Data breach decision may go to Maine's high court
Judge seeks opinion on whether consumers can seek restitution for inconvenience of changing credit cards after a data breach
Computerworld - A federal judge in Maine is asking the state's Supreme Court to clarify whether consumers can seek restitution from merchants for the time and effort involved in changing payment cards and bank accounts after a data breach.
The case involves Hannaford Bros. which last year disclosed that unknown intruders had broken into its network and stolen data on more than 4.2 million credit and debit cards from its stores in New England, New York and Florida. The disclosure resulted in several lawsuits against the Maine-based retailer by consumers and banks seeking to recoup the costs associated with blocking and issuing new cards.
This May, U.S. District Court Judge Brock Hornby threw out almost all of the civil claims against the grocer that had been filed by consumers. The lawsuits had alleged that Hannaford had failed to protect card holder data and to notify customers of the breach in a timely fashion. In dismissing the claims, Hornby ruled that without any actual and substantial loss of money or property, consumers could not seek damages.
The only complaint he allowed to stand was from a woman who said she had not been reimbursed by her bank for fraudulent charges on her bank account after the Hannaford breach.
At the time, Hornby wrote that consumers with no fraudulent charges posted to their accounts could not seek damages under Maine law. Neither could those who might have had fraudulent charges on their accounts that were later reversed.
This week, however, Hornby reversed that decision. He asked the Law Court, the highest court in Maine, to weigh in on the question of whether the time and effort spent in mitigating the fallout from a data breach constituted a cognizable injury under Maine law.
The question stemmed from a motion filed by the plaintiffs in the case asking Hornby to reconsider his earlier ruling. In all, the plaintiffs had asked the judge to clarify four questions with the state Supreme Court. Horny dismissed three of those requests but agreed to clarify one question.
"Whether time and effort spent mitigating or averting harm from actionable conduct...is alone sufficient to recover damages is uncertain under Maine law," wrote in a 16-page ruling. As a result, the Maine Supreme Court should be given the opportunity to determine whether such damages constitute a cognizable injury under Maine law, he wrote.
The Maine Supreme Court's ruling on the matter could have a significant impact on how other courts view the same issue going forward. Most courts have tended to dismiss a vast majority of the consumer class-action lawsuits brought in the wake of a data breach involving the compromise of credit and debit card data.
In most cases, courts have held that since consumers are compensated for any loss by the card-issuing bank they have little reason to seek other damages from the breached entity. They have also tended to reject the idea that consumers must be compensated for damages that they could suffer in the future as a result of a data breach.
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts