Until last week, most of us thought that the Hannaford Brothers data breach litigation was just another example of how Plaintiffs are not able to recover in class action lawsuits without proof of actual harm.
The Hannaford Brothers supermarket chain suffered a data breach between December, 2007 and March, 2008 where hackers accessed over 4M credit and debit card numbers. Several class action lawsuits were filed and combined. Consistent with several other prior data breach class action lawsuit decisions, U.S. District Court for the District of Maine Judge Hornby concluded that “[u]nder Maine law . . . if the negligence does not produce [a] completed direct financial loss and instead causes only collateral consequences—for example, the customer’s fear that a fraudulent transaction might happen in the future, the consumer’s expenditure of time and effort to protect the account, loss opportunities to earn reward points, or incidental expenses that the customer suffers in restoring the integrity of the previous account relationships—then the merchant is not liable.” Judge Hornby ultimately dismissed the claims brought by all customers except those who were not reimbursed for fraudulent charges.
Following his holding, and upon the request of the Plaintiffs, Judge Hornby certified two questions for review by the Maine Supreme Court. Significantly, Jude Hornby asked the Maine Supreme Court whether damages for “time and effort” expended to remediate future foreseeable harm, without proof of actual identity theft, are recoverable. The Maine Supreme court answered the question in the negative and followed the long line of cases that have reached the same conclusion.
Last Spring, in Claridge v. RockYou, Inc., (which we discussed here) we saw a California federal court allow a claim to move forward where a Plaintiff alleged that the value of his personal identifying information diminished because of the data breach. Many argued that the RockYou decision was the first indication that the pendulum was shifting in favor of Plaintiffs. Significantly, however, the RockYou court doubted that Plaintiff would ultimately be able to prove a tangible harm. Last week, however, the First Circuit’s opinion in the Hannaford appeal startled even more people and the chatter about the tide turning in favor of Plaintiffs grew louder. The First Circuit has concluded that reasonable out-of-pocket expenses necessary to mitigate future harm, such as replacement card costs and identity theft insurance, are indeed recoverable. The holding squarely fits into the “fear of harm” theories that have been presented and rejected many times in the past. Before the Plaintiffs’ bar gets too excited about this decision, the First Circuit’s opinion should be read carefully because the court distinguishes this case from others where there was no proof of misuse of the information stolen. In the Hannaford breach, the thieves were sophisticated, the information was targeted, and over 1,800 credit card and debit card accounts experienced fraudulent activity related to the breach. Indeed, the First Circuit rejected some of the damages claims, including loss of reward points or fees for pre-authorization changes, because those types of damages are not foreseeable. Although the decision may seem like we are opening the door to additional lawsuits, and perhaps we are, Plaintiffs will still face the same challenges they have in the past because most breaches do not result in the misuse of the information involved.
Organizations should still take data security issues seriously because even if no class action lawsuit follows a breach, the expense and effort required to respond to a data breach can be staggering. Moreover, we are now seeing increased opportunities for a class action lawsuit to reach the discovery phase where organizations will be tested for their vigilance in using best practices to prevent, and respond to, a data breach.