ALM Properties, Inc.
Page printed from: Corporate Counsel
Select 'Print' in your browser menu to print this document.
Damages From Data Breach Dominate 1st Circuit Debate
The National Law Journal
A debate about the damages available to some to 4.2 million customers of the Hannaford Brothers Co. supermarket company whose financial information was compromised during a data breach dominated an oral argument at the 1st U.S. Circuit Court of Appeals.
The Sept. 8 hearing in Anderson v. Hannaford Brothers Co. concerned the appeal of a May 2009 order by District of Maine Judge D. Brock Hornby that rejected most of the plaintiffs' claims.
Hornby's order in the multidistrict litigation In Re Hannaford Bros. Co Customer Data Security Breach Litigation, ruled that, under Maine law, "consumers whose payment data are stolen can recover against the merchant only if the merchant's negligence caused a direct loss to the consumer's account."
In November 2009, after the plaintiffs moved for reconsideration, Hornby certified two questions to the Supreme Judicial Court of Maine. That court, in a September 2010 decision, held that "Maine law of negligence and implied contract does not recognize time and effort alone, spent in a reasonable effort to avoid or remediate reasonably foreseeable harm, as a cognizable injury in the absence of physical harm or economic loss or identity theft." Therefore, Hornby's decision remained unchanged.
The breach involved the theft of up to 4.2 million debit card and credit card numbers, expiration dates, and security codes in Hannaford's electronic payment processing network between Dec. 7, 2007, and March 10, 2008.
The plaintiffs' 1st Circuit brief asked the court to find that its consolidated class action against Hannaford for breach of a fiduciary or confidential relationship over its failure to maintain the security of plaintiffs' confidential information is a valid cause of action.
They also asked the 1st Circuit to find that the district court erroneously dismissed the plaintiffs' claims for several types of actual losses of money and property, including card replacement fees, preauthorized credit change fees, account overdraft fees, loss of reward points earned, and identity theft insurance charges. The plaintiffs claim these losses stem from Hannaford's negligence and breach of implied contract.
Finally, the plaintiffs asked the court to determine that their "loss of money or property" claims are valid under the Maine Unfair Trade Practices Act.
Chief Judge Sandra Lynch sat on the panel with judges O. Rogeriee Thompson and Juan Torruella.
During oral argument Lynch told the plaintiffs lawyer, Peter Murray of Portland, Maine's Murray, Plumb & Murray, that she divided the various categories of harm alleged by plaintiffs into two parts, "only one of which has to do with mitigation."
Lynch said she views the cost of identity theft insurance cost as one type of mitigation. She considers the replacement card fee some banks charge consumers who had no fraudulent charges but wanted a new card as another type.
"The others are what you call the hard out-of-pocket costs, but they're not directly related to mitigation," Lynch said.
After further questioning, Murray said only one current plaintiff had to pay a fee to get a new card.
Lynch then said, "Maine law plainly encourages mitigation efforts," and asked Murray to address Hornby's conclusion that "nobody needed to buy insurance."
"Whether that was reasonable at the time under the circumstances, again, is a matter of evidence," Murray replied.
"Here is a person who had been hit several times by fraudulent charges, which had been extremely disruptive," Murray said. "The credit card company suggested that she get insurance. ... To just say that this person acted foolishly in buying the credit insurance is a little premature."
When Hannaford's lawyer, Clifford Ruprecht, a partner at Portland's Pierce Atwood argued, Lynch asked him about the plaintiffs' claim that they should be able to recover overdraft charges stemming from fraudulent charges under Maine law.
"It appears to be the case that it is commonly known to merchants like Hannaford that if the debit card gets overdrawn ... even for fraudulent charges, the customer will nonetheless ending up having to pay overdraft," Lynch said.
Ruprecht replied that he didn't think that was correct because, under the rules, the issuing bank "has to extend what's called zero liability protection to those people, has to hold them essentially harmless against these charges, against these fraudulent charges."
Ruprecht went on to say that it's not pleaded in the complaint that one of the plaintiffs had to pay one of these charges.
He said plaintiff Pamela LaMotte pleaded that she was being charged for going over the limit on a credit card and required to pay for it pending resolution of her claim that those charges were fraudulent. But, he said, when LaMotte came before the court and said 'I've been taken care of,' she didn't claim she was still responsible for those fraudulent charges.
During his rebuttal time, Murray disputed Ruprecht's characterization and said it's perfectly clear that LaMotte and other plaintiffs actually paid overdraft charges.
Lynch then asked Ruprecht to address her two categories of mitigation costs. "As is clear to you, I view that as a somewhat stronger case for the plaintiffs," Lynch said.
Ruprecht replied that "mitigation, was, it is fair to say, is the core question that was presented to the law court on the certified question in this case."
Hornby had asked the Maine Supreme Judicial Court whether the plaintiffs could make claims for time and effort spent "mitigating or remediating the consequences of the defendant's negligence." According to the plaintiffs' 1st Circuit brief, the Maine high court answered that Maine law does not authorize recovery for time and effort for mitigating or remediating money or property losses that stem from negligence or breach of contract.
Ruprecht said the plaintiffs argued that time and effort spent is recoverable because that's an effort at mitigation, but the Maine high court said, "No that's not recoverable."
He argued that the plaintiff who bought the identity theft insurance, bought it "without being at risk of any identity theft."
"How do we know she's not at risk?" Lynch asked.
That person is "not at risk any more than any of the people in the countless cases that we've cited in our briefs where exactly this situation has been presented where in fact people can say 'my information was stolen,' " Ruprecht replied. "We have plenty of Maine cases that say risk of future harm is not compensable."
Lynch then asked about plaintiffs whose banks charged them to issue a new credit card when there wasn't any evidence that their account had been fraudulently accessed.
"The bank was saying 'Let's wait and see, it's not clear that you're at any risk,' " Ruprecht said.
"They're really not any different from any of the other plaintiffs who are no longer even before the court," Ruprecht said "These are people who had had no fraudulent charges on their account. They simply are at some risk and they are paying money to try to avoid some risk from materializing."
This article originally appeared in The National Law Journal.