A federal appeals court has held in a recent case that consumers whose credit and debit card data was allegedly stolen when a national grocery store chain’s electronic payment processing system was breached may move forward with a lawsuit against the grocery store chain. The October 20 ruling from the U.S. Court of Appeals for the First Circuit held that the consumers had adequately stated claims under Maine law for negligence and breach of implied contract, and that those claims may proceed. The court affirmed the lower court’s rulings that the grocery store chain did not owe a fiduciary duty to maintain the confidentiality of payment card data and that the consumers failed to adequately state a claim under a state consumer protection law. The lower court had also held that the consumers adequately alleged that the grocery store chain negligently failed to take reasonable care to protect the payment card data, and that a jury could find an implied contract between the consumers and the grocery store chain under which the grocer would take reasonable measures to protect that data. However, the lower court had concluded that the consumers’ alleged injuries for negligence and breach of implied contract were too unforeseeable. The appeals court disagreed, holding that it was reasonably foreseeable that consumers who learned their payment card data had been stolen would replace the cards to mitigate the risk of misuse, thereby incurring replacement costs, and would purchase credit monitoring services and identity theft insurance.

     Nutter Notes: The case is significant because, among other reasons, many banks’ agreements with data processing vendors obligate the bank to indemnify the vendor for liability the vendor may suffer to third parties including the bank’s customers (for example, arising out of a data security breach by the vendor) even in circumstances where the vendor is negligent and the bank is not. If a consumer action were brought against a data processing company following a data security breach similar to the one at issue in this case, banks could be exposed to liability even though the banks themselves might not be at fault. It was widely reported that the data security breach at issue in this case affected up to 4.2 million cards used at the grocery store chain in New England and in Florida, and that many financial institutions reissued credit and debit cards to affected consumers whether or not there was evidence of actual fraudulent use of the payment card data. The fact that many financial institutions reissued payment cards to affected customers to mitigate losses in the absence of evidence of actual fraud was viewed by the appeals court as evidence that it was reasonable for consumers to replace compromised payment cards even if the card issuer did not immediately do so. In this case, over 1,800 fraudulent charges had been identified by the time the grocery store chain publicly disclosed the breach, and the court found that consumers could reasonably expect that more fraudulent charges would follow.