Plaintiff customers in litigation stemming from Hannaford Brothers, Co.’s 2007 data breach were handed a partial victory by the First Circuit on October 20th. The Court held that plaintiffs’ claims for negligence and implied contract should survive Hannaford’s motion to dismiss because plaintiffs’ reasonably foreseeable mitigation costs constitute a cognizable claim for damages under Maine law. While this case, Anderson v. Hannaford Brothers, Co., may be read narrowly to apply only to circumstances involving actual theft and misuse of customers’ data, plaintiffs’ lawyers, who for years have made unsuccessful claims for damages following data security breaches, will likely attempt to broaden this holding to apply at least to other mitigation costs incurred by plaintiffs.

Factual and Procedural Background

Anderson v. Hannaford Brothers, Co., which consolidated 26 separate lawsuits against the supermarket chain, stems from a 2007 breach in which hackers stole up to 4.2 million credit and debit card numbers, expiration dates, and security codes (notably, they did not steal customers’ names). Hannaford announced the breach in March 2008, noting that it had already received reports of approximately 1,800 cases of fraud resulting from the breach. Following Hannaford’s announcement, some financial institutions canceled customers’ credit and debit cards, and issued new cards, while others did not, indicating that they would monitor customer accounts for unusual activity. Some customers who requested that their cards be canceled were required to pay fees for replacement cards, and others purchased identity theft insurance and credit monitoring services to protect themselves against possible consequences of the breach.

The plaintiffs alleged seven causes of action, including breach of implied contract; breach of implied warranty; breach of duty of a confidential relationship; failure to advise customers of the theft of their data; strict liability; negligence; and violation of Maine’s Unfair Trade Practices Act (UTPA). The District Court granted Hannaford’s motion to dismiss as to 20 of the 21 plaintiffs. (One plaintiff was allowed to proceed because she was the only plaintiff to allege unreimbursed fraudulent charges to her account.) The District Court held that the other plaintiffs failed to state claims under Maine law for breach of fiduciary duty, breach of implied warranty, strict liability and failure to notify customers of the data breach. And although plaintiffs did adequately allege breach of implied contract, negligence and violation of UTPA, the plaintiffs’ alleged injuries were "too remote, not reasonably foreseeable and/or speculative" to be recognized under Maine law. In addition, the district court determined that "there was no way to value or compensate the time and effort that customers spent to reverse or protect against losses, and that there was no allegation to justify the claim for identity theft insurance since no personally identifying information was alleged to have been stolen."

Following the District Court’s decision, the plaintiffs moved to certify several questions to the Maine Supreme Judicial Court. The District Court certified two questions, and only one was answered by the Maine Supreme Judicial Court (the second was deemed moot based on the answer to the first question). The certified question read: "[i]n the absence of physical harm or economic loss or identity theft, do time and effort alone, spent in a reasonable effort to avoid or remediate reasonably foreseeable harm, constitute a cognizable injury for which damages may be recovered under Maine law of negligence and/or implied contract?"

The Maine Supreme Judicial Court answered the question in the negative, agreeing with the District Court that time and effort alone do not constitute a cognizable claim under Maine law. After ordering the parties to show cause why judgment should not be entered in favor of Hannaford on all claims, the District Court ordered judgment in favor of Hannaford.

The First Circuit Decision

Plaintiffs appealed the District Court’s decision regarding the fiduciary duty, breach of implied contract, negligence and Maine UTPA claims. The First Circuit held that plaintiffs adequately alleged theories of negligence and breach of implied contract, and that those claims should survive Hannaford’s motion to dismiss.

Negligence: The First Circuit adopted the Restatement (Second) of Torts sec. 919, which provides that "[o]ne whose legally protected interests have been endangered by the tortious conduct of another is entitled to recover for expenditures reasonably made or harm suffered in a reasonable effort to avert the harm threatened." The Court also noted that, as a matter of policy, Maine law encourages plaintiffs to take reasonable steps to minimize losses caused by a defendant’s negligence. To recover mitigation damages, plaintiffs must show that efforts to mitigate were reasonable, and that those efforts constitute a legal injury, such as actual money lost, rather than time or effort expended.

After reviewing decisions of other jurisdictions that have adopted the Restatement (Second) of Torts sec. 919, the Court considered whether the plaintiffs’ mitigation steps were reasonable, and stated that "[i]t was foreseeable, on these facts that a customer, knowing that her credit or debit card had been compromised and that thousands of fraudulent charges had resulted from the same security breach, would replace the card to mitigate against misuse of the card data." The court thus held that "[p]laintiffs’ claims for identity theft and replacement card fees involve actual financial losses from credit and debit card misuse. Under Maine contract law, these financial losses are recoverable as mitigation damages as long as they are reasonable."

Implied Contract: The First Circuit held that a jury could reasonably find an implied contract between Hannaford and its customers that Hannaford (1) would not use the credit card for other people’s purchases; (2) would not sell the data to others; and (3) would take reasonable measures to protect the information.

The First Circuit held that other arguments asserted by plaintiffs must fail.

Fiduciary/Confidential Relationship: Plaintiffs argued that a fiduciary relationship arises in the context of credit and debit card use because the customer trusts the merchant to safeguard her credit or debit card information. The First Circuit agreed with the District Court that the plaintiffs’ argument must fail, and that Hannaford does not owe a fiduciary duty to its customers. The First Circuit reasoned that (1) the plaintiffs have not shown the trust and confidence contemplated by Maine confidential relationship cases; (2) the plaintiffs have not pleaded facts demonstrating disparate bargaining power between the plaintiffs and Hannaford; and (3) the plaintiffs fail to allege facts demonstrating that Hannaford abused a position of trust.

Maine UTPA: After a lengthy discussion of the availability of a private right of action under UTPA, the First Circuit rejected plaintiffs’ UTPA claim, stating that "[i]t seems unlikely to us that Maine would permit plaintiffs, in cases also pleading that the same acts constitute negligence and breach of implied contract, to use the right of private action provision of the UTPA to recover types of damages which Maine has decided are not reasonably foreseeable or barred for policy reasons when asserted under implied contract, negligence or other theories."

Implications

While it will likely be quite some time before we know how this case will ultimately be resolved, Anderson v. Hannaford should put companies on notice that out-of-pocket costs incurred to mitigate losses resulting from a data breach may result in viable damages claims.