United States Appellate Court Affirms Corporate Liability for Loss of Credit Card Information

John Blumenschein

In Anderson v. Hannaford Brothers Co., 2011 WL 5007175 (C.A.1 (Me. Oct. 20, 2011)), the United States Court of Appeals for the First Circuit ruled that plaintiffs could proceed on a cause of action that would allow them to recover damages for expenses incurred in mitigating the loss associated with compromised credit card information.

The plaintiffs are a group of customers who had their credit card information stolen from a database maintained by the defendant Hannaford Brothers Co., a national grocery store chain. In total, 4.2 million credit and debit card numbers had been compromised. The breach occurred as early as December of 2007, was discovered by the company on March 8, 2008 and contained on March 10, 2008.

Hannaford announced that at least 1,800 cases of fraud resulted from the theft of the credit and debit card data. Individuals who had credit and debit card information stolen filed a class action lawsuit against Hannaford, alleging seven causes of action, including negligence and breach of implied contract. The district court eventually dismissed all the claims against Hannaford. As a result, the plaintiffs appealed the dismissal of their negligence, breach of implied contract, and unfair trade practices claims to the First Circuit.

The plaintiffs alleged they should be able to recover the costs associated with mitigating the theft of their credit card information because of Hannaford’s negligent actions. In cases that do not involve physical harm, a party in Maine can recover if the actions taken by those mitigating the damage from the negligent harm were reasonably foreseeable. This means that a plaintiff may recover costs for “harms incurred during a reasonable effort to mitigate,” regardless of whether the harm is nonphysical. To recover the costs of mitigating loss resulting from the security breach at Hannaford, the plaintiffs needed to show that their efforts were reasonable and that actual monetary loss occurred, rather than merely time or effort undertaken to mitigate; i.e., a plaintiff must show an actual monetary injury in order to recover mitigation damages.

The First Circuit concluded that, in order to determine whether the plaintiffs’ mitigation steps were reasonable, the factual context is the proper inquiry in this case. The court noted that a sophisticated large scale crime was committed, in which millions of credit card numbers were stolen. In this case, there was actual misuse of financial information as a result of the theft of data. There was a real risk to the victims, not a speculative risk of monetary damage. The court stated that the fact that banks cancelled and issued new cards was evidence that issuing replacement cards was reasonable mitigation.

The First Circuit ruled that fees associated with obtaining a replacement card to prevent fraudulent charges were reasonably associated with mitigation. Additionally, if a card had actually been used fraudulently, then the purchase of insurance against misuse was reasonably foreseeable mitigation. The court also stated that in this case actual injury resulted, which allowed for mitigation. Other courts have issued decisions where no recovery was granted for mitigating loss, but in those cases there was no injury in fact; the injury was purely speculative.

Earlier this year, we discussed Krottner v. Starbucks, 628 F.3d 1139 (9th Cir. Dec. 14, 2010), in which the United States Court of Appeals for the 9th Circuit ruled that a class action lawsuit could proceed when a company-owned laptop was stolen, even though the data was not misused (see the blog post here). Although Anderson v. Hannaford is a case that deals with a much more sophisticated and large scale data breach (as well as actual injury on the part of the plaintiffs), these cases are significant because they demonstrate how, no matter how large or small, companies can be held liable for data breaches. And if failure to have adequate security measures to protect against a sophisticated attack by hackers is negligence — then there will be more class actions like Anderson v. Hannaford down the road.
