Judge Revives Question of Retail Liability in Hannaford Breach Case
By Kim Zetter
October 9, 2009
1:36 pm
Categories: Breaches, The Courts
A federal judge in Maine this week reversed an earlier decision to dismiss a class-action lawsuit against Hannaford Brothers, and is asking the state’s Supreme Court to weigh in on whether a consumer’s loss of time in dealing with the after-effects of a data breach constitute actual losses worthy of compensation.
If the Supreme Court decides that such losses do merit compensation, it would tear down some of the protections that have shielded retailers from legal liability for data breaches.
Last May, U.S. District Court Judge D. Brock Hornby, who is overseeing the case involving a 2007-2008 breach of the Hannaford Brothers supermarket chain, ruled that breach victims were not entitled to restitution.
The breach resulted in 4.2 million credit and debit card numbers being exposed to hackers. Of these, about 1,800 account numbers are known to have been used for fraudulent purchases.
Consumers filed civil suits against Hannaford in several states for breaching an implied contract by failing to properly secure their data. The cases were consolidated into a single case in Maine, where Hornby tossed out all of the complaints except one in May on grounds that no contract existed between the plaintiffs and Hannaford, and the banks’ zero-liability policies protected the consumers from actual losses. He also ruled that the hassles and losses of time that consumers suffered in dealing with the breach didn’t constitute actual monetary losses.
The one suit he didn’t toss at the time involved a Vermont woman who was reportedly never reimbursed for her losses.
A Maine law covering breaches allows consumers to recover damages if the merchant’s negligence caused a direct loss to the consumer’s account.
Judge Hornby noted in his decision that, per the law, the merchant is liable for the loss only when its negligence “causes an unreimbursed fraudulent charge or debit against a customer’s account.” He added that “collateral consequences” are not covered under the state law.
The plaintiffs filed a motion at the time asking the judge to consider allowing the state’s Supreme Court to weigh in on whether the state breach law could be interpreted to allow a monetary value be placed on a consumer’s anxiety and loss of time.
Storefront Backtalk reports that on Monday, Hornby granted the plaintiff’s motion to seek a review of the law from the higher court. The question before the court is: “Do time and effort alone, spent in a reasonable effort to avert reasonably foreseeable harm, constitute a cognizable injury under Maine common law?”
In his decision to seek the Supreme Court review, Hornby wrote that “if the Maine Law Court’s answer to the certified question on the cognizable harm issue favors the plaintiffs, the plaintiffs will have both a negligence claim and an implied contract claim.”
Subscribe to:
Post Comments (Atom)
This article brings up an interesting question; should people be able to sue companies for hassles and time losses? In my opinion, I'd say no. The problem with making people able to sue for hassles is where do you draw the line? What doesn't constitute as a hassle? Unless clear lines are drawn, I wouldn't be in support of this becoming a law.
ReplyDeleteI agree with Tom. Although as a consumer it would be great to be able to seek restitution from a company for the time and energy spent on the phone trying to get an issue resolved when the issue was clearly their fault, in the long run it would make the whole process more time consuming and expensive.
ReplyDeleteLegally, I do not think that the plaintiffs have either a negligence claim or an implied contract claim. As long as Hannaford had safeguards to prevent a data breach then they did not act negligently. Furthermore there is no implied contract between the plaintiffs and Hannaford as the conditions do not meet the requirements for an implied contract.