PORTLAND, Maine (11/30/11)--An Oct. 20 federal appeals court ruling in the Hannaford Bros. supermarket credit and debit card breach in 2008 centered on whether steps to mitigate fraud from the breach were reasonable.
The U.S. Court of Appeals for the First Circuit in Maine reversed a lower court ruling and allowed consumers to sue the company for out-of-pocket expenses incurred to lessen the impact of the breach.
The unanimous decision includes costs to get new cards from financial institutions and the purchase of identity-theft insurance.
The Maine Supreme Judicial Court had ruled in September 2010 that the victims of the massive data breach could not sue for damages if they didn't suffer financial losses, physical harm or identity theft. It had said that time and effort alone do not constitute an injury for which damages may be recovered under Maine law (News Now Sept. 23).
In its reversal of that decision, the appellate court said: "The question then becomes whether plaintiffs' mitigation steps were reasonable. This is a contextual question, depending on the facts."
The appellate ruling went on to state: "Hannaford did not notify its customers of exactly what data, or whose date was stolen. It reasonably appeared that all Hannaford customers to have used credit or debit cards during the class period were at risk of unauthorized charges. That many banks or issuers immediately issued new cards is evidence of the reasonableness of replacement cards as mitigation." Among those issuing new cards were credit unions.
Therefore, it was foreseeable that customers--knowing their debit or credit cards "had been compromised and that thousands of dollars of fraudulent charges had resulted from the security breach--would replace their cards to mitigate against misuse of card data," the court added.
The appellate court said it partly affirmed the lower court's decision and partly reversed it. "We affirm the district court's dismissal of all claims other than the plaintiffs' negligence and implied contract claims. We reverse the district court's dismissal of the plaintiffs' negligence and implied contact claims as to certain categories of alleged damages because plaintiffs' reasonably foreseeable mitigation costs constitute a cognizable harm under Maine law."
It is estimated that the card numbers of more than four million people were stolen in the security breach, which occurred between Dec. 7, 2007 and March 10, 2008, when cyber criminals hacked into Hannaford's system and accessed card numbers used at 165 Hannaford supermarkets in the Northeast and 106 Sweetbay stories in Florida (News Now Nov. 21).
At least 1,800 numbers were used for unauthorized fraud. Hannaford discovered the breach in February 2008 and made it public March 17, 2008. Many credit unions were among the financial institutions that reissued new cards to consumers.