Home / Blogs

Hannaford Data Breach Plaintiffs Rebuffed in Maine

Venkat Balasubramani

A US District Judge in Maine largely granted a motion to dismiss brought by Hannaford in a big data breach case:

A customers uses a credit or debit card to buy groceries. A third party steals the electronic payment data from the grocer. Can the customer them recover from the grocer any loss resulting from third-party data theft?

Short answer - only if there is actual identity theft or unauthorized charges (which are not covered by the credit card company). Access the order here [PDF]. H/t Threat Level.)

Background: According to the court, around March 2008, third parties stole up to 4.2 million debit and credit card numbers, expiration dates, security codes, PIN numbers, and other information relating to cardholders "who had used debit cards and credit cards to transact purchases at supermarkets owned or operated by Hannaford." Visa notified Hannaford in late February 2008. Hannaford discovered the actual breach on March 8, 2008, notified financial institutions on March 10, and the public on March 17.

The Court's Ruling: The court runs through numerous different bases for recovery, ranging from breach of implied contract to implied warranty, breach of duty of confidentiality, strict liability, and negligence. The key conclusion starts on page 30 of the court's 39 page order when the court talks about whether plaintiffs have suffered any cognizable injuries. Here the court splits the plaintiffs up into categories. The first category consists of plaintiffs who have not had any fraudulent charges posted on their accounts. They are out of luck. (Footnote 128 contains a nice listing of recent data breach cases which arrive at the same conclusion — no out of pocket loss >> no recovery.) Not surprisingly, the court concludes that emotional damages are not recoverable in this context. The second category consists of plaintiffs who have had fraudulent charges that have not been reversed or reimbursed. These plaintiffs may recover. The third category consists of plaintiffs who had fraudulent charges which were ultimately reversed. These plaintiffs tried to argue that they had suffered damages in addition to the unauthorized charges (rewards points, time spent tracking down the banks, overdraft charges, and the cost of identity theft insurance). These plaintiffs are out of luck. Somewhat surprisingly, the court rules that overdraft charges arising from a data breach are not "reasonably foreseeable at the time of the point-of-sale transaction." Finally, the court also denies the request for injunctive relief which sought more precise disclosure of the data that was compromised.

Thoughts: A largely expected result, given the slew of cases in the past few years which hold that data breach plaintiffs cannot recover absent actual loss. (The cases all look to state law, although they are in federal court due to diversity or Class Action Fairness Act jurisdiction.) Maine has a data breach notification statute in place, but plaintiffs did not allege that Hannaford violated this statute (and the statute did not seem to allow for a private cause of action anyway). There wasn't much discussion of free credit report monitoring. It's unclear from an initial read as to whether Hannaford offered this or whether plaintiffs requested it. (The court does expressly reject increased identity theft insurance premiums as a category of compensable damages.) At the end of the decision the court speculates, but "make[s] no judgment on whether the Maine Legislature or Congress should act to provide more protection for consumers." Finally, in a footnote, the court notes that it's unclear at this point whether plaintiffs can satisfy the jurisdictional requirements for the class action fairness act.

Reg Z?: I'm surprised about one thing. I didn't see much discussion of the rules (I think known as "Reg Z") which govern when credit card companies are required to reverse unauthorized charges. These rules speak to when customers can initiate "charge backs" and how card issuers and merchants should deal with customer chargebacks. (They actually set limits on when customers can be held liable for unauthorized charges.) They would have some bearing — I would think — on whether the customer bears the loss of unauthorized transactions and whether card companies have to eat the loss?

Either way, expect this decision to add fuel to the data breach legislation fire.

By Venkat Balasubramani, Tech-Internet Lawyer at Focal PLLC. Follow Venkat on Twitter here.

Related topics: Cybercrime, Data Center, Law, Security

WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:


To post comments, please login or create an account.

Related Blogs

The Emotional Cost of Cybercrime

Why I Wrote 'Thinking Security'

Regulation and Reason

In Network Security Design, It's About the Users

Zero Rating, a Poisoned Chalice for the Developing World

Related News


Industry Updates – Sponsored Posts

Verisign Mitigates More Attack Activity in Q3 2015 Than Any Other Quarter During Last Two Years

Verisign & Forrester Webinar: Defending Against Cyber Threats in Complex Hybrid-Cloud Environments

Dyn Evolves Internet Performance Space with Launch of Internet Intelligence

Introducing Verisign Public DNS: A Free Recursive DNS Service That Respects Your Privacy

Faster DDoS Mitigation - Introducing Verisign OpenHybrid Customer Activated Mitigation

Verisign's Q2'15 DDoS Trends: DDoS for Bitcoin Increasingly Targets Financial Industry

Protect Your Network From BYOD Malware Threats With The Verisign DNS Firewall

Announcing Verisign IntelGraph: Unprecedented Context for Cybersecurity Intelligence

The Deep Web and the Darknet - The Nether Regions of the Internet

Introducing the Verisign DNS Firewall

TLD Security, Spec 11 and Business Implications

Verisign Named to the Online Trust Alliance's 2015 Honor Roll

3 Key Steps for SMBs to Protect Their Website and Critical Internet Services

Key Considerations for Selecting a Managed DNS Provider

Verisign Mitigates More DDoS Attacks in Q1 2015 than Any Quarter in 2014

Verisign OpenHybrid for Corero and Amazon Web Services Now Available

Afilias Supports the CrypTech Project - Ambitious Hardware Encryption Effort to Protect User Privacy

Public Sector Experiences Largest Increase in DDoS Attacks (Verisign's Q4 2014 DDoS Trends)

Help Ensure the Availability and Security of Your Enterprise DNS with Verisign Recursive DNS

Verisign iDefense 2015 Cyber-Threats and Trends

Sponsored Topics