Hannaford hit by class-action lawsuits in wake of data-breach disclosure

Computerworld - In a likely precursor of what's to come, a Philadelphia law firm and an attorney in Maine have filed class-action lawsuits against Hannaford Bros. Co., the Scarborough, Maine-based supermarket chain that this week disclosed a data security breach involving the potential compromise of 4.2 million credit and debit cards.

Philadelphia-based Berger & Montague PC filed its lawsuit yesterday in U.S. District Court in Maine. A similar suit was filed Tuesday by Bangor, Maine-based attorney Samuel Lanham Jr. on behalf of Hannaford customers in all of the states where the grocer does business.

Michael Fantini, an attorney at Berger & Montague, said today that inadequate data security at Hannaford had resulted in the compromise of the personal financial data of consumers, thereby exposing them to the risk of fraud. The class-action suit charges the company with negligence and breach of implied contract and seeks to recover any damages that might be caused to consumers as a result of the breach.

Hannaford failed to live up to the implicit understanding that a business will safeguard the financial information of its customers, Fantini claimed. The grocer also appears not to have disclosed the breach to the public quickly enough after discovering it, he said.

Lanham pointed to the 1,800 cases of alleged credit card fraud that have been reported thus far by Hannaford, and he said that many other shoppers are only now beginning to discover that they could be victims as well.

A Hannaford spokeswoman didn't respond immediately to a request for comment about the lawsuits.

On Monday, Hannaford said in a notice to customers posted on its Web site that unknown intruders had accessed its systems and stolen about 4.2 million credit and debit card numbers between Dec. 7 and March 10. The breach affected all of Hannaford's 165 supermarkets in New England and New York, as well as 106 stores operated under the Sweetbay name in Florida and 23 independently owned markets that sell Hannaford products.

In a Customer Questions document, Hannaford said that it was first made aware of suspicious credit card activity on Feb. 27. The company added that it "immediately initiated a comprehensive investigation" with help from outside IT security experts.

The Hannaford breach is relatively small compared with some other corporate security snafus, such as the mammoth data compromise disclosed early last year by The TJX Companies Inc. Even so, the breach at Hannaford is likely to result in renewed calls for stricter regulations to be imposed on companies that fail to protect consumer data.

Framingham, Mass.-based TJX was hit by several lawsuits after disclosing its breach, including one filed by Berger & Montague, the same law firm that now is suing Hannaford. TJX has settled many of those suits, contributing to a total of about $250 million that the retailer has spent or set aside thus far to cover its breach-related costs. That includes the cost of fixing the security flaws that led to the breach, as well as expenses stemming from various claims, lawsuits and fines that followed the disclosure of the data compromise.

For instance, settlements reached by TJX include offers of free credit-monitoring services for three years to consumers whose driver's license numbers were exposed in the breach, plus cash reimbursements, shopping vouchers and a promised three-day customer appreciation event this year, during which the company plans to offer 15% discounts on all goods.

In addition to facing the likelihood of consumer lawsuits, retailers who suffer breaches also have to deal with banks and credit unions, which are getting increasingly antsy about having to shell out tens of thousands of dollars to pay for the cost of of notifying their customers and reissuing credit and debit cards. Yesterday, for example, the Maine Credit Union League warned that it expects the Hannaford breach to have a significantly bigger effect on credit unions in that state than the TJX breach did.

Several credit union associations around the U.S. have been pressuring state legislators to pass laws that would require retailers hit by data breaches to bear the costs associated with them. Such efforts have met with limited success, though. Minnesota last year enacted a law called the Plastic Card Security Act that essentially requires retailers to reimburse banks and credit unions for breach-related costs. But similar efforts in states such as Massachusetts, Texas and California have failed to produce any laws thus far.

In fighting the state bills, retailers have argued that the commissions they pay to card companies on each transaction are supposed to cover fraud-related costs, making any additional payments a double penalty. They also have said that the only reason they store payment card data is because they're required to by the major credit card companies. Last October 2007, the National Retail Federation asked the card companies to drop that requirement.

Read more about cybercrime and hacking in Computerworld's Cybercrime and Hacking Knowledge Center.