In a rare instance of a court siding with consumers in a data breach lawsuit, a federal appeals court has cleared the way for a class-action lawsuit to proceed against grocery chain Hannaford Bros. over a 2007 data breach that exposed millions of customers' credit and debit card numbers.
The U.S. Court of Appeals for the First Circuit last week ruled that consumers who took proactive steps to protect themselves against fraud and identity theft in the wake of the breach may seek compensation for their expenses from Hannaford.
The decision overturns an earlier decision by a district court in Maine which had held that consumers could not seek compensation from Hannaford because their alleged injuries stemming from the breach were too speculative and unforeseeable.
The ruling is noteworthy because "up until this point, many if not most courts have dismissed these consumer class actions on the basis that consumers did not have standing or the damages were too speculative," said Scott Vernick, an attorney in the Philadelphia office of Fox Rothschild.
But it could be a mistake to read too much into the decision, because it pertains to a somewhat specific set of circumstances, he added.
A Hannaford spokesman said the company does not want to comment on the ruling because there are still some issues under litigation.
The lawsuit, John Anderson et al. v. Hannaford Bros. Co., stems from a data breach at Hannaford that exposed 4.2 million credit and debit cards. The theft began in December 2007 but was not detected and disclosed by the company until March 2008. At the time of the disclosure, Scarborough, Maine-based Hannaford said it had detected about 1,800 of the compromised cards being used in a fraudulent manner. The company's disclosure prompted several banks to cancel and reissue credit and debit cards as a precautionary measure against fraudulent use.
Hannaford's disclosure of the breach also prompted several consumer class-action lawsuits. In all, 26 of those lawsuits were consolidated into one lawsuit in the U.S. District Court for the District of Maine. The lawsuit charged Hannaford with breach of implied contract, negligence, violation of Maine's unfair trade practices statute and four other causes of action.
The district court, like several other courts in similar cases, dismissed all but one of the claims. The only complaint that was allowed to stand was from a woman who said she had not been reimbursed by her bank for fraudulent charges on her bank account after the Hannaford breach.
Consumers with no fraudulent charges posted to their accounts could not seek damages under Maine law; neither could those who might have had fraudulent charges on their accounts that were later reversed, the district court judge had ruled.
In its ruling last week, the appellate court agreed with the district court's decision on almost all counts. However, it held that consumers who paid for credit monitoring services or to get their banks to reissue cards as a proactive security measure had a basis for making a claim against Hannaford.
"When a customer uses a credit card in a commercial transaction, she intends to provide that data to the merchant only," the court wrote in its opinion.
"Ordinarily, a customer does not expect -- and certainly does not intend -- the merchant to allow unauthorized third-parties to access that data. A jury could reasonably conclude, therefore, that an implicit agreement to safeguard the data is necessary to effectuate the contract."
While the ruling is important, it only addresses the actual out-of-pocket costs that some consumers experienced as a result of the breach, Vernick said.
Many similar consumer class-action lawsuits have sought compensation for the alleged time and effort people needed to spend to get their cards reissued, change bank accounts, or sign up for credit monitoring services.
The appellate court's decision does not allow consumers to pursue damages that are largely speculative, Vernick said. "If you are the victim of a data breach, and there is a general threat of financial fraud or ID theft, you will still have a hard time recovering" damages from the breached entity, he said.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed . His email address is firstname.lastname@example.org.