Plaintiffs in data privacy cases have pursued a variety of theories, from negligence to breach of contract and even constitutional claims, only to come up empty-handed because they suffered no actual injury. The United States Court of Appeals for the First Circuit recently went against that trend by reversing a district court's dismissal of negligence and breach of implied contract claims arising from a 2007 breach of Hannaford Brothers Company's electronic payment processing system. Anderson v. Hannaford Brothers Co., Nos. 10-2384, 10-2450, 2011 WL 5007175 (1st Cir. 2011).
While it remains to be seen whether Anderson ushers in a new era of privacy litigation, it provides a useful framework for certain privacy-based claims. The First Circuit based its ruling on a critical fact not alleged in the majority of data breach cases to date: the sophisticated hackers who breached Hannaford's system actually used the data they obtained to carry out thousands of fraudulent transactions. That fact made the threat to Hannaford's customers more credible, the customers' mitigation efforts more reasonable, and the damages based on those efforts less speculative.
This update summarizes the Anderson opinion and considers its potential impact.
Background of the Lawsuit
On December 7, 2007, Hannaford, a Maine-based national supermarket chain, fell victim to a targeted breach of its electronic payment processing system, resulting in the theft of 4.2 million credit card and debit card numbers, expiration dates, and security codes.
Hannaford customers filed suit, seeking damages and injunctive relief for alleged breach of fiduciary duty, breach of implied warranty, strict liability, failure to notify customers of the data breach, negligence, breach of implied contract, and violation of the Maine Unfair Trade Practices Act (UTPA). The plaintiffs alleged that they and other Hannaford customers had experienced more than 1,800 unauthorized charges to their accounts and had suffered other losses, such as replacement card fees, overdraft fees triggered by fraudulent charges, fees for altering pre-authorized payment arrangements, loss of accumulated reward points, the inability to earn reward points during the transition to new accounts, emotional distress, time and effort spent reversing unauthorized charges, and the cost of purchasing identity theft/card protection insurance and credit monitoring services.
The district court dismissed plaintiffs’ claims for breach of fiduciary duty, breach of implied warranty, strict liability, and failure to notify. With respect to the claims for negligence, breach of implied contract, and violation of the UTPA, the court held that the plaintiffs’ allegations were adequate to state a claim for relief, but that the “consequential losses” alleged were “too remote, not reasonably foreseeable, and/or speculative” to be cognizable under Maine law.
Plaintiffs appealed the dismissal of their breach of fiduciary duty, UTPA, implied contract, and negligence claims. The First Circuit affirmed the dismissal of the fiduciary duty and UTPA claims, but reversed as to the negligence and breach of implied contract claims and allowed them to proceed. The breach of fiduciary duty claim was defective, the court held in part, because there was no confidential relationship between Hannaford and its customers; they were parties to an arm's-length transaction. The court rejected the UTPA claim on public policy grounds and because any recovery would duplicate that available under negligence and breach of contract.
Mitigation Damages as Cognizable Injury
The Anderson ruling is significant in that it departed from the trend in privacy cases by finding plaintiffs adequately alleged injuries based on their efforts to mitigate the damages caused by Hannaford’s data breach.
The court distinguished the allegations here from other data breach cases on two critical grounds. First, unlike the majority of prior data privacy suits, the breach here involved a sophisticated attack by hackers that directly targeted Hannaford’s data with the intent to use the customer information to carry out fraud. The court viewed this as distinct from cases where customer data was not the target, such as where thieves steal computer equipment that happens to contain sensitive customer information.
Second, the hackers who broke into Hannaford's system actually used the data they obtained to commit fraud. Using Hannaford customer data, including that of several of the plaintiffs, the perpetrators rang up thousands of charges to Hannaford customers' credit and debit card accounts. By contrast, the court noted, in other cases where thieves accessed customer data, the plaintiffs failed to allege that they or any similarly situated class member had actually been the victim of fraud or identity theft as a result of the breach. Absent allegations of unauthorized charges, the plaintiffs in those cases lacked a reasonable basis for fearing fraud, and their mitigation efforts were correspondingly less reasonable.
In Anderson, the court concluded that mitigation efforts such as purchasing identity theft insurance and paying for replacement cards were reasonable, and that the costs of those efforts were foreseeable damages under either the negligence cause of action or the implied contract cause of action.
Practical Application of Anderson v. Hannaford Brothers Co.
The Anderson decision may help some data breach plaintiffs, but not all. In cases where plaintiffs allege, or even prove, nothing beyond exposure of their data, they will still be unlikely to recover.
The first important question will be how and why the data was taken. In cases where the target of the theft is computer equipment rather than the data itself, and where there may not even be evidence that the thief was aware of the customer data, Anderson is not likely to change the analysis at all. This was the situation, for example, in Ruiz v. Gap, Inc., 622 F. Supp. 2d 908 (N.D. Cal. 2009), aff'd, 380 F. App'x 689 (9th Cir. 2010), in which thieves stole two laptops from the offices of Vangent, Inc., a vendor that Gap used for processing job applications. The laptops contained unencrypted personal information, including social security numbers, of over 750,000 job applicants.
In cases where hackers specifically target customer data, it will still take more than mere allegations of data exposure for plaintiffs to recover. In Anderson, the court relied on both the fact that the hackers targeted Hannaford's data and the fact that the hackers had actually made use of it in concluding that plaintiffs' mitigation costs were compensable damages. Absent allegations that the data has actually been used, courts have found no cognizable injury. See, e.g., Pisciotta v. Old Nat'l Bancorp, 499 F.3d 629 (7th Cir. 2007); Hendricks v. DSW Shoe Warehouse, Inc., 444 F. Supp. 2d 775 (W.D. Mich. 2006).
The impact of the Anderson decision remains to be seen. However, armed with an appellate court's outline of how to frame privacy-based claims, plaintiffs will likely continue to pursue such causes of action after a breach. Companies should continue their vigilant efforts to implement and maintain appropriate data security measures.