Data breach decision may go to Maine's high court
Judge seeks opinion on whether consumers can seek restitution for inconvenience of changing credit cards after a data breach
Computerworld - A federal judge in Maine is asking the state's Supreme Court to clarify whether consumers can seek restitution from merchants for the time and effort involved in changing payment cards and bank accounts after a data breach.
The case involves Hannaford Bros. which last year disclosed that unknown intruders had broken into its network and stolen data on more than 4.2 million credit and debit cards from its stores in New England, New York and Florida. The disclosure resulted in several lawsuits against the Maine-based retailer by consumers and banks seeking to recoup the costs associated with blocking and issuing new cards.
This May, U.S. District Court Judge Brock Hornby threw out almost all of the civil claims against the grocer that had been filed by consumers. The lawsuits had alleged that Hannaford had failed to protect card holder data and to notify customers of the breach in a timely fashion. In dismissing the claims, Hornby ruled that without any actual and substantial loss of money or property, consumers could not seek damages.
The only complaint he allowed to stand was from a woman who said she had not been reimbursed by her bank for fraudulent charges on her bank account after the Hannaford breach.
At the time, Hornby wrote that consumers with no fraudulent charges posted to their accounts could not seek damages under Maine law. Neither could those who might have had fraudulent charges on their accounts that were later reversed.
This week, however, Hornby reversed that decision. He asked the Law Court, the highest court in Maine, to weigh in on the question of whether the time and effort spent in mitigating the fallout from a data breach constituted a cognizable injury under Maine law.
The question stemmed from a motion filed by the plaintiffs in the case asking Hornby to reconsider his earlier ruling. In all, the plaintiffs had asked the judge to clarify four questions with the state Supreme Court. Horny dismissed three of those requests but agreed to clarify one question.
"Whether time and effort spent mitigating or averting harm from actionable conduct...is alone sufficient to recover damages is uncertain under Maine law," wrote in a 16-page ruling. As a result, the Maine Supreme Court should be given the opportunity to determine whether such damages constitute a cognizable injury under Maine law, he wrote.
The Maine Supreme Court's ruling on the matter could have a significant impact on how other courts view the same issue going forward. Most courts have tended to dismiss a vast majority of the consumer class-action lawsuits brought in the wake of a data breach involving the compromise of credit and debit card data.
In most cases, courts have held that since consumers are compensated for any loss by the card-issuing bank they have little reason to seek other damages from the breached entity. They have also tended to reject the idea that consumers must be compensated for damages that they could suffer in the future as a result of a data breach.
Read more about Security in Computerworld's Security Topic Center.
- Mobile First: Securing Information Sprawl Learn how the partnership between Box and MobileIron can help you execute a "mobile first" strategy that manages and secures both mobile apps...
- Cybersecurity Imperatives: Reinvent your Network Security The Rise of CyberSecurity
- Surescripts Case Study- Securing Keys and Certificates Surescripts implemented Venafi's Trust Protection Platform™ to secure digital keys and certificates, ensure the privacy and confidentiality of electronic clinical information for its...
- Ponemon 2014 SSH Security Vulnerability Report According to research by the Ponemon Institute, 3 out of 4 enterprises have no security controls in place for SSH which leaves organizations...
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities.
- Deep Dive into Advanced Networking and Security with Hybrid Cloud Security and networking are among the top concerns when moving workloads to the cloud. VMware vCloud® Hybrid Service™ enables you to extend your... All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!