In a recent opinion in the Hannaford Brothers Co. Customer Data Security Breach Litigation (MDL-1954), U.S. District Court Judge D. Brock Hornby asked Maine's highest court to weigh in on the types of damages that may be recovered by consumers affected by a security breach. Judge Hornby earlier had ruled that most class members in the case could not prove recoverable damages, because those individuals received refunds of all fraudulent charges incurred following the breach. In October, however, Judge Hornby granted in part the plaintiffs' motion for reconsideration and certified a question regarding the extent of damages recoverable as compensation for victims' time spent dealing with the aftermath of a security breach.
The Hannaford case is the multi-district consolidation of some 25 class action complaints that were filed following Hannaford's announcement of a breach of the security of certain customer data. The breach compromised the account information of customers from an interstate chain of more than 300 supermarkets, including more than 4.2 million consumer credit and debit account numbers, authorizations and expiration dates.
Early in the case, Hannaford moved to dismiss the consolidated class action complaint. In a 39-page opinion issued on May 12, 2009, Judge Hornby ruled that the only plaintiffs who could proceed were those who were not reimbursed for fraudulent charges following the breach. The other plaintiffs, the court concluded, could not state a claim for damages because they could not show any actual or substantial loss of money or property. As a practical matter, this ruling all but ended the case, because all the claims of all plaintiffs were dismissed except for one, a customer who claimed to suffer from fraudulent charges that her bank would not reimburse.
While delivering a major blow to the plaintiffs, Judge Hornby's opinion left the door open for a potential challenge to certain aspects of his ruling. Specifically, Judge Hornby noted in footnote 151 that his "ruling deals with several questions of Maine law on which the Maine Law Court has not yet had the opportunity to give an opinion," and indicated that he would consider a motion to certify certain issues to that court for an opinion.
Accepting this invitation, the plaintiffs filed a Motion for Reconsideration and Certification requesting certification of four questions to the Maine Supreme Judicial Court: (1) whether Maine law recognizes an implied contractual obligation on the part of Hannaford to strictly (or with more than ordinary care) maintain the confidentiality and security of customer account information; (2) whether Maine law would recognize a claim for breach of a confidential relationship by Hannaford; (3) whether out-of-pocket expenses, charges incurred, premiums lost, and time and effort expended to remediate fraudulent charges were compensable under Maine law; and (4) whether Hannaford may be liable for violations of the Maine Unfair and Deceptive Trade Practices Act, and the extent of damages that may be imposed for such violations.
Judge Hornby rejected the majority of the plaintiffs' certification requests, noting that, if certified, the questions would result in the state's highest court reviewing a federal district court's rulings in an appellate fashion-something wholly outside the intended role of certification. The court ultimately concluded that only one question raised an uncertainty under Maine law that was potentially determinative to the action: whether the time and effort spent mitigating or averting harm is alone sufficient to recover damages. The court noted that Maine courts have not opined on this issue and that state law is uncertain as to whether claimed damages for lost time and effort are recoverable. A Massachusetts appellate court has held that such damages may be recovered under similar circumstances, but other courts have reached opposite conclusions. In light of the absence of specific Maine law and the split of foreign authority on the issue, the court determined that it was appropriate to certify the question "Do time and effort alone, spent in a reasonable effort to avert reasonably foreseeable harm, constitute a cognizable injury under Maine common law?" (This phrasing may be modified; the parties have filed requests that the court modify the wording of the certified question.) Judge Hornby noted that if the Maine court's "answer to the certified question on the cognizable harm issue favors the plaintiffs, the plaintiffs will have both a negligence claim and an implied contract claim."
Limited Scope of Potential Recovery
Although the court granted the plaintiffs' motion in part, Judge Hornby's opinion made clear that the scope of the certified question was narrow, and that the court stood by its earlier holdings regarding the unavailability of many of the damages claimed by plaintiffs. Damages claimed for temporary loss of access to funds or credit and damages for annoyances and embarrassment (caused, for example, by cancelled reservations or being forced to obtain a family loan) were too speculative to be recovered. Similarly, damages for bank fees or loan interest incurred when customers changed bill-paying arrangements, and the loss of reward points, were too remote and unforeseeable to be available as damages. Finally, expenses incurred for remedial activity that was arguably unnecessary-for example, fees incurred in opening a new bank account when the bank said the new account was not necessary, or fees spent on the purchase of identity theft insurance when the stolen data did not include personally identifying information-also were not reasonably foreseeable or recoverable as damages. Maine law regarding the recovery of speculative damages, the court stressed, provided sufficient clarity on these issues.
A Remedy for Breach Victims?
In his May 12 ruling, Judge Hornby correctly noted that "the cases...are almost uniform in not allowing recovery where there is only a risk of injury and no actual misuse of the stolen electronic data." Indeed, many courts that have considered the extent of damages recoverable by victims of a security breach have rejected the claims of plaintiffs who fail to show how they are monetarily affected by a breach. In asking Maine's highest court to address whether time spent dealing with the aftereffects of a security breach constitutes compensable harm under state law, the Hannaford court has provided an opportunity for a focused consideration of an issue that frequently arises in security breach cases. If the Maine Supreme Judicial Court determines that such damages may be compensable, companies may face liability for damage claims that previously were unsuccessful. This is a case to watch, because, especially in the context of class actions, the cumulative exposure for "time and effort" damages could be very substantial.