Court Holds that Hannaford Data Breach Suit Cannot Proceed as Class Action


On March 20, 2013, the United States District Court for the District of Maine denied a motion brought by plaintiffs in In re Hannaford Brothers Company Data Security Breach Litigation that would have allowed the suit to proceed as a class action. The decision, which concluded that plaintiffs had failed to meet the predominance requirement of Federal Rule of Civil Procedure 23(b)(3), demonstrates the difficulty of certifying a class in the data breach context, where claims often turn on individual issues of causation and damages. Perhaps most significantly, the decision signals that in order for data breach plaintiffs to meet their burden as to predominance, they must first obtain a supporting opinion from an expert.

The Hannaford case began in 2008, when a putative class of Hannaford customers filed suit against the company following Hannaford’s announcement that cyber criminals had stolen customer debit and credit card information from its network systems. Following rulings by the District Court, the United States Court of Appeals for the First Circuit, and the Supreme Court of Maine, the claims against Hannaford were pared down to negligence and breach of implied contract, and the proposed class was limited to customers who, as a result of the data breach, made out-of-pocket payments to cancel their cards or obtain identity theft protection products.
