Appeals court says some claims may proceed in Hannaford data breach lawsuit
Consumers who paid for ID security measures may seek compensation, court rules
Computerworld - In a rare instance of a court siding with consumers in a data breach lawsuit, a federal appeals court has cleared the way for a class-action lawsuit to proceed against grocery chain Hannaford Bros. over a 2007 data breach that exposed millions of customers' credit and debit card numbers.
The U.S. Court of Appeals for the First Circuit last week ruled that consumers who took proactive steps to protect themselves against fraud and identity theft in the wake of the breach may seek compensation for their expenses from Hannaford.
The decision overturns an earlier decision by a district court in Maine which had held that consumers could not seek compensation from Hannaford because their alleged injuries stemming from the breach were too speculative and unforeseeable.
The ruling is noteworthy because "up until this point, many if not most courts have dismissed these consumer class actions on the basis that consumers did not have standing or the damages were too speculative," said Scott Vernick, an attorney in the Philadelphia office of Fox Rothschild.
But it could be a mistake to read too much into the decision, because it pertains to a somewhat specific set of circumstances, he added.
A Hannaford spokesman said the company does not want to comment on the ruling because there are still some issues under litigation.
The lawsuit, John Anderson et al. v. Hannaford Bros. Co., stems from a data breach at Hannaford that exposed 4.2 million credit and debit cards. The theft began in December 2007 but was not detected and disclosed by the company until March 2008. At the time of the disclosure, Scarborough, Maine-based Hannaford said it had detected about 1,800 of the compromised cards being used in a fraudulent manner. The company's disclosure prompted several banks to cancel and reissue credit and debit cards as a precautionary measure against fraudulent use.
Hannaford's disclosure of the breach also prompted several consumer class-action lawsuits. In all, 26 of those lawsuits were consolidated into one lawsuit in the U.S. District Court for the District of Maine. The lawsuit charged Hannaford with breach of implied contract, negligence, violation of Maine's unfair trade practices statute and four other causes of action.
The district court, like several other courts in similar cases, dismissed all but one of the claims. The only complaint that was allowed to stand was from a woman who said she had not been reimbursed by her bank for fraudulent charges on her bank account after the Hannaford breach.
Consumers with no fraudulent charges posted to their accounts could not seek damages under Maine law; neither could those who might have had fraudulent charges on their accounts that were later reversed, the district court judge had ruled.
In its ruling last week, the appellate court agreed with the district court's decision on almost all counts. However, it held that consumers who paid for credit monitoring services or to get their banks to reissue cards as a proactive security measure had a basis for making a claim against Hannaford.
"When a customer uses a credit card in a commercial transaction, she intends to provide that data to the merchant only," the court wrote in its opinion.
"Ordinarily, a customer does not expect -- and certainly does not intend -- the merchant to allow unauthorized third-parties to access that data. A jury could reasonably conclude, therefore, that an implicit agreement to safeguard the data is necessary to effectuate the contract."
While the ruling is important, it only addresses the actual out-of-pocket costs that some consumers experienced as a result of the breach, Vernick said.
Many similar consumer class-action lawsuits have sought compensation for the alleged time and effort people needed to spend to get their cards reissued, change bank accounts, or sign up for credit monitoring services.
The appellate court's decision does not allow consumers to pursue damages that are largely speculative, Vernick said. "If you are the victim of a data breach, and there is a general threat of financial fraud or ID theft, you will still have a hard time recovering" damages from the breached entity, he said.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed . His email address is firstname.lastname@example.org.
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Pay-as-you-Grow Data Protection: IBM Tivoli's Full-featured Data Protection Suite for Small to Medium Businesses IBM Tivoli Storage Manager Suite for Unified Recovery gives small and medium businesses the opportunity to start out with only the individual solutions...
- Streamline Data Protection with IBM Tivoli Storage Manager Operations Center IBM Tivoli Storage Manager (TSM) has been an industry-standard data protection solution for two decades. But, where most competitors focus exclusively on Backup...
- Simplify and Consolidate Data Protection for Better Business Results Learn about IBM® Tivoli® Storage Manager Operations Center, which provides advanced visualization, built-in analytics and integrated workflow automation features that leapfrog traditional backup...
- HP HAVEn: See the big picture in Big Data HP HAVEn is the industry's first comprehensive, scalable, open, and secure platform for Big Data. Enterprises are drowning in a sea of data...
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well...
- The New Way to Work Knowledge Vault This Knowledge Vault focuses on how, in today's increasingly virtual world, it's more important than ever to engage deeply with employees, suppliers, partners,... All Knowledge Center White Papers | Webcasts