Businesses that require their customers to disclose credit card and personal information beware. On October 20th, the U.S. Court of Appeals for the 1st Circuit held that claims by class action plaintiffs for "mitigation damages" arising from alleged negligence and breach of contract are viable under Maine law. Anderson v. Hannaford Brothers Co., Nos. 10–2384, 10–2450, 2011 U.S. App. LEXIS 21239 (1st Cir. Oct. 20, 2011).
In Anderson, the electronic payment processing system of a national grocery chain, Hannaford Brothers Co., was breached by hackers in 2007. This resulted in the dissemination of as many as 4.2 million credit card and debit card numbers, expiration dates, and security codes. Hannaford Brothers was not notified of the breach until February 27, 2008 and subsequently contained the breach on March 10, 2008. A week later, Hannaford released a statement regarding the breach and announced that more than 1,800 cases of fraud resulting from the theft had already been reported.
Following Hannaford's announcement, several financial institutions immediately cancelled customers' debit and credit cards. Some financial institutions refrained from immediately canceling the credit card, but monitored the accounts for unusual activity, and then cancelled the cards — in many cases without notifying the customer. Customers who asked that their cards be cancelled incurred fees from the issuing banks for the replacement cards.
Consequently, a class action complaint was filed against Hannaford alleging seven causes of action: (1) breach of implied contract, (2) breach of implied warranty, (3) breach of duty of a confidential relationship, (4) failure to advise customers of the theft of their data, (5) strict liability, (6) negligence, and (7) violation of the Maine Unfair Trade Practices Act (UTPA). The plaintiffs allege that they suffered damages as a result of the breach, including unauthorized charges, the cost of replacement card fees when the issuing bank declined to issue a replacement card to them, fees for accounts overdrawn by fraudulent charges, fees for altering preauthorized payment arrangements, loss of accumulated reward points, inability to earn reward points during the transition to a new card, emotional distress, and time and effort spent reversing unauthorized charges and protecting against further fraud. The plaintiffs also claim damages for purchasing identity theft insurance and credit monitoring services.
In determining whether the plaintiffs sufficiently stated claims for relief, the district court divided the plaintiffs into three categories. The first group of plaintiffs, those who did not have fraudulent charges posted to their accounts, could not recover as claims for emotional distress were not recoverable under Maine law. The second category, comprising a single plaintiff who had not been reimbursed for fraudulent charges, could recover for actual losses. As to the third category, those plaintiffs who were reimbursed for fraudulent charges, the court held they could not recover their alleged consequential damages (i.e. overdraft fees, loss of accumulated reward points, and loss of opportunity to earn rewards points) as these damages were not reasonably foreseeable or were too speculative.
The plaintiffs thereafter moved to certify several questions to the Maine Supreme Judicial Court, namely whether, in the absence of physical harm or economic loss, time and effort to avoid or remediate a reasonably foreseeable harm constitute a cognizable injury under Maine law of negligence or implied contract? The Supreme Judicial Court, agreeing with the district court, answered this question in the negative. Upon no response being offered to show cause why judgment should not be entered in favor of Hannaford on all claims, the district court entered judgment in favor of Hannaford. The class plaintiffs appealed.
On appeal, the 1st Circuit held that the plaintiffs had adequately alleged theories of negligence and breach of implied contract. Under Maine law, generally speaking, the test for both contract and tort recovery is one of reasonable foreseeability. Furthermore, a plaintiff may recover costs incurred in a reasonable effort to mitigate. The court explained that the plaintiffs had alleged two forms of mitigation damages cognizable under Maine law with respect to the negligence and implied contract claims. The court held that it was foreseeable that a customer whose data had been breached would replace a card to mitigate against misuse of the card data. Furthermore, the court held that it was foreseeable that a customer would later purchase insurance to protect against data misuse.
At the same time, the 1st Circuit held that the district court was correct in finding that "the plaintiffs' claims for loss of reward points, loss of reward point earning opportunities, and fees for pre-authorization changes were not recoverable." According to the court, such damages "were too attenuated from the data breach because they were incurred as a result of third parties' unpredictable responses to the cancellation of plaintiffs' credit or debit cards."
In so holding, the 1st Circuit distinguished cases in other jurisdictions that held that, on the facts presented, the costs of credit monitoring and services and identity theft insurance were not damages available under a negligence theory. The court noted that, in several of those cases, the plaintiffs had not alleged that unauthorized charges had been made. In the absence of such allegations, these courts reasoned that there lacked a reasonable basis that such unauthorized charges would be made.
It is also worth noting that this decision was provided in response to a motion to dismiss and it remains to be seen as to whether the plaintiffs will be able to prove their alleged damages. Regardless, data holders should be cognizant that, at least under Maine law, mitigation damages are available to plaintiffs to complete claims for negligence and implied contract when allegations of unauthorized charges or identity theft have been made.
www.cozen.comThe content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
