October 07, 2010
Two More Courts Close the Doors on Data Breach Plaintiffs
[Post by Venkat]
There are a slew of cases that reject data breach claims brought by plaintiffs who have not suffered out of pocket losses. Recently, courts in Maine and Oregon joined the group of courts rejecting such claims.
In re Hannaford Bros. Co. Customer Data Security Breach Litigation, (Maine Supreme Court; Sept. 21, 2010): This is one of the cases arising out of the compromise of Hannaford Bros.' computer system (which resulted in the theft of "up to 4.2 million debit and credit card numbers, expiration dates, security codes, PINs and other information"). The merchants and service providers (and insurance companies) sparred separately, but this case involved claims asserted by affected customers. A group of 21 plaintiffs filed a lawsuit. Of these, one had a non-reimbursed or unresolved credit card charge, and the other plaintiffs had either not experienced any unauthorized charges or their charges had been resolved. Hannaford moved to dismiss, and the federal district court (where the case was originally filed) dismissed the bulk of the claims. (An earlier post of mine has some details of the district court decision: "Hannaford Data Breach Plaintiffs Rebuffed in Maine.") After the district court's ruling, the only plaintiff who suffered out-of-pocket loss had the charges reimbursed by the bank. The plaintiffs then moved for reconsideration, asserting that time and effort expended to "avoid or remediate" harm was sufficient damages under Maine law. The plaintiffs also moved to have the district court certify this issue to the Supreme Court of Maine.
The Maine Supreme Court answered the certified question in the negative, holding that "time and effort alone, spent in a reasonable effort to avoid reasonably foreseeable harm, is [not] a cognizable injury under" Maine law. The court notes that plaintiffs are required to mitigate damages, and in certain circumstances, plaintiffs are allowed to recover for their mitigation efforts. However, the court concludes that plaintiffs must "establish that the time and effort expended constitute a legal injury rather than an inconvenience or annoyance."
Paul v. Providence Health System-Oregon, (Ore. Ct. App. Oct. 6, 2010): This case involved the theft of patient care information, which was stolen as a result of an employee's decision to take data-laden disks and tapes home and leave them in his car overnight. [I'm guessing he will never leave anything valuable overnight in a vehicle ever again.] "The disks and tapes contained unencrypted patient records for approximately 365,000 individuals; the records included names, addresses, phone numbers, social security numbers, and patient care information." Plaintiffs asserted claims under negligence and an unfair trade practices statute.
The court cited to Oregon precedent rejecting claims brought by smokers who sought to recover for the increased risk of developing lung cancer. In rejecting the smokers' claims, the Oregon Supreme Court held that increased risk of future physical injury is not a cognizable injury in the negligence context, and that the economic cost of ongoing medical monitoring was not a sufficient injury to provide a basis for a negligence claim. Focusing on the second issue, the court framed the issue as whether a special relationship existed between the plaintiffs and Providence that warranted a departure from the general rule that you cannot recover for purely economic damages from a stranger. According to the court, the exception arises where there is a "special relationship" between the parties, for example where one party has "relinquished control over the subject matter of the relationship to the other party." Plaintiffs pointed to laws that required physicians to preserve the confidentiality of patient information, but the court held that this duty gave rise to a claim where there is an "affirmative disclosure" of confidential information, which the court awkwardly distinguished from the present case, which involved a mere failure to safeguard.
Finally, the court also dismissed the unfair trade practices claim brought by plaintiffs on the basis that plaintiffs did not allege "ascertainable losses."
Neither decision is particularly groundbreaking. I recently blogged about Ruiz v. Gap, which arrived at the same result ("9th Circuit Affirms Rejection of Data Breach Claims Against Gap"), but this is a relatively well-established trend. Both courts engage in judicial contortions (that seemed strained at certain points) to arrive at the same conclusion: no out-of-pocket loss = no claim. Interestingly, neither the Hannaford case nor the Providence Health case contains much discussion of credit monitoring services, which many data breach defendants offer as a matter of course.
Related: Professor Solove at Concurring Opinions wrote a post in reaction to the Hannaford ruling that warrants some additional discussion: "Are People Really Harmed By a Data Security Breach?" I'll save that for a later post, hopefully this week.
Previous blog posts on data breach cases:
Acxiom Not Liable for Security Breach--Bell v. Acxiom (Oct. 2006)
Posted by Venkat at October 7, 2010 10:05 AM | Privacy/Security