This is page 2 of:
During A Data Breach, Customers Will Stay—Unless You Alienate Them One At A Time
It is far cheaper to get a new card than to reimburse someone for a 70-inch, high-definition, 1080p, 3D-capable LED TV with surround sound bought with a compromised credit-card number. These “costs” are called reasonable mitigation costs.
In the Hannaford case, the merchant sought to have the court declare that the chain was not legally responsible for these costs. Sure, Hannaford reasoned, if your card number was actually used as a result of the compromise, it might have to reimburse you for the fraudulent charges. But the chain argued that the mitigation costs themselves were too speculative, citing other cases where, for example, a data tape or laptop was lost and the court did not force the company that lost the tape or machine to pay for credit-watch services for the thousands or millions of people whose names might have appeared on it.
The Hannaford federal court correctly pointed out that what counts as reasonable mitigation when there is a mere remote possibility of identity fraud or identity theft is not the same as what counts as reasonable mitigation when hackers have actually stolen identity information and used that very information to commit identity theft and credit-card fraud. In the latter case, card reissuance and credit-watch services are perfectly reasonable and, therefore, should be compensated by the allegedly negligent merchant.
Hannaford won most issues in the case when the court ruled that the chain had no special “duty” to protect consumer data under Maine law and that many non-economic damages (i.e., harms other than lost money) could not be recovered under the language of Maine’s consumer-protection statute. Hannaford also won when the court ruled that speculative and remote losses (like anxiety over possible future fraud) could not be recovered under Maine law, which requires a person suing for consumer fraud to have suffered a “loss of money or property.”
But even on the issue on which Hannaford “lost”—the issue of mitigation damages—it ultimately won by losing. Merchants need to understand that the “Otter Letter” is not a viable strategy for customer retention. It’s not a good idea to tell consumers, whose only mistake was trusting you with their credit-card number, that they—not you—have to pay the reasonable costs of getting a new card. A better approach is to tell them honestly whether you think card cancellation or replacement, or a fraud-watch service, is appropriate in light of the nature of the breach. If the breach is a data tape sitting on a UPS truck somewhere in Des Moines, Iowa, with a bad tracking number, cancellation is unreasonable and overkill. In the Hannaford case, I probably would have cancelled my card. Wouldn’t you?
To the extent the case mandates that merchants treat their customers right, the case should be unsurprising. For this we needed teams of lawyers?
If you disagree with me, I’ll see you in court, buddy. If you agree with me, however, I would love to hear from you.