Appeals court says some claims may proceed in Hannaford data breach lawsuit
Consumers who paid for ID security measures may seek compensation, court rules
Computerworld - In a rare instance of a court siding with consumers in a data breach lawsuit, a federal appeals court has cleared the way for a class-action lawsuit to proceed against grocery chain Hannaford Bros. over a 2007 data breach that exposed millions of customers' credit and debit card numbers.
The U.S. Court of Appeals for the First Circuit last week ruled that consumers who took proactive steps to protect themselves against fraud and identity theft in the wake of the breach may seek compensation for their expenses from Hannaford.
The decision overturns an earlier ruling by a district court in Maine, which had held that consumers could not seek compensation from Hannaford because their alleged injuries stemming from the breach were too speculative and unforeseeable.
The ruling is noteworthy because "up until this point, many if not most courts have dismissed these consumer class actions on the basis that consumers did not have standing or the damages were too speculative," said Scott Vernick, an attorney in the Philadelphia office of Fox Rothschild.
But it could be a mistake to read too much into the decision, because it pertains to a somewhat specific set of circumstances, he added.
A Hannaford spokesman said the company does not want to comment on the ruling because there are still some issues under litigation.
The lawsuit, John Anderson et al. v. Hannaford Bros. Co., stems from a data breach at Hannaford that exposed 4.2 million credit and debit cards. The theft began in December 2007 but was not detected and disclosed by the company until March 2008. At the time of the disclosure, Scarborough, Maine-based Hannaford said it had detected about 1,800 of the compromised cards being used in a fraudulent manner. The company's disclosure prompted several banks to cancel and reissue credit and debit cards as a precautionary measure against fraudulent use.
Hannaford's disclosure of the breach also prompted several consumer class-action lawsuits. In all, 26 of those lawsuits were consolidated into one lawsuit in the U.S. District Court for the District of Maine. The lawsuit charged Hannaford with breach of implied contract, negligence, violation of Maine's unfair trade practices statute and four other causes of action.
The district court, like several other courts in similar cases, dismissed all but one of the claims. The only complaint that was allowed to stand was from a woman who said she had not been reimbursed by her bank for fraudulent charges on her bank account after the Hannaford breach.
Consumers with no fraudulent charges posted to their accounts could not seek damages under Maine law; neither could those who might have had fraudulent charges on their accounts that were later reversed, the district court judge had ruled.
In its ruling last week, the appellate court agreed with the district court's decision on almost all counts. However, it held that consumers who paid for credit monitoring services or to get their banks to reissue cards as a proactive security measure had a basis for making a claim against Hannaford.
"When a customer uses a credit card in a commercial transaction, she intends to provide that data to the merchant only," the court wrote in its opinion.
"Ordinarily, a customer does not expect -- and certainly does not intend -- the merchant to allow unauthorized third-parties to access that data. A jury could reasonably conclude, therefore, that an implicit agreement to safeguard the data is necessary to effectuate the contract."
While the ruling is important, it only addresses the actual out-of-pocket costs that some consumers experienced as a result of the breach, Vernick said.
Many similar consumer class-action lawsuits have sought compensation for the alleged time and effort people needed to spend to get their cards reissued, change bank accounts, or sign up for credit monitoring services.
The appellate court's decision does not allow consumers to pursue damages that are largely speculative, Vernick said. "If you are the victim of a data breach, and there is a general threat of financial fraud or ID theft, you will still have a hard time recovering" damages from the breached entity, he said.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld.