The First Circuit has held that consumer claims for reimbursement of the cost of identity theft insurance and of fees for replacement of credit and debit cards following a breach of their personal information can be a cognizable injury under certain circumstances, at least under Maine law. In issuing its decision on October 20, 2011 in Anderson v. Hannaford Bros. Co., the U.S. Court of Appeals for the First Circuit overturned, in part, a district court opinion that had dismissed each of the seven claims brought against Hannaford Brothers Co., a grocery chain, by a group of its customers. Plaintiffs asserted claims after learning that hackers had breached Hannaford’s electronic payment processing system, stealing customer credit and debit card numbers.

Previously, the United States District Court of Maine had entered judgment in favor of Hannaford dismissing all claims, finding that plaintiffs failed to state a claim for breach of fiduciary duty, breach of implied warranty, strict liability, and failure to notify customers of the data breach, and also finding that the damages sought by plaintiffs for breach of implied contract, negligence and violation of unfair business practices (pursuant to the Maine Unfair Trade Practices Act) were too speculative and unforeseeable to be cognizable under Maine law. See In re Hannaford Bros. Co. Customer Sec. Breach Litig., 613 F. Supp. 2d 108 (D. Me. 2009).

On appeal, the First Circuit held that mitigation damages that flow from negligence and breach of implied contract claims can be cognizable under Maine law, if they are “reasonably foreseeable” and “reasonable,” and are for actual financial losses rather than just time or effort expended.

Background Facts

Hannaford – a popular grocery store chain – reportedly had its electronic payment processing system breached by hackers who stole up to 4.2 million credit and debit card numbers, with expiration dates and security codes, but not customer names. When Hannaford made a public announcement about the unfortunate situation, it also announced that it had received approximately 1,800 reports of fraudulent credit and debit card activity. Financial institutions allegedly responded in a variety of ways, including cancelling/reissuing customer cards and monitoring at-risk accounts for unusual activity; however, some of these institutions reportedly assessed fees on the consumers for such services. Additionally, some consumers elected to take further precautions by purchasing identity theft insurance and/or credit monitoring services. These fees and services were among the damages claimed by plaintiffs in this lawsuit against Hannaford, which also included allegations of loss of accumulated miles reward points, inability to earn reward points, emotional distress, and the time and effort spent dealing with the situation.

The procedural history of the case prior to this appeal included the certification to the Maine Supreme Judicial Court of the question of whether, in the absence of physical harm, economic loss or identity theft, the time and effort spent in a reasonable effort to avoid or remediate a reasonably foreseeable harm could constitute a cognizable injury for which damages may be recovered under Maine law of negligence and/or implied contract. The Maine Supreme Judicial Court answered that question in the negative: time and effort alone were held not to be compensable harm under Maine law.

Appeal

The focus of the First Circuit’s opinion was whether the mitigation damages alleged by plaintiffs for negligence and breach of implied contract could be considered a cognizable injury under Maine law. Indeed, the First Circuit affirmed the lower court’s dismissal of the remaining claims (breach of fiduciary duty and unfair business practices). However, the First Circuit found that the District Court had erred in summarily dismissing the claims for negligence and breach of implied contract. In doing so, the First Circuit held that certain categories of costs incurred by the plaintiffs were “reasonably foreseeable mitigation costs” and thus constitute a cognizable harm under Maine law.

However, the Court also explained that not all mitigation costs in all circumstances would be recoverable. Plaintiffs need to show that the efforts to mitigate were reasonable, and that those efforts constitute a legal injury “such as actual money lost, rather than time or effort expended.” The Court noted that whether a mitigation cost is “reasonable” is a “contextual question.” On a motion to dismiss a complaint, the court reviews the context and facts in the light most favorable to the plaintiffs.

Ultimately, the inquiry in this case became whether plaintiffs’ mitigation steps were reasonable, which required fact-specific consideration by the Court. In conducting its analysis, the Court distinguished breaches involving inadvertently misplaced or lost data that has not been accessed or misused by third parties from a large-scale criminal operation in which credit and debit card information was deliberately taken by sophisticated thieves intending to use the information to their financial advantage. Applying the facts at hand, the Court noted that there had been reported actual misuse of the stolen information, and that misuse was apparently global in reach. Because the theft resulted in thousands of improper charges to the customers, “[t]he card owners were not merely exposed to a hypothetical risk, but to a real risk of misuse.” The Court also noted that there was no suggestion that there was any way to predict which customers’ accounts were at risk for improper charges. Thus, the Court held that “it reasonably appeared that all Hannaford customers to have used credit or debit cards during the class period were at risk of unauthorized charges.” The Court noted that “the test for mitigation is not hindsight.” Rather, it is foreseeability and reasonableness.

Accordingly, the Court found it was foreseeable, “on these facts,” that, upon learning that their credit or debit cards may have been compromised, customers would replace their cards to mitigate against unauthorized charges or other misuse. Similarly, it held that it was foreseeable that customers who actually experienced unauthorized charges would reasonably purchase insurance to protect against the consequences of further misuse.

However, the Court was also careful to note that “the principle of reasonableness” imposes a boundary on recovery of costs by claimants. It noted, by way of example, that where neither the plaintiff nor those similarly situated have experienced fraudulent charges resulting from theft or loss of data, the purchase of credit monitoring services may be unreasonable and not recoverable. The Court also affirmed the district court’s determination that there can be situations in which there is no foreseeable loss as a matter of law. Thus, the Court upheld the district court’s finding that damages such as loss of award points and change fees for pre-authorized credit transactions are not foreseeable and thus not compensable.

The First Circuit decision allows claimants to avoid, or at least postpone, the early dismissal of their complaints. However, the First Circuit still requires actual financial damages that are both foreseeable and reasonable in the particular context in issue, and recognized that, at least under Maine law, time and effort spent to remediate do not alone, without financial loss, constitute a cognizable injury.