A ‘massive’ data breach occurred at Hannaford Bros supermarkets over a 3-month period in 2007-08, resulting in the theft of customer financial information. Class proceedings were initiated, but a Maine judge has recently declined to certify the action, which sought recovery of costs incurred in obtaining new credit and debit cards, identity theft insurance and credit monitoring: In re Hannaford Bros Co Customer Data Security Breach Litigation (D Me, 20 March 2013).
Hornby J of the district court thought that based on the number of Hannaford customers who applied for replacement cards during the relevant period, the proposed class probably met the ‘numerosity’ requirement (even if not all replacement applications were necessarily related to the data breach). This was an appropriate case for class proceedings because the very small amounts being sought by any single customer would not make individual actions worthwhile — although the judge was clearly concerned that the only people who really stood to gain from the litigation were the plaintiffs’ lawyers, any ‘modest measure of corporate deterrence’ notwithstanding. The commonality requirement was also satisfied: even though it wasn’t clear whether Hannaford’s liability might be for negligence or breach of contract, or whether its actions were the cause of loss, it was clear that all class members had the same case to make. Where things broke down for the plaintiffs was when the judge considered the economic effects of the data breach. While all appeared to have suffered some loss as a result of it, not everyone responded in the same way: some had fraudulent charges to their accounts while others did not; only some bought insurance or credit monitoring; not all paid fees for obtaining or expediting delivery of new cards. It could be said that all members of the class had been required to mitigate loss as a result of the data breach, but in the end individual issues of causation and loss would predominate over class issues.