Image: Clipart.com
Customers victimized by a data breach at Hannaford Brothers Co., a supermarket company, can bring some negligence and implied contract claims against the company, the 1st U.S. Circuit Court of Appeals has ruled.
On Oct. 20, a unanimous panel partially reversed a May 2009 dismissal by D. Brock Hornby of the District of Maine of the plaintiff's negligence and implied contract claims "because plaintiffs' reasonably foreseeable mitigation costs constitute a cognizable harm under Maine law."
The 1st Circuit in In Re Hannaford Bros. Co Customer Data Security Breach Litigation found that plaintiffs could use those claims to recover identity theft insurance and replacement card fees involving actual financial losses. But they could not recover for the loss of reward points and reward point earning opportunities and fees for changing automated, pre-authorized payments from the accounts.
The 1st Circuit also affirmed Hornby's dismissal of all the plaintiffs' breach of fiduciary duty and Maine Unfair Trade Practices Act claims in the multidistrict litigation.
The breach involved the theft of up to 4.2 million debit card and credit card numbers, expiration dates, and security codes between Dec. 7, 2007, and March 10, 2008, from Hannaford's electronic payment processing network.
Chief Judge Sandra Lynch wrote the opinion, joined by judges O. Rogeriee Thompson and Juan Torruella.
The 1st Circuit agreed with the district court that Hannaford did not owe plaintiffs a fiduciary duty. First, they did not have a "confidential relationship" with Hannaford under Maine law, such as a business agency, professional relationship, or family tie, which gives rise to such a duty. Second, there's no evidence of disparate bargaining power between the plaintiffs and Hannaford. Third, the plaintiffs' facts don't show that Hannaford abused a position of trust.
The 1st Circuit agreed with the district court's dismissal of the Maine Unfair Trade Practices Act, but not its reasoning. Hornby found that the plaintiffs did not allege substantial loss. But Lynch observed that there's no literal substantial loss requirement in a 1991 amendment to the law that allows private causes of action.
"What is clear is that the Maine courts have consistently read the private right of action provision of the [unfair trade law] narrowly," Lynch wrote. "It seems unlikely to us that Maine would permit plaintiffs, in cases also pleading that the same acts constitute negligence and breach of implied contract, to use the private action provision of the [unfair trade law] to recover types of damages which Maine has decided are not reasonably foreseeable or barred for policy reasons when asserted under implied contract, negligence, or other theories."
The plaintiffs' implied contract claim survives because customers using credit cards in commercial transactions intend to restrict their personal data to the merchant making the sale, Lynch wrote.
"Ordinarily, a customer does not expect -- and certainly does not intend -- the merchant to allow unauthorized third-parties to access that data," Lynch wrote.
In the opinion's discussion of the mitigation damages issue, Lynch observed that "there is not a great deal of Maine law on the subject," so the question to consider is whether plaintiffs' mitigation efforts were reasonable.
Lynch wrote that, unlike the cases cited by Hannaford, this case does not involve inadvertently misplaced or lost data that third parties have not accessed or misused. "Here, there was actual misuse, and it was apparently global in reach."
Lynch also concluded that there was no way to predict which accounts would be misused. "By the time Hannaford acknowledged the breach, over 1,800 fraudulent charges had been identified and the plaintiffs could reasonably expect that many more fraudulent charges would follow. Hannaford did not notify its customers of exactly what data, or whose data, was stolen. It reasonably appeared that all Hannaford customers to have used credit or debit cards during the class period were at risk of unauthorized charges."
"We're still in the game," said the plaintiffs lawyer, Peter Murray of Portland, Maine's Murray, Plumb & Murray. "We don't know how many of the 4.2 million customers whose numbers were stolen had such costs [as the 1st Circuit said are recoverable], but among 4.2 million there must be quite a few."
Hannaford's lawyer, Clifford Ruprecht, a partner at Portland, Maine's Pierce Atwood, did not respond to a request for comment.
In an emailed statement, Hannaford spokesman Eric Blom wrote, "Elements of this litigation remain outstanding, and we do not comment on pending legal matters."
Subscribe to The National Law Journal
