Anderson v. Hannaford: Plaintiff Customers May Recover Mitigation Costs Of Data Breach

by Proskauer - Privacy & Data Security

Plaintiff customers in litigation stemming from Hannaford Brothers, Co.'s 2007 data breach were handed a partial victory by the First Circuit on October 20th. The Court held that plaintiffs' claims for negligence and implied contract should survive Hannaford's motion to dismiss because plaintiffs' reasonably foreseeable mitigation costs constitute a cognizable claim for damages under Maine law. While this case, Anderson v. Hannaford Brothers, Co., may be read narrowly to apply only to circumstances involving actual theft and misuse of customers' data, plaintiffs' lawyers, who for years have made unsuccessful claims for damages following data security breaches, will likely attempt to broaden this holding to apply at least to other mitigation costs incurred by plaintiffs.

Factual and Procedural Background

Anderson v. Hannaford Brothers, Co., which consolidated 26 separate lawsuits against the supermarket chain, stems from a 2007 breach where hackers stole up to 4.2 million credit and debit card numbers, expiration dates, and security codes (notably, they did not steal customers' names). Hannaford announced the breach in March 2008, noting that it had already received reports of approximately 1,800 cases of fraud resulting from the breach. Following Hannaford's announcement, some financial institutions canceled customers' credit and debit cards, and issued new cards, while others did not, indicating that they would monitor customer accounts for unusual activity. Some customers who requested that their cards be canceled were required to pay fees for replacement cards, and others purchased identity theft insurance and credit monitoring services to protect themselves against possible consequences of the breach.

The plaintiffs alleged seven causes of action, including breach of implied contract; breach of implied warranty; breach of duty of a confidential relationship; failure to advise customers of the theft of their data; strict liability; negligence; and violation of Maine's Unfair Trade Practices Act (UTPA). The District Court granted Hannaford's motion to dismiss as to 20 of the 21 plaintiffs. (One plaintiff was allowed to proceed because she was the only plaintiff to allege unreimbursed fraudulent charges to her account.) The District Court held that the other plaintiffs failed to state claims under Maine law for breach of fiduciary duty, breach of implied warranty, strict liability and failure to notify customers of the data breach. And although plaintiffs did adequately allege breach of implied contract, negligence and violation of UTPA, the plaintiffs' alleged injuries were "too remote, not reasonably foreseeable and/or speculative" to be recognized under Maine law. In addition, the district court determined that "there was no way to value or compensate the time and effort that customers spent to reverse or protect against losses, and that there was no allegation to justify the claim for identity theft insurance since no personally identifying information was alleged to have been stolen."

Following the District Court's decision, the plaintiffs moved to certify several questions to the Maine Supreme Judicial Court. The District Court certified two questions, and only one was answered by the Maine Supreme Judicial Court (the second was deemed moot based on the answer to the first question). The certified question read: "[i]n the absence of physical harm or economic loss or identity theft, do time and effort alone, spent in a reasonable effort to avoid or remediate reasonably foreseeable harm, constitute a cognizable injury for which damages may be recovered under Maine law of negligence and/or implied contract?"

The Maine Supreme Judicial Court answered the question in the negative, agreeing with the District Court that time and effort alone do not constitute a cognizable claim under Maine law. After ordering the parties to show cause why judgment should not be entered in favor of Hannaford on all claims, the District Court ordered judgment in favor of Hannaford.

The First Circuit Decision

Plaintiffs appealed the District Court's decision regarding the fiduciary duty, breach of implied contract, negligence and Maine UTPA claims. The First Circuit held that plaintiffs adequately alleged theories of negligence and breach of implied contract, and that those claims should survive Hannaford's motion to dismiss.

Negligence: The First Circuit adopted the Restatement (Second) of Torts sec. 919, which provides that "[o]ne whose legally protected interests have been endangered by the tortious conduct of another is entitled to recover for expenditures reasonably made or harm suffered in a reasonable effort to avert the harm threatened." The Court also noted that, as a matter of policy, Maine law encourages plaintiffs to take reasonable steps to minimize losses caused by a defendant's negligence. To recover mitigation damages, plaintiffs must show that efforts to mitigate were reasonable, and that those efforts constitute a legal injury, such as actual money lost, rather than time or effort expended.

After reviewing decisions of other jurisdictions that have adopted the Restatement (Second) of Torts sec. 919, the Court considered whether the plaintiffs' mitigation steps were reasonable, and stated that "[i]t was foreseeable, on these facts that a customer, knowing that her credit or debit card had been compromised and that thousands of fraudulent charges had resulted from the same security breach, would replace the card to mitigate against misuse of the card data." The court thus held that "[p]laintiffs' claims for identity theft and replacement card fees involve actual financial losses from credit and debit card misuse. Under Maine contract law, these financial losses are recoverable as mitigation damages as long as they are reasonable."

Implied Contract: The First Circuit held that a jury could reasonably find an implied contract between Hannaford and its customers that Hannaford (1) would not use the credit card for other people's purchases; (2) would not sell the data to others; and (3) would take reasonable measures to protect the information.

The First Circuit held that other arguments asserted by plaintiffs must fail.

Fiduciary/Confidential Relationship: Plaintiffs argued that a fiduciary relationship arises in the context of credit and debit card use because the customer trusts the merchant to safeguard her credit or debit card information. The First Circuit agreed with the District Court that the plaintiffs' argument must fail, and that Hannaford does not owe a fiduciary duty to its customers. The First Circuit reasoned that (1) the plaintiffs have not shown the trust and confidence contemplated by Maine confidential relationship cases; (2) the plaintiffs have not pleaded facts demonstrating disparate bargaining power between the plaintiffs and Hannaford; and (3) the plaintiffs fail to allege facts demonstrating that Hannaford abused a position of trust.

Maine UTPA: After a lengthy discussion of the availability of a private right of action under UTPA, the First Circuit rejected plaintiffs' UTPA claim, stating that "[i]t seems unlikely to us that Maine would permit plaintiffs, in cases also pleading that the same acts constitute negligence and breach of implied contract, to use the right of private action provision of the UTPA to recover types of damages which Maine has decided are not reasonably foreseeable or barred for policy reasons when asserted under implied contract, negligence or other theories."

Implications

While it will likely be quite some time before we know how this case will ultimately be resolved, Anderson v. Hannaford should put companies on notice that out-of-pocket costs incurred to mitigate losses resulting from a data breach may result in viable damages claims.

 

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Proskauer - Privacy & Data Security | Attorney Advertising
