Home / Blogs

Hannaford Data Breach Plaintiffs Rebuffed in Maine

Venkat Balasubramani

A US District Judge in Maine largely granted a motion to dismiss brought by Hannaford in a big data breach case:

A customers uses a credit or debit card to buy groceries. A third party steals the electronic payment data from the grocer. Can the customer them recover from the grocer any loss resulting from third-party data theft?

Short answer - only if there is actual identity theft or unauthorized charges (which are not covered by the credit card company). Access the order here [PDF]. H/t Threat Level.)

Background: According to the court, around March 2008, third parties stole up to 4.2 million debit and credit card numbers, expiration dates, security codes, PIN numbers, and other information relating to cardholders "who had used debit cards and credit cards to transact purchases at supermarkets owned or operated by Hannaford." Visa notified Hannaford in late February 2008. Hannaford discovered the actual breach on March 8, 2008, notified financial institutions on March 10, and the public on March 17.

The Court's Ruling: The court runs through numerous different bases for recovery, ranging from breach of implied contract to implied warranty, breach of duty of confidentiality, strict liability, and negligence. The key conclusion starts on page 30 of the court's 39 page order when the court talks about whether plaintiffs have suffered any cognizable injuries. Here the court splits the plaintiffs up into categories. The first category consists of plaintiffs who have not had any fraudulent charges posted on their accounts. They are out of luck. (Footnote 128 contains a nice listing of recent data breach cases which arrive at the same conclusion — no out of pocket loss >> no recovery.) Not surprisingly, the court concludes that emotional damages are not recoverable in this context. The second category consists of plaintiffs who have had fraudulent charges that have not been reversed or reimbursed. These plaintiffs may recover. The third category consists of plaintiffs who had fraudulent charges which were ultimately reversed. These plaintiffs tried to argue that they had suffered damages in addition to the unauthorized charges (rewards points, time spent tracking down the banks, overdraft charges, and the cost of identity theft insurance). These plaintiffs are out of luck. Somewhat surprisingly, the court rules that overdraft charges arising from a data breach are not "reasonably foreseeable at the time of the point-of-sale transaction." Finally, the court also denies the request for injunctive relief which sought more precise disclosure of the data that was compromised.

Thoughts: A largely expected result, given the slew of cases in the past few years which hold that data breach plaintiffs cannot recover absent actual loss. (The cases all look to state law, although they are in federal court due to diversity or Class Action Fairness Act jurisdiction.) Maine has a data breach notification statute in place, but plaintiffs did not allege that Hannaford violated this statute (and the statute did not seem to allow for a private cause of action anyway). There wasn't much discussion of free credit report monitoring. It's unclear from an initial read as to whether Hannaford offered this or whether plaintiffs requested it. (The court does expressly reject increased identity theft insurance premiums as a category of compensable damages.) At the end of the decision the court speculates, but "make[s] no judgment on whether the Maine Legislature or Congress should act to provide more protection for consumers." Finally, in a footnote, the court notes that it's unclear at this point whether plaintiffs can satisfy the jurisdictional requirements for the class action fairness act.

Reg Z?: I'm surprised about one thing. I didn't see much discussion of the rules (I think known as "Reg Z") which govern when credit card companies are required to reverse unauthorized charges. These rules speak to when customers can initiate "charge backs" and how card issuers and merchants should deal with customer chargebacks. (They actually set limits on when customers can be held liable for unauthorized charges.) They would have some bearing — I would think — on whether the customer bears the loss of unauthorized transactions and whether card companies have to eat the loss?

Either way, expect this decision to add fuel to the data breach legislation fire.

By Venkat Balasubramani, Tech-Internet Lawyer at Focal PLLC. Follow Venkat on Twitter here.

Related topics: Cybercrime, Data Center, Law, Security

WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:

Comments

To post comments, please login or create an account.

Related Blogs

Related News

Topics

Industry Updates – Sponsored Posts

New gTLDs and Best Practices for Domain Management Policies (Video)

Nominum Announces Future Ready DNS

New from Verisign Labs - Measuring Privacy Disclosures in URL Query Strings

DotConnectAfrica Delegates Attend the Kenya Internet Governance Forum

3 Questions to Ask Your DNS Host about Lowering DDoS Risks

Continuing to Work in the Public Interest

Verisign Named to the OTA's 2014 Online Trust Honor Roll

4 Minutes Vs. 4 Hours: A Responder Explains Emergency DDoS Mitigation

Dyn Acquires Internet Intelligence Company, Renesys

Tips to Address New FFIEC DDoS Requirements

Smokescreening: Data Theft Makes DDoS More Dangerous

dotStrategy Selects Neustar's Registry Threat Mitigation Services for .BUZZ Registry

24 Million Home Routers Expose ISPs to Massive DNS-Based DDoS Attacks

What Does a DDoS Attack Look Like? (Watch First 3 Minutes of an Actual Attack)

Joining Forces to Advance Protection Against Growing Diversity of DDoS Attacks

Why Managed DNS Means Secure DNS

Rodney Joffe on Why DNS Has Become a Favorite Attack Vector

Motivated to Solve Problems at Verisign

Diversity, Openness and vBSDcon 2013

Neustar's Proposal for New gTLD Collision Risk Mitigation

Sponsored Topics