Retail Data Breach Liability Shield May Get Gutted

Written by Fred J. Aun
October 8th, 2009

In a move that has the potential to make it much more difficult for retailers to defend themselves against civil data breach lawsuits, the judge overseeing the Hannaford data breach case has reversed himself. The Maine Supreme Court is now involved.

For years, retailers involved in major data breaches had little to worry about from U.S. courts, thanks to credit card zero-liability programs. Those programs made sure that consumers didn’t lose money from the breaches, which in turn made it almost impossible to successfully prosecute those retailers in civil courts. Civil courts are fundamentally based on making plaintiffs financially whole.

But there’s now the possibility that those retail protections could go away, because a Maine judge—who is overseeing the data breach litigation involving Hannaford—has asked the state Supreme Court for permission to do so. This is the same judge who had earlier dismissed the accusations against Hannaford. But he has since changed his mind.

Specifically, Maine’s highest court is being asked to determine whether the law recognizes the time and effort payment cardholders spend trying to protect themselves after a data breach as a “substantial injury” for which they can be compensated.

The issue is a result of the litigation surrounding the 2007-2008 breach at the Hannaford supermarket chain. The request for a Maine Supreme Judicial Court review of the matter was made Monday (Oct. 5) by U.S. District Court Judge D. Brock Hornby, the jurist deciding whether to allow a class-action lawsuit against Hannaford by cardholders. The data theft at the retailer, which operates more than 200 stores, exposed 4.2 million credit and debit cards and led to 1,800 reported cases of fraud.

On May 12, Hornby rejected all but one of the claims against Hannaford, generally finding that the plaintiffs’ banks protected them and prevented any consumer losses and ruling that he couldn’t attach a monetary value to the consumers’ other hassles and anxieties. However, the would-be class-action lawsuit plaintiffs kept the case alive by asking the judge to certify that a higher court should review parts of his ruling.

Although the judge denied the plaintiffs’ motion for higher court review of other plaintiff claims, including breach of implied contract, he granted their motion seeking review of the question regarding compensation for cardholder time and effort. The judge also dismissed the claim of the one remaining plaintiff that he did not reject on May 12, finding that she, like the others, suffered no financial loss.

In his order, Hornby limited the Maine Supreme Judicial Court’s review to one narrow question: “Do time and effort alone, spent in a reasonable effort to avert reasonably foreseeable harm, constitute a cognizable injury under Maine common law?”

Hornby wrote that there long have been problems with the state’s “economic loss doctrine,” the part of the law at issue. “The contour and scope of the economic loss doctrine under Maine law have perplexed the federal courts in the District of Maine for some time,” he wrote. “My colleague, Judge Carter, has aptly described the uncertainty that a district court faces whenever the economic loss doctrine figures” in a lawsuit.

In their appeal, the plaintiffs argued “that Maine law is uncertain as to whether their claimed damages for lost time and effort are recoverable,” Hornby wrote. While there is no controlling case law, a 1977 Maine statute does recognize damages for time and effort spent “mitigating or averting harm from tortious acts.” And, an appeals court in Massachusetts “held that such damages may be recovered in factual circumstances closely analogous to the plaintiffs’ [claims],” Hornby wrote.

However, the judge pointed out that Hannaford’s lawyers cited “cases from other jurisdictions reaching the opposite conclusion.” Therefore, Hornby said he was convinced that the high court “should be given the opportunity to determine whether such damages constitute a cognizable injury under Maine law.”

In agreeing to ask for the Maine Supreme Judicial Court review of the matter, the judge noted that “if the Maine Law Court’s answer to the certified question on the cognizable harm issue favors the plaintiffs, the plaintiffs will have both a negligence claim and an implied contract claim.” As such, a case that many had figured was dead in the water could get a new shot at life.

“This is significant because [Hornby] recently struck down many of the claims by cardholders relating to injuries they might suffer in the future, such as possible higher credit scores, saying they were too speculative and too remote to warrant injury,” said Mark Rasch, a lawyer who is the former head of the U.S. Justice Department’s High-Tech Crimes Unit and today serves as principal of Secure IT Experts. “What happens when a retailer suffers a data breach? Even if no cards are misused, you have a lot of consumers who may suffer a little bit of economic harm but a substantial amount of inconvenience. What the court has done here is kept open the possibility you may have to compensate them for their inconvenience.”

If that door is indeed open, it could be the first of several pieces of bad news for retail data breach defendants. Such a ruling would likely give attorneys a way to introduce evidence of neglect and recklessness, issues that retailers have thus far been able to avoid. Compensation for lost time is one thing. But opening the door to a jury being able to apply punitive damages? That could make things a lot more expensive for retailers.


One Comment

  1. Michael Cherry Says:

    Short of a financial meltdown it is very difficult for judges to continue to ignore millions of angry citizens.

    The PCI concept of trying to block criminals from breaking in and then being confused and amazed after they got in, was incredibly naive. In simple terms, they need to provide a motion detector with its own alarm just in case a door or window is pried open.

    Michael Cherry, Cherry Biometrics Inc.
    Vice Chair, Digital Technology Committee
    National Association of Criminal Defense Lawyers

