The Hannaford Data Breach Case Lives On. Lawyers Ask For Judge To Reverse Himself

Written by Evan Schuman
April 12th, 2013

Lawyers for consumers affected by a huge data breach involving the Hannaford grocery chain have asked a federal judge to reverse himself and to allow a class-action lawsuit against the grocer to proceed. In a twist, the attorneys are asking that any awarded money be given to bank officials, who would then—in theory—distribute it to victim consumers.

Lawyers wrote to U.S. District Court Judge D. Brock Hornby that the Hannaford case provides “an opportunity for the use of contemporary technology to ensure a very wide and complete distribution of the proceeds of any judgment or settlement directly to the persons harmed. Based on class certification discovery, it appears that the identity of each Class Member and the amount of his/her mitigating expenditure is recorded in electronic form by each of the card-issuing banks. In the event of a judgment or settlement, the recovery can be paid pro-rata to the banks, which can then electronically pro-rata credit the accounts of the Class Members, subject to a recipient’s right to reject the credit and opt out at the time of distribution. This can all be done without disclosure of the actual identity of any bank customer. It is hard to imagine that a card-issuing bank would not cooperate in a process that would provide cash benefits to its customers.”

No, it’s really not at all hard to imagine the likes of Chase Manhattan and Fifth Third not being at all cooperative with a new and untested method. This is especially true given that the consumer recipients are not likely to be expecting the payments nor would they likely know the exact size of those payments. Therefore, the normal emergency-backup way banks can learn of discrepancies—such as when customers call up screaming that their paycheck is 9 cents lower than it should be—might apply here.

But that all deals with handling the money from a successful class-action lawsuit. The only ruling the court has made on this thus far is to deny that class-action from even being formed.

A federal appellate panel has already weighed in on the original case, with more good news for retailers. The breach itself happened back in 2008 and was believed to have exposed some 4.2 million credit and debit cards and led to 1,800 initial reported cases of fraud.

The new argument the consumers’ lawyers made is that Hornby had declined the class certification because, in part, the lawyers’ points were not supported by expert testimony or expert evidence. The new filing argues that such expert testimony is not needed here.

“Plaintiffs submit that expert testimony is not necessarily needed to make the connection between the breach, its announcement, and the card cancellations and purchases of credit security products. That is a matter of common sense inference,” the filing said. “This is not like a medical causation case, where the causative relationship between exposure to a particular substance and subsequent medical harm must be established by expert testimony. The only reason advanced why an unusually large number of compromised cardholders cancelled their cards and bought credit security products right after becoming aware of the Hannaford breach is that they did so for the same reasons the Plaintiffs did, to mitigate the dangers of harm from fraudulent charges. Expert testimony will enable a degree of refinement and precision in the estimates, but is not required to establish the connection.”

The lawyers added: “In the absence of any other likely reason for the dramatic increase in insurance purchases and card cancellations, it is reasonable to infer that a large portion of these purchases and cancellations were efforts by the respective cardholders and their financial institutions to do the same thing that the Plaintiffs did, namely mitigate the effects of the breach on them. Hannaford has certainly had the opportunity to demonstrate that there were other explanations for dramatically increased insurance purchases or card cancellations for this particular customer group during these time periods and has failed to do so.”

Plaintiffs ask that the judge suspend his order denying the class certification and give them 60 days to prepare new evidence.


Comments are closed.


StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Most Recent Comments

Why Did Gonzales Hackers Like European Cards So Much Better?

I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.