Last month, the United States District Court for the District of Maine certified a question of law to the Supreme Judicial Court of Maine regarding the issue of what constitutes cognizable injury to a consumer in a case stemming from the alleged theft of credit card data, a question of great signficance in the relatively new field of data security law. In re Hannaford Bros. Co. Data Security Breach Litigation, MDL Docket No. 2:08-MD-1954 (D.Me., Oct. 5, 2009).
The Hannaford case resulted from a reported theft of credit card data from a chain of grocery stores. More than two dozen class action lawsuits were brought against the owner of the grocery stores in a variety of state and federal courts; the federal cases were consolidated in the District of Maine. In May of this year, the federal court dismissed the class action, preserving the case as to only one named plaintiff who asserted she had to pay fraudulent charges (other consumer plaintiffs did not claim they had to pay the fraudulent charges). In that May decision, the District Court held under Maine law, consumers whose payment data are stolen can recover against the merchant only if the merchant’s negligence caused a direct loss to the consumer’s account, and other alleged injuries were “collateral consequences” for which the merchant is not liable.
However, on a motion for reconsideration brought by the plaintiffs, the federal court agreed to certify the question regarding cognizable injury to Maine’s highest court. The federal court explained that Maine law is uncertain on the issue. The text of the certified question is as follows:
Do time and effort alone, spent in a reasonable effort to avert reasonably foreseeable harm, constitute a cognizable injury under Maine common law?
Subsequent to the federal court’s Decision and Order, both the plaintiffs and the defendants filed briefs requesting that the text of the certified question be modified.