Hannaford hit by class-action lawsuits in wake of data-breach disclosure
Attorneys rush to federal court in Maine to sue grocer over theft of credit card info
Computerworld - In a likely precursor of what's to come, a Philadelphia law firm and an attorney in Maine have filed class-action lawsuits against Hannaford Bros. Co., the Scarborough, Maine-based supermarket chain that this week disclosed a data security breach involving the potential compromise of 4.2 million credit and debit cards.
Philadelphia-based Berger & Montague PC filed its lawsuit yesterday in U.S. District Court in Maine. A similar suit was filed Tuesday by Bangor, Maine-based attorney Samuel Lanham Jr. on behalf of Hannaford customers in all of the states where the grocer does business.
Michael Fantini, an attorney at Berger & Montague, said today that inadequate data security at Hannaford had resulted in the compromise of the personal financial data of consumers, thereby exposing them to the risk of fraud. The class-action suit charges the company with negligence and breach of implied contract and seeks to recover any damages that might be caused to consumers as a result of the breach.
Hannaford failed to live up to the implicit understanding that a business will safeguard the financial information of its customers, Fantini claimed. The grocer also appears not to have disclosed the breach to the public quickly enough after discovering it, he said.
Lanham pointed to the 1,800 cases of alleged credit card fraud that have been reported thus far by Hannaford, and he said that many other shoppers are only now beginning to discover that they could be victims as well.
A Hannaford spokeswoman didn't respond immediately to a request for comment about the lawsuits.
On Monday, Hannaford said in a notice to customers posted on its Web site that unknown intruders had accessed its systems and stolen about 4.2 million credit and debit card numbers between Dec. 7 and March 10. The breach affected all of Hannaford's 165 supermarkets in New England and New York, as well as 106 stores operated under the Sweetbay name in Florida and 23 independently owned markets that sell Hannaford products.
In a Customer Questions document, Hannaford said that it was first made aware of suspicious credit card activity on Feb. 27. The company added that it "immediately initiated a comprehensive investigation" with help from outside IT security experts.
The Hannaford breach is relatively small compared with some other corporate security snafus, such as the mammoth data compromise disclosed early last year by The TJX Companies Inc. Even so, the breach at Hannaford is likely to result in renewed calls for stricter regulations to be imposed on companies that fail to protect consumer data.
Framingham, Mass.-based TJX was hit by several lawsuits after disclosing its breach, including one filed by Berger & Montague, the same law firm that now is suing Hannaford. TJX has settled many of those suits, contributing to a total of about $250 million that the retailer has spent or set aside thus far to cover its breach-related costs. That includes the cost of fixing the security flaws that led to the breach, as well as expenses stemming from various claims, lawsuits and fines that followed the disclosure of the data compromise.
For instance, settlements reached by TJX include offers of free credit-monitoring services for three years to consumers whose driver's license numbers were exposed in the breach, plus cash reimbursements, shopping vouchers and a promised three-day customer appreciation event this year, during which the company plans to offer 15% discounts on all goods.
In addition to facing the likelihood of consumer lawsuits, retailers who suffer breaches also have to deal with banks and credit unions, which are getting increasingly antsy about having to shell out tens of thousands of dollars to pay for the cost of of notifying their customers and reissuing credit and debit cards. Yesterday, for example, the Maine Credit Union League warned that it expects the Hannaford breach to have a significantly bigger effect on credit unions in that state than the TJX breach did.
Several credit union associations around the U.S. have been pressuring state legislators to pass laws that would require retailers hit by data breaches to bear the costs associated with them. Such efforts have met with limited success, though. Minnesota last year enacted a law called the Plastic Card Security Act that essentially requires retailers to reimburse banks and credit unions for breach-related costs. But similar efforts in states such as Massachusetts, Texas and California have failed to produce any laws thus far.
In fighting the state bills, retailers have argued that the commissions they pay to card companies on each transaction are supposed to cover fraud-related costs, making any additional payments a double penalty. They also have said that the only reason they store payment card data is because they're required to by the major credit card companies. Last October 2007, the National Retail Federation asked the card companies to drop that requirement.
Read more about Cybercrime and Hacking in Computerworld's Cybercrime and Hacking Topic Center.
- Using Cyber Insurance and Cybercrime Data to Limit Your Business Risk This paper examines the challenges of understanding cyber risks, the importance of having the right cyber risk intelligence, and how to use this...
- 5 Tips to Secure Small Business Backdoors in the Enterprise Supply Chain This paper examines the insecurity of the small businesses in the supply chain and offers tips to close those backdoors into the enterprise.
- Comprehensive Advanced Threat Defense The hot topic in the information security industry these days is "Advanced Threat Defense" (ATD). This paper describes a comprehensive, network-based approach to...
- Advanced Threat Defense: A Comprehensive Approach In this interview, Peter George, president, General Dynamics Fidelis Cybersecurity Solutions, explains why we need more than anti-malware, and what constitutes a comprehensive...
- Live Webcast How to serve up a Grand Slam with a scalable IT Infrastructure for cloud, big data and advanced analytics Register today to attend this webcast, and see examples of how The U.S. Tennis Association, Wimbledon and U.S. Golf Association are using the...
- Live Webcast Security Vulnerabilities Associated With Having Local Administrator Privileges Viewfinity will demonstrate how removing admin rights and granularly managing privileges at the application level reduces the attack surface.
- Live Webcast IBM FlashSystem V840: Leveraging Software-Defined Flash to Drive Your Business With end-to-end, tightly integrated functionality and super-fast flash technology, products like IBM FlashSystem V840 Enterprise Performance Solution empower businesses to leverage the efficiency...
- Security Vulnerabilities Associated With Having Local Administrator Privileges Viewfinity will demonstrate how removing admin rights and granularly managing privileges at the application level reduces the attack surface.
- NSS Labs & Cisco Present: Evaluating Leading Breach Detection Systems Today's constantly evolving advanced malware and APTs can evade point-in-time defenses to penetrate networks. Security professionals must evolve their strategy in lockstep to... All Cybercrime and Hacking White Papers | Webcasts