Continuing the recent proliferation of cases brought by consumers claiming various statutory and common law violations by companies involved in collecting and storing confidential personal information, the First Circuit recently has had an opportunity to consider the issue of whether consumers’ alleged damages were too speculative, and not reasonably foreseeable, to establish cognizable injuries. In Anderson v. Hannaford Bros., Co.,1 the court determined that plaintiffs could recover certain mitigation costs, such as the cost of procuring identity theft insurance, under negligence and implied contract claims under Maine law where there was evidence that data was misused to commit identity theft against at least some of the affected parties.
Anderson v. Hannaford Bros., Co.
In December of 2007, Internet hackers breached the electronic payment processing system of the Hannaford Brothers Company, a national grocer. Over a three month period, the hackers stole up to 4.2 million credit and debit card numbers, expiration dates, and security codes of Hannaford customers. By March 2008, Hannaford had received reports of approximately 1,800 cases of fraud resulting from the breach.
Twenty-six plaintiffs filed a consolidated lawsuit in the District of Maine alleging seven causes of action and various injuries, including the cost of replacement credit and debit cards, fees for overdrawn accounts, fees for altering pre-authorized payment arrangements, loss of accumulated reward points, inability to earn reward points, emotional distress, and time and effort spent monitoring accounts and reversing fraudulent transactions.
In response to a motion to dismiss, the district court dismissed four of the seven claims for failing to allege sufficient facts to state a basis for the claim. The remaining three claims—negligence, breach of an implied contract, and a violation of the Maine Unfair Trade Practices Act (UPTA)—were dismissed because the court determined that the plaintiffs’ injuries were “too unforeseeable and speculative to be cognizable under Maine law.”2
On appeal, the First Circuit affirmed the district court’s dismissal of all plaintiffs’ claims except those for negligence and breach of an implied contract. However, the most significant portion of the First Circuit’s opinion is that part where it reversed the district court’s ruling that all of plaintiffs alleged injuries were too speculative and not reasonably foreseeable, and therefore not cognizable under Maine law.
In analyzing plaintiffs’ injuries, the First Circuit focused its discussion on those damages properly categorized as mitigation costs. The First Circuit began by demonstrating that Maine courts limit recovery in cases of nonphysical harm by considering reasonable foreseeability and such relevant policy considerations as “societal expectations regarding behavior and individual responsibility in allocating risks and costs.”3 The court also noted that in the context of mitigation costs, Maine courts apply this principal to allow plaintiffs to recover costs incurred during a “‘reasonable effort to mitigate,’ regardless of whether the harm is nonphysical.”4 Finally, the court concluded that, under Maine law, plaintiffs need only demonstrate that their efforts to mitigate were reasonable, and that those efforts resulted in an actual legal injury, as opposed to mere time and energy expended.5
Noting that there is not a great deal of Maine law on the issue of the reasonableness of mitigation costs, the First Circuit turned to other courts for guidance. For example, the court cited a case that allowed recovery of mitigation costs when the only injury was financial in nature,6 a case that allowed recovery of costs to mitigate damages caused to property by a defective product even though recovery for the product itself was barred by the economic loss doctrine,7 and a case that found a plaintiff entitled to mitigate even when the need to mitigate was not yet entirely certain.8
Applying these concepts to the present case, the First Circuit determined that the plaintiffs’ costs for purchasing identity theft insurance and replacing credit and debit cards were reasonable efforts to mitigate and resulted in actual financial loss, a recoverable legal injury. Therefore, they were cognizable injuries under Maine law. In arriving at this conclusion, the court stressed that this case involved a global criminal operation by sophisticated thieves who clearly intended, and actually did, misuse customer data. The court also found it significant that some customers’ banks took independent actions to mitigate the risk of harm to their customers, reinforcing the reasonableness of the customers own efforts to mitigate.9
The First Circuit distinguished this case from other cases holding that mitigation costs, such as credit monitoring services, are not cognizable injuries in negligence claims. The court points out that most cases involved the theft, or mere loss, of computer equipment. However, the plaintiffs in those cases failed to allege that any third party had the desire or capability to access the data contained in the equipment, or that any of the victims had suffered actual fraudulent charges.10
The First Circuit also distinguished cases in which thieves gained access to consumer data, but where courts still declined to award mitigation costs because neither the plaintiffs, nor any similarly situated victims, actually incurred fraudulent charges.11 The First Circuit interpreted the logic of these cases to indicate that if a member of the putative class of victims actually experienced an event of identity theft, as was the case for Hannaford’s consumers, the courts would have reached different conclusions.12 Finally, the court concluded that plaintiffs’ mitigation costs were cognizable under the implied contract claim in spite of traditional limitations on contract damages barring recovery for mental or emotional distress because they represented actual financial loss.13
The First Circuit’s decision in Hannaford may open the door to negligence and implied contract claims in the data breach context in cases where the only alleged injury is the cost of mitigation. Though recognizing that mitigation costs may be too speculative an injury to be cognizable under certain circumstances, the decision suggests that when members of the class of plaintiffs have actually experienced fraudulent charges, the efforts to mitigate are reasonable because the threat of harm is real.
It will remain difficult to predict how the law will develop, as the First Circuit’s decision is specific to the circumstances presented by these particular plaintiffs. However, companies should consider amending their contracts to limit liability under negligence and implied contract claims. Additionally, companies should ensure that their systems comply with the various data protection requirements set out in state and federal regulations. This will reduce the likelihood of being found to have breached an applicable standard of care in the event of a security breach.