurance premiums as a category of compensable damages.) At the end of the decision the court speculates, but "make[s] no judgment on whether the Maine Legislature or Congress should act to provide more protection for consumers." Finally, in a footnote, the court notes that it's unclear at this point whether plaintiffs can satisfy the jurisdictional requirements for the class action fairness act.

Reg Z?: I'm surprised about one thing. I didn't see much discussion of the rules (I think known as "Reg Z") which govern when credit card companies are required to reverse unauthorized charges. These rules speak to when customers can initiate "charge backs" and how card issuers and merchants should deal with customer chargebacks. (They actually set limits on when customers can be held liable for unauthorized charges.) They would have some bearing — I would think — on whether the customer bears the loss of unauthorized transactions and whether card companies have to eat the loss?

Either way, expect this decision to add fuel to the data breach legislation fire.

By Venkat Balasubramani, Tech-Internet Lawyer at Focal PLLC. Follow Venkat on Twitter here.

Related topics: Cybercrime, Cybersecurity, Data Center, Law

 
   

Comments

To post comments, please login or create an account.

Related Blogs

Related News

Explore Topics

Dig Deeper

Afilias Mobile & Web Services

Mobile Internet

Sponsored by Afilias Mobile & Web Services
Verisign

Cybersecurity

Sponsored by Verisign
Afilias

DNS Security

Sponsored by Afilias

Promoted Posts

Now Is the Time for .eco

.eco launches globally at 16:00 UTC on April 25, 2017, when domains will be available on a first-come, first-serve basis. .eco is for businesses, non-profits and people committed to positive change for the planet. See list of registrars offering .eco more»

Boston Ivy Gets Competitive With Its TLDs, Offers Registrars New Wholesale Pricing

With a mission to make its top-level domains available to the broadest market possible, Boston Ivy has permanently reduced its registration, renewal and transfer prices for .Broker, .Forex, .Markets and .Trading. more»

Industry Updates – Sponsored Posts

Attacks Decrease by 23 Precent in 1st Quarter While Peak Attack Sizes Increase: DDoS Trends Report

Leading Internet Associations Strengthen Cooperation

Verisign Releases Q4 2016 DDoS Trends Report: 167% Increase in Average Peak Attack from 2015 to 2016

Verisign Q3 2016 DDoS Trends Report: User Datagram Protocol (UDP) Flood Attacks Continue to Dominate

2016 U.S. Election: An Internet Forecast

Government Guidance for Email Authentication Has Arrived in USA and UK

ValiMail Raises $12M for Its Email Authentication Service

Don't Gamble With Your DNS

Defending Against Layer 7 DDoS Attacks

Understanding the Risks of the Dark Web

New TLD? Make Sure It's Secure

Verisign Releases Q2 2016 DDoS Trends Report - Layer 7 DDoS Attacks a Growing Trend

How Savvy DDoS Attackers Are Using DNSSEC Against Us

Facilitating a Trusted Web Space for Financial Service Professionals

MarkMonitor Partners with CYREN to Deepen Visibility into Global Phishing Attacks

Verisign Named to the Online Trust Alliance's 2016 Honor Roll

Verisign Q1 2016 DDoS Trends: Attack Activity Increases 111 Percent Year Over Year

Is Your TLD Threat Mitigation Strategy up to Scratch?

i2Coalition to Host First Ever Smarter Internet Forum

Encrypting Inbound and Outbound Email Connections with PowerMTA