BOSTON (10/28/11)--Retailers could be could be responsible for replacement payment cards and identity-theft insurance in the event of data breaches under a federal appellate panel ruling made Wednesday.
In Anderson v. Hannaford Bros. Co., U.S. Court of Appeals First Circuit reversed a decision that dismissed negligence and implied contract claims arising out of a 2007 breach of grocer Hannaford's electronic payment processing system, which resulted in the theft of 4.2 million credit and debit card numbers.
The First Circuit's decision suggests credit and debit card payment processors could be at a higher risk than previously thought of facing class action claims in the wake of data breaches (Oregon Business Report Oct. 27).
A Maine Supreme Judicial Court ruled in September 2010 that victims of the massive data breach that hit Hannaford Bros. supermarkets in 2008 cannot sue for damages if they did not suffer financial losses, physical harm or identity theft (News Now Sept. 23, 2010).
The Hannaford breach occurred between Dec. 7, 2007, and March 10, 2008, when cyber criminals hacked into the grocery store chain's system and accessed card numbers used at 165 Hannaford supermarkets in the Northeast and 106 Sweetbay stores in Florida. Of the four million cards compromised, at least 1,800 numbers stolen were used for unauthorized fraud. The breach was discovered Feb. 27, 2008, and made public March 17, 2008 (News Now April 3, 2009).
The breach caused many credit unions to reissue credit cards to members whose information was compromised. It also resulted in more than 24 lawsuits filed against Hannaford and its parent company, Delhaize America Inc. The cases were consolidated into one central complaint. Attorneys had sought damages for time and money lost as well as damages because Hannaford allegedly knew about the breach three weeks before it was made public. The delay, said attorneys, exposed consumers' accounts to more fraud (News Now Aug. 1, 2008, and April 3, 2009).