A business could be liable for the “reasonably foreseeable” costs incurred by customers who sought to mitigate the hacking of their credit and debit card numbers, the First Circuit has ruled.

Hackers breached the electronic payment processing system of the Hannaford Brothers grocery store chain in 2007 and obtained the credit and debit card numbers of an estimated 4.2 million customers.

Twenty-six separate class actions against the chain were consolidated, with groups of plaintiffs alleging various types of damages. Some sought reimbursement for the costs associated with credit monitoring, for the amount of replacement card fees or the costs of obtaining a new card, for their inability to earn reward points during the transition, for emotional distress, and for the time and effort spent reversing unauthorized charges and protecting against further fraud.

Hannaford argued that the plaintiffs’ injuries were too speculative, and a U.S. District Court entered judgment for the chain.

But on appeal, the First Circuit reversed.

While some of the plaintiffs’ claims – like those for lost reward points and emotional distress – were not recoverable, the court said the plaintiffs could pursue their negligence and implied breach of contract claims for the costs of mitigating the theft of their information.

Some financial institutions immediately canceled customers’ cards and issued new ones, which was evidence of the reasonableness of issuing replacement cards as a form of mitigation, the court said.

“It was foreseeable, on these facts, that a customer, knowing that her credit or debit card data had been compromised and that thousands of fraudulent charges had resulted from the same security breach, would replace the card to mitigate against misuse of the card data,” the court said. “Similarly, it was foreseeable that a customer who had experienced unauthorized charges to her account . . . would reasonably purchase insurance to protect against the consequence of data misuse.”

The decision is Anderson v. Hannaford Bros.

Why it matters: While other courts have denied damages for plaintiffs in data breach cases, the First Circuit emphasized that the case at hand did “not involve inadvertently misplaced or lost data which has not been accessed or misused by third parties.” Because the hackers were sophisticated and more than 1,800 instances of fraud resulting from the theft were reported, the financial losses to consumers to mitigate their own potential damages were reasonable and foreseeable, the court determined, and therefore cognizable under Maine law.