In yet another privacy class action addressing the question of whether data breach claimants have suffered legally cognizable damages, the First Circuit’s ruling in Anderson v. Hannaford Bros. Co., Nos. 10-2384, 10-2450 (1st Cir. Oct. 20, 2011), reversed the trial court’s dismissal of negligence and implied contract claims arising from a 2007 breach of Hannaford’s electronic payment processing system, which resulted in the theft of 4.2 million credit card and debit card numbers. The appeal concerned claims brought by plaintiffs who had not suffered fraud losses, but had incurred costs and expended effort to mitigate potential losses. In the trial court, Judge Brock Hornby of the District of Maine had ruled that such plaintiffs had stated viable claims for negligence and breach of an implied contractual duty to maintain the security of the stolen data. Judge Hornby found, however, that damages were not recoverable under Maine law for the cost and effort related to mitigation because such losses were too remote and not reasonably foreseeable as consequences of Hannaford’s alleged negligence and breach of contract. As a result, such claims were dismissed.
On appeal, plaintiffs argued that out-of-pocket mitigation costs (such as credit insurance and fees associated with new credit cards) were reasonably foreseeable expenses and, therefore, were legally cognizable damages. The First Circuit agreed that such damages were recoverable under Maine law. Maine permits recovery in negligence and contract for out-of-pocket mitigation costs where it is reasonable to incur such costs. In this particular case, the data theft was the result of a sophisticated criminal enterprise that had targeted the Hannaford system with the express purpose of obtaining credit card and debit card numbers in order to incur fraudulent charges. Therefore, the First Circuit deemed it reasonable for plaintiffs to expend money to purchase credit insurance or new credit cards. In so ruling the court distinguished other cases that had found such expenditures to be unreasonable in circumstances involving theft of laptops or other types of computer equipment, in which the loss of data was not associated with a deliberate attempt to perpetrate credit card fraud. In Hannaford, the First Circuit concluded that the explicit targeting of the payment system for purposes of using the credit and debit card numbers made it reasonable for plaintiffs to take steps to protect against such misuse. Although other cases had held that targeted theft of credit card data did not permit mitigation costs to be treated as cognizable damages, the First Circuit distinguished those cases on the ground that none involved allegations that any plaintiffs had suffered identity theft or actual misuse of credit card numbers, whereas plaintiffs allege that such misuse did occur in Hannaford and that the they were aware that it had occurred. Accordingly, the First Circuit reinstated the negligence and breach of implied contract claims asserted by the plaintiffs who had incurred out-of-pocket mitigation expenses.
As the opinion itself suggests, the First Circuit’s decision in Hannaford is contrary to other cases refusing to permit data breach claimants to seek mitigation damages. It is likely that data breach plaintiffs will seize on Hannaford’s distinction between targeted card number theft and other types of inadvertent data breaches as a means to advance class action data breach claims in cases involving targeted theft. The Hannaford decision also suggests that credit and debit card payment processors are at higher risk for facing viable class claims in the wake of a data breach, thus reinforcing the need for such entities to be especially vigilant about data security.