Data breach decision may go to Maine's high court
Judge seeks opinion on whether consumers can seek restitution for inconvenience of changing credit cards after a data breach
Computerworld - A federal judge in Maine is asking the state's Supreme Court to clarify whether consumers can seek restitution from merchants for the time and effort involved in changing payment cards and bank accounts after a data breach.
The case involves Hannaford Bros. which last year disclosed that unknown intruders had broken into its network and stolen data on more than 4.2 million credit and debit cards from its stores in New England, New York and Florida. The disclosure resulted in several lawsuits against the Maine-based retailer by consumers and banks seeking to recoup the costs associated with blocking and issuing new cards.
This May, U.S. District Court Judge Brock Hornby threw out almost all of the civil claims against the grocer that had been filed by consumers. The lawsuits had alleged that Hannaford had failed to protect card holder data and to notify customers of the breach in a timely fashion. In dismissing the claims, Hornby ruled that without any actual and substantial loss of money or property, consumers could not seek damages.
The only complaint he allowed to stand was from a woman who said she had not been reimbursed by her bank for fraudulent charges on her bank account after the Hannaford breach.
At the time, Hornby wrote that consumers with no fraudulent charges posted to their accounts could not seek damages under Maine law. Neither could those who might have had fraudulent charges on their accounts that were later reversed.
This week, however, Hornby reversed that decision. He asked the Law Court, the highest court in Maine, to weigh in on the question of whether the time and effort spent in mitigating the fallout from a data breach constituted a cognizable injury under Maine law.
The question stemmed from a motion filed by the plaintiffs in the case asking Hornby to reconsider his earlier ruling. In all, the plaintiffs had asked the judge to clarify four questions with the state Supreme Court. Horny dismissed three of those requests but agreed to clarify one question.
"Whether time and effort spent mitigating or averting harm from actionable conduct...is alone sufficient to recover damages is uncertain under Maine law," wrote in a 16-page ruling. As a result, the Maine Supreme Court should be given the opportunity to determine whether such damages constitute a cognizable injury under Maine law, he wrote.
The Maine Supreme Court's ruling on the matter could have a significant impact on how other courts view the same issue going forward. Most courts have tended to dismiss a vast majority of the consumer class-action lawsuits brought in the wake of a data breach involving the compromise of credit and debit card data.
In most cases, courts have held that since consumers are compensated for any loss by the card-issuing bank they have little reason to seek other damages from the breached entity. They have also tended to reject the idea that consumers must be compensated for damages that they could suffer in the future as a result of a data breach.
Read more about Security in Computerworld's Security Topic Center.
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts