Maine court limits damage claims in data breach cases

Victims can't seek restitution unless they suffer actual losses, state Supreme Court says

Maine's Supreme Court has ruled that consumers affected by the data breach at supermarket chain Hannaford Bros. in 2008 cannot claim damages from the company unless they suffered uncompensated financial losses or some other tangible injury.

The ruling is important because this marks the first time a court has ruled on whether consumers can claim compensation for the time and effort they put into changing their payment cards and bank accounts after a data breach.

The ruling also effectively puts an end to the class-action suit filed against the Scarborough, Me.-based supermarket chain in the wake of its data breach disclosure in March 2008.

The intrusion resulted in the theft of card holder data of about 4.2 million people. In many cases, the data was later fraudulently used. Several lawsuits were filed against Hannaford by consumers and by banks seeking restitution for various breach-related claims.

In May 2009, the U.S. District Court in Maine dismissed all of the consumer complaints against Hannaford. District Court Judge Brock Hornby, who heard the case, ruled that without actual loss of money or property, consumers really couldn't sue the supermarket chain.

The lawsuits had alleged that Hannaford was negligent in its duty to protect card holder data and failed to notify consumers of the breach in a timely fashion.

The only complaint Hornby allowed to proceed was one involving a woman who said she had not been reimbursed by her bank for fraudulent charges on her bank account after the breach.

The judge, however, reversed a portion of his ruling last October in response to a motion filed by the plaintiffs in the case. He agreed to let the state Supreme Court decide whether the plaintiffs could sue Hannaford for the time and effort put into avoiding or mitigating harm from fraudulent charges on their cards.

In an 11-page ruling on Tuesday, the Maine Supreme Court ruled that they could not.

"The tort of negligence does not compensate individuals for the typical annoyances or inconveniences that are a part of everyday life," Justice Joseph Jabar wrote for the court ( download PDF ). "An individual's time alone, is not legally protected from the negligence of others."

The ruling adds to the growing number of instances in which courts have flatly refused to consider consumer class-action lawsuits involving payment card data breaches.

In almost all the cases, the courts have held that consumers cannot sue companies for data breaches solely on the ground that the breach could result in future identity theft or financial losses. The only basis for a legal claim is if consumers actually suffer financial harm or other injury such as identity theft directly resulting from a breach, the courts have ruled.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed . His e-mail address is .

Read more about security in Computerworld's Security Topic Center.

Copyright © 2010 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon