Data breach decision may go to Maine's high court

Computerworld - A federal judge in Maine is asking the state's Supreme Court to clarify whether consumers can seek restitution from merchants for the time and effort involved in changing payment cards and bank accounts after a data breach.

The case involves Hannaford Bros. which last year disclosed that unknown intruders had broken into its network and stolen data on more than 4.2 million credit and debit cards from its stores in New England, New York and Florida. The disclosure resulted in several lawsuits against the Maine-based retailer by consumers and banks seeking to recoup the costs associated with blocking and issuing new cards.

This May, U.S. District Court Judge Brock Hornby threw out almost all of the civil claims against the grocer that had been filed by consumers. The lawsuits had alleged that Hannaford had failed to protect card holder data and to notify customers of the breach in a timely fashion. In dismissing the claims, Hornby ruled that without any actual and substantial loss of money or property, consumers could not seek damages.

The only complaint he allowed to stand was from a woman who said she had not been reimbursed by her bank for fraudulent charges on her bank account after the Hannaford breach.

At the time, Hornby wrote that consumers with no fraudulent charges posted to their accounts could not seek damages under Maine law. Neither could those who might have had fraudulent charges on their accounts that were later reversed.

This week, however, Hornby reversed that decision. He asked the Law Court, the highest court in Maine, to weigh in on the question of whether the time and effort spent in mitigating the fallout from a data breach constituted a cognizable injury under Maine law.

The question stemmed from a motion filed by the plaintiffs in the case asking Hornby to reconsider his earlier ruling. In all, the plaintiffs had asked the judge to clarify four questions with the state Supreme Court. Horny dismissed three of those requests but agreed to clarify one question.

"Whether time and effort spent mitigating or averting harm from actionable conduct...is alone sufficient to recover damages is uncertain under Maine law," wrote in a 16-page ruling. As a result, the Maine Supreme Court should be given the opportunity to determine whether such damages constitute a cognizable injury under Maine law, he wrote.

The Maine Supreme Court's ruling on the matter could have a significant impact on how other courts view the same issue going forward. Most courts have tended to dismiss a vast majority of the consumer class-action lawsuits brought in the wake of a data breach involving the compromise of credit and debit card data.

In most cases, courts have held that since consumers are compensated for any loss by the card-issuing bank they have little reason to seek other damages from the breached entity. They have also tended to reject the idea that consumers must be compensated for damages that they could suffer in the future as a result of a data breach.

Read more about security in Computerworld's Security Knowledge Center.