October 27, 2011
In Hannaford Data Breach Case, First Circuit Says Card Replacement and ID Theft Insurance are Reasonable Mitigation Damages and Compensable--Anderson v. Hannaford Bros.
[Post by Venkat Balasubramani]
Anderson v. Hannaford Brothers Co., 10-2384; 2450 (1st Cir. Oct. 20, 2011)
Background: Plaintiffs sued Hannaford based on a massive data breach in 2007. In this ruling, the First Circuit said that money spent by plaintiffs to obtain replacement credit cards and for credit monitoring could be considered reasonable mitigation efforts and was therefore legally compensable.
The court recounts the facts underlying the data breach, which is reportedly one of the largest ever. In late 2007, hackers stole up to 4.2 million credit card numbers, expiration dates, and security codes. Visa notified Hannaford in February 2008, and Hannaford publicly announced the breach on March 17, 2008. At the time it made the announcement, Hannaford knew of some 1,800 cases of fraud resulting from the breach--the unauthorized charges in question "originated in locations across the globe, including New York, Spain, and France."
Affected customers fell into a few different categories. Some financial institutions immediately cancelled their customers' cards and issued replacements. Others did not cancel the card but monitored accounts. Some customers requested that their cards be cancelled but had to pay fees. Other customers also purchased identity theft insurance.
Twenty-six different lawsuits were filed against Hannaford, which were consolidated in the District of Maine. The consolidated complaint alleged that fourteen of the named plaintiffs had unauthorized charges on their accounts, seventeen of the named plaintiffs had their cards cancelled, and two of the plaintiffs requested that their issuers give them replacement cards. Plaintiffs alleged seven causes of action, including breach of contract, breach of an implied warranty, negligence, and unfair trade practices. They also alleged a variety of different injuries, including:
the cost of replacement card fees when the issuing bank declined to issue a replacement card to them, fees for accounts overdrawn by fraudulent charges, fees for altering pre-authorized payment arrangements, loss of accumulated reward points, inability to earn reward points during the transition to a new card, emotional distress, and time and effort spent reversing unauthorized charges and protecting against further fraud.
Plaintiffs also claimed damages for "the cost of purchasing identity theft/card protection and credit monitoring services."
District Court Proceedings: The district court split the plaintiffs into three different categories. The first category was composed of customers who did not have fraudulent charges posted to their accounts, and the district court held that they were not entitled to relief. The second group was composed of plaintiffs who incurred unreimbursed financial charges. The court said that these plaintiffs could recover. However, during the pendency of the litigation, the single plaintiff who had an unreimbursed charge advised that the charge had been reversed.
The last category was composed of customers who experienced unauthorized charges but whose charges were reversed. The district court said that the losses suffered by these customers were "too remote, not reasonably foreseeable, and/or speculative (and under the [trade practices statute] not a 'substantial injury')." (Here's my earlier blog post on the district court ruling: "Hannaford Data Breach Plaintiffs Rebuffed in Maine.") After the court's ruling, plaintiffs moved to certify several questions to the Maine Supreme Judicial Court. The key question, which the court answered in the negative, was whether "time and effort alone, spent in a reasonable effort to avoid or remediate reasonably foreseeable harm" was a cognizable injury under negligence or breach of contract theories. (Here's a brief post discussing this ruling: "Two More Courts Close the Doors on Data Breach Plaintiffs.")
First Circuit: The court rejects plaintiffs' cause of action for breach of fiduciary duty, finding that the relationship between a grocery store and customer is not sufficiently imbued with trust or unequal bargaining power for the court to impose fiduciary obligations on Hannaford. The court also rejects plaintiffs' claims under Maine's unfair trade practices act, finding that the statute does not provide for a private cause of action in these circumstances. The court does recognize plaintiffs' implied contract and negligence claims. Although the court finds that plaintiffs can assert two different bases for recovery (negligence and implied contract), the court focuses on what types of damages are recoverable.
The court says that the costs of procuring replacement cards and credit insurance are recoverable as reasonable mitigation damages. The court looks to the Restatement of Torts (section 919) and its treatment in other contexts (construction and environmental cases) and says that the key question is whether the amounts expended were reasonable when made, even if they turn out to be excessive when viewed in hindsight. In the context of this case, plaintiffs' mitigation efforts were reasonable. Plaintiffs' credit card data was stolen by a sophisticated group of thieves who not only intended to misuse the data but actually did. The court contrasts these facts with other data breach cases where there had been no obvious malfeasance or no actual misuse of the data. Further evidence of the reasonableness of plaintiffs' efforts was the fact that some banks actually issued replacement cards. The court holds that even if plaintiffs did not experience any unauthorized charges, it was reasonable under the circumstances to pay to have their cards replaced.
While the court finds that the replacement card and identity theft insurance fees are recoverable, the court affirms the district court ruling with respect to the remaining categories of damages. These include the claims based on loss of reward points, fees for altering pre-authorized payment arrangements, and the other categories listed above.
This is not the first court to say that credit monitoring may be an appropriate response to a data breach. In Ruiz v. Gap, the Ninth Circuit analogized to toxic chemical exposure and noted that in certain circumstances, the costs for monitoring credit activity following a data breach may be recoverable. ("9th Circuit Affirms Rejection of Data Breach Claims Against Gap.") In that case, defendant had offered credit monitoring services and plaintiffs failed to explain why they were inadequate, so the Ninth Circuit did not end up expressly deciding the issue.
Although I'd chalk this up as a win for data breach plaintiffs, it's a slight one. The court's ruling appears limited to credit cards and the court relies heavily on the fact that the prospects of misuse were significant and had actually occurred. The court notes: "where neither the plaintiff nor those similarly situated have experienced fraudulent charges resulting from a theft or loss of data, the purchase of credit monitoring services may be unreasonable and not recoverable." The court also ends up disapproving the bulk of the requested damages. At a minimum, the fact that the court disapproves of damages such as time spent dealing with remedial efforts, damages relating to rewards programs, and for emotional distress is significant. There's no prospect of a damage free-for-all. In fact, in the event of this type of a breach, the prospective defendant(s) can limit their liability by covering the costs of free credit monitoring services and the costs of replacement cards.
The court mentions in a footnote that cardholders are probably limited in their exposure to unauthorized charges due to the Truth in Lending Act. Hannaford argued that the card issuers have instituted "zero-liability protection," which means that customers are not liable for unauthorized charges, but the court says that this does not matter. It would still be reasonable for customers to attempt to mitigate harm to themselves in these circumstances.
A big question is what this means for other privacy plaintiffs in terms of Article III standing. In concluding that plaintiffs may move forward, the court points out the fact that plaintiffs suffered "actual financial losses." Thus, plaintiffs who allege anything other than actual financial losses (e.g., Facebook privacy plaintiffs) would still face an Article III standing hurdle under this case.
Earlier posts on Hannaford:
Related (data breach) posts:
"Starbucks Data Breach Plaintiffs Rebuffed by Ninth Circuit -- Krottner v. Starbucks"
"Two More Courts Close the Doors on Data Breach Plaintiffs"
"9th Circuit Affirms Rejection of Data Breach Claims Against Gap -- Ruiz v. Gap"
"The [Non]enforceability of Privacy Promises--Pinero v. Jackson Hewitt"
"Acxiom Not Liable for Security Breach"
Posted by Venkat at October 27, 2011 08:38 AM | Privacy/Security