In a departure from the recent trend of courts refusing to allow data breach claimants to seek mitigation damages, the First Circuit recently held in Anderson v. Hannaford Bros. Co. that credit and debit card payment processors may be held liable for mitigation damages in the wake of targeted card-number theft by a criminal enterprise. In Hannaford, the appeals court reversed a decision below that dismissed negligence and implied contract claims arising out of a 2007 breach of grocer Hannaford’s electronic payment processing system, which resulted in the theft of 4.2 million credit and debit card numbers. The First Circuit’s decision suggests credit and debit card payment processors may be at a higher risk than previously thought of facing viable class action claims in the wake of data breaches.
The First Circuit’s decision arose out of an appeal that reviewed claims by plaintiffs who had not suffered fraud losses, but incurred costs and expended efforts in an attempt to mitigate potential losses. The trial court had found that while those plaintiffs had stated viable claims for negligence and breach of an implied contractual duty to maintain the security of the data that had been stolen, damages were not recoverable under Maine law, because the losses were too remote and not reasonably foreseeable as consequences of Hannaford’s alleged negligence and breach of contract.
The First Circuit reversed the dismissal of the negligence and breach of contract claims. Plaintiffs argued that out-of-pocket mitigation costs they incurred were reasonably foreseeable expenses, and thus, legally cognizable damages. The First Circuit agreed such costs were recoverable under Maine law, which permits recovery in negligence and contract actions for out-of-pocket mitigation costs where it is reasonable to incur such costs. In this particular case, the data theft was the result of a sophisticated criminal enterprise that targeted the Hannaford system with the express intent to obtain card numbers in order to make fraudulent charges. Members of the criminal enterprise ran up thousands of improper charges to customers’ accounts. Therefore, it was foreseeable that customers, knowing their credit or debit card data had been compromised, and that fraudulent charges had resulted from the security breach, would take steps to protect against misuse of the card data.
This distinguished the case, the First Circuit held, from prior cases holding that targeted thefts of credit card data did not permit mitigation costs to be treated as cognizable damages. Whereas none of those cases involved allegations that any plaintiff had suffered identity theft or actual misuse of credit card numbers, the Hannaford plaintiffs alleged such misuse did occur, and that they were aware it had occurred. This may ultimately set up a dichotomy vis-à-vis whether liability lies and/or damages are available between cases involving targeted credit card theft resulting in fraudulent charges that account-holders learn about and react to, versus inadvertent or other types of more generic data breaches. But in any case, Hannaford serves as a valuable reminder that all companies that have access to sensitive consumer information should be diligent in their data security efforts.