Home / Blogs

Hannaford Data Breach Plaintiffs Rebuffed in Maine

Venkat Balasubramani

A US District Judge in Maine largely granted a motion to dismiss brought by Hannaford in a big data breach case:

A customers uses a credit or debit card to buy groceries. A third party steals the electronic payment data from the grocer. Can the customer them recover from the grocer any loss resulting from third-party data theft?

Short answer - only if there is actual identity theft or unauthorized charges (which are not covered by the credit card company). Access the order here [PDF]. H/t Threat Level.)

Background: According to the court, around March 2008, third parties stole up to 4.2 million debit and credit card numbers, expiration dates, security codes, PIN numbers, and other information relating to cardholders "who had used debit cards and credit cards to transact purchases at supermarkets owned or operated by Hannaford." Visa notified Hannaford in late February 2008. Hannaford discovered the actual breach on March 8, 2008, notified financial institutions on March 10, and the public on March 17.

The Court's Ruling: The court runs through numerous different bases for recovery, ranging from breach of implied contract to implied warranty, breach of duty of confidentiality, strict liability, and negligence. The key conclusion starts on page 30 of the court's 39 page order when the court talks about whether plaintiffs have suffered any cognizable injuries. Here the court splits the plaintiffs up into categories. The first category consists of plaintiffs who have not had any fraudulent charges posted on their accounts. They are out of luck. (Footnote 128 contains a nice listing of recent data breach cases which arrive at the same conclusion — no out of pocket loss >> no recovery.) Not surprisingly, the court concludes that emotional damages are not recoverable in this context. The second category consists of plaintiffs who have had fraudulent charges that have not been reversed or reimbursed. These plaintiffs may recover. The third category consists of plaintiffs who had fraudulent charges which were ultimately reversed. These plaintiffs tried to argue that they had suffered damages in addition to the unauthorized charges (rewards points, time spent tracking down the banks, overdraft charges, and the cost of identity theft insurance). These plaintiffs are out of luck. Somewhat surprisingly, the court rules that overdraft charges arising from a data breach are not "reasonably foreseeable at the time of the point-of-sale transaction." Finally, the court also denies the request for injunctive relief which sought more precise disclosure of the data that was compromised.

Thoughts: A largely expected result, given the slew of cases in the past few years which hold that data breach plaintiffs cannot recover absent actual loss. (The cases all look to state law, although they are in federal court due to diversity or Class Action Fairness Act jurisdiction.) Maine has a data breach notification statute in place, but plaintiffs did not allege that Hannaford violated this statute (and the statute did not seem to allow for a private cause of action anyway). There wasn't much discussion of free credit report monitoring. It's unclear from an initial read as to whether Hannaford offered this or whether plaintiffs requested it. (The court does expressly reject increased identity theft insurance premiums as a category of compensable damages.) At the end of the decision the court speculates, but "make[s] no judgment on whether the Maine Legislature or Congress should act to provide more protection for consumers." Finally, in a footnote, the court notes that it's unclear at this point whether plaintiffs can satisfy the jurisdictional requirements for the class action fairness act.

Reg Z?: I'm surprised about one thing. I didn't see much discussion of the rules (I think known as "Reg Z") which govern when credit card companies are required to reverse unauthorized charges. These rules speak to when customers can initiate "charge backs" and how card issuers and merchants should deal with customer chargebacks. (They actually set limits on when customers can be held liable for unauthorized charges.) They would have some bearing — I would think — on whether the customer bears the loss of unauthorized transactions and whether card companies have to eat the loss?

Either way, expect this decision to add fuel to the data breach legislation fire.

By Venkat Balasubramani, Tech-Internet Lawyer at Focal PLLC. Follow Venkat on Twitter here.

Related topics: Cybercrime, Data Center, Law, Security

 
   
WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:

Comments

To post comments, please login or create an account.

Related Blogs

Related News

Explore Topics

Industry Updates – Sponsored Posts

MarkMonitor Partners with CYREN to Deepen Visibility into Global Phishing Attacks

Verisign Named to the Online Trust Alliance's 2016 Honor Roll

Verisign Q1 2016 DDoS Trends: Attack Activity Increases 111 Percent Year Over Year

Is Your TLD Threat Mitigation Strategy up to Scratch?

i2Coalition to Host First Ever Smarter Internet Forum

Encrypting Inbound and Outbound Email Connections with PowerMTA

US Court Grants DCA Trust's Motion for Preliminary Injunction on .Africa gTLD

Resilient Cybersecurity: Dealing with On-Premise, Cloud-Based and Hybrid Security Complexities

Verisign Releases Q4 2015 DDoS Trends - DDoS Attack Activity Increasing by 85% Year Over Year

Best Practices from Verizon - Proactively Mitigating Emerging Fraudulent Activities

Neustar Data Identifies Most Popular Times of Year for DDoS Attacks in 2015

The Framework for Resilient Cybersecurity (Webinar)

2015 Trends: Multi-channel, Streaming Media and the Growth of Fraud

Data Volumes and Network Stress to Be Top IoT Concerns

DKIM for ESPs: The Struggle of Living Up to the Ideal

Verisign Mitigates More Attack Activity in Q3 2015 Than Any Other Quarter During Last Two Years

Verisign & Forrester Webinar: Defending Against Cyber Threats in Complex Hybrid-Cloud Environments

Dyn Evolves Internet Performance Space with Launch of Internet Intelligence

Introducing Verisign Public DNS: A Free Recursive DNS Service That Respects Your Privacy

Faster DDoS Mitigation - Introducing Verisign OpenHybrid Customer Activated Mitigation

Sponsored Topics

Port25

Email

Sponsored by
Port25
Afilias

DNS Security

Sponsored by
Afilias
Afilias - Mobile & Web Services

Mobile

Sponsored by
Afilias - Mobile & Web Services
Verisign

Security

Sponsored by
Verisign