ARTICLE
31 October 2011

And Now, The Maine Event: Mitigation Costs Constitute Damages In Data-Breach Case


Originally published on CyberInquirer.

Businesses that necessarily require their customers to disclose credit card and personal information, beware.   Just five days ago, the United States Court of Appeals for the First Circuit held that claims by class action plaintiffs for "mitigation damages" arising from alleged negligence and breach of contract were viable.  Anderson v. Hannaford Brothers Co., Nos. 10–2384, 10–2450, 2011 U.S. App. LEXIS 21239 (1st Cir. Oct. 20, 2011). 

In Anderson, the electronic payment processing  system of a national grocery chain, Hannaford Brothers Co., was breached by hackers in 2007. This resulted in the dissemination of as many as 4.2 million credit card and debit card numbers, expiration dates, and security codes.  Hannaford Brothers was not notified of the breach until February 27, 2008 and subsequently contained the breach on March 10, 2008.  A week later, Hannaford released a statement regarding the breach and announced that over 1,800 cases of fraud resulting from the theft already had been reported. 

Following Hannaford's announcement, several financial institutions immediately cancelled customers' debit and credit cards. Some financial institutions refrained from immediately cancelling the cards and instead monitored the accounts for unusual activity, in many cases cancelling the cards without notifying the customer. Customers who asked that their cards be cancelled incurred fees from issuing banks for the replacement cards.

Not surprisingly, a class action complaint against Hannaford followed, alleging seven causes of action: (1) breach of implied contract; (2) breach of implied warranty; (3) breach of duty of a confidential relationship; (4) failure to advise customers of the theft of their data; (5) strict liability; (6) negligence; and (7) violation of the Maine Unfair Trade Practices Act (UTPA). The plaintiffs pleaded that they suffered damages as a result of the breach, including unauthorized charges, and "the cost of replacement card fees when the issuing bank declined to issue a replacement card to them, fees for accounts overdrawn by fraudulent charges, fees for altering preauthorized payment arrangements, loss of accumulated reward points, inability to earn reward points during the transition to a new card, emotional distress, and time and effort spent reversing unauthorized charges and protecting against further fraud." The plaintiffs also claimed damages for purchasing identity theft insurance and credit monitoring services.

In determining whether the plaintiffs sufficiently stated claims for relief, the district court divided the plaintiffs into three categories. The first group of plaintiffs, those who did not have fraudulent charges posted to their accounts, could not recover, as claims for emotional distress were not recoverable under Maine law. The second category, comprised of the single plaintiff who had not been reimbursed for fraudulent charges, could recover for actual losses. As to the third category, those plaintiffs who were reimbursed for fraudulent charges, the court held that they could not recover their alleged consequential damages (i.e., overdraft fees, loss of accumulated reward points, and loss of opportunity to earn reward points), as these damages were not reasonably foreseeable or were too speculative.

The plaintiffs thereafter moved to certify several questions to the Maine Supreme Judicial Court, namely whether, in the absence of physical harm or economic loss, time and effort to avoid or remediate a reasonably foreseeable harm constitutes a cognizable injury under Maine law of negligence or implied contract. The Supreme Judicial Court, agreeing with the district court, answered this question in the negative. Upon no response being offered to show cause why judgment should not be entered in favor of Hannaford on all claims, the district court entered judgment in favor of Hannaford. The class plaintiffs appealed.

On appeal, the First Circuit held that the plaintiffs had adequately alleged theories of negligence and breach of implied contract.  Under Maine law, generally speaking, the test for both contract and tort recovery is one of reasonable foreseeability.  Furthermore, a plaintiff may recover costs incurred in a reasonable effort to mitigate.   The First Circuit explained that the plaintiffs had alleged two forms of mitigation damages cognizable under Maine law with respect to the negligence and implied contract claims.  First, the court held that it was foreseeable that a customer, whose data had been breached, would replace a card to mitigate against misuse of the card data.  Second, the court found that it was foreseeable that a customer would later purchase insurance to protect against data misuse.  

At the same time, the First Circuit held that the district court was correct in finding that "the plaintiffs' claims for loss of reward points, loss of reward point earning opportunities, and fees for pre-authorization changes were not recoverable." According to the court, such damages "were too attenuated from the data breach because they were incurred as a result of third parties' unpredictable responses to the cancellation of plaintiffs' credit or debit cards."

In so holding, the First Circuit distinguished cases in other jurisdictions which held that, on the facts presented, the costs of credit monitoring services and identity theft insurance were not damages available under a negligence theory. The court noted that, in several of those cases, the plaintiffs had not alleged that unauthorized charges had been made. In the absence of such allegations, these courts reasoned that there was no reasonable basis to conclude that such unauthorized charges would be made.

It is also worth noting that this decision was issued in response to a motion to dismiss, and it remains to be seen whether the plaintiffs will be able to prove their alleged damages. Regardless, data-holders should be cognizant that, at least under Maine law, mitigation damages may be available to plaintiffs who can prove they have suffered foreseeable and cognizable financial loss as a result of unauthorized charges or identity theft.

www.cozen.com
