Wednesday, November 02, 2011
Customers Could Seek Costs of Mitigating Harm from Data Security Breach
This posting was written by Thomas A. Long, Editor of CCH Privacy Law in Marketing.
Customers of supermarket chain operator Hannaford could pursue claims for breach of implied contract and negligence under Maine law against Hannaford for failing to prevent a data security breach, the U.S. Court of Appeals in Boston has held.
The customers stated valid claims for damages based on the costs of replacing their credit and debit cards and of purchasing credit insurance after a breach resulted in the theft of an estimated 4.2 million debit and credit card numbers, expiration dates, PINs, and other personal information.
The damages sought by the customers amounted to “mitigation damages,” the court said. These damages were reasonably foreseeable, and recovery for them had not been barred by Maine for policy reasons.
Under Maine common law, a plaintiff may recover for costs and harms incurred during a reasonable effort to mitigate its damages resulting from a defendant’s negligence, regardless of whether the harm is nonphysical. To recover mitigation damages, plaintiffs needed only show that the efforts to mitigate were reasonable and that those efforts constituted a legal injury, such as actual money lost, rather than time or effort expended.
The case involved a large-scale, sophisticated, apparently global criminal operation conducted over three months and the deliberate taking of credit and debit card information. There had been actual misuse of customer data by the thieves, the court noted. The data had been used to run up thousands of improper charges to customers’ accounts; the customers were subject to a real risk of financial loss, making their mitigation efforts reasonable.
By the time Hannaford had notified customers of the breach, over 1,800 fraudulent charges had been identified, and the customers could have reasonably expected that many more fraudulent charges would follow. The customers’ claims for identity theft insurance and replacement card fees involved actual financial losses from credit and debit card misuse. Such damages were recoverable in Maine under both tort law and contract law, according to the court.
The customers could not, however, recover damages for their claims for loss of reward points, loss of reward point earning opportunities, and fees for pre-authorization arrangements. These injuries were too attenuated from the data breach because they were incurred as a result of third parties’ unpredictable responses to the cancellation of the customers’ credit or debit cards, the court said.
Breach of Implied Contract
With regard to the customers’ claims for breach of an implied contract, the court determined that a jury could find that, in a grocery transaction in which a customer uses a debit or credit card, there was an implied contract that Hannaford would not use the credit card data for other people’s purchases, would not sell the data to others, and would take reasonable measures to protect the information.
A customer using a credit card in a commercial transaction intended to provide that data to the merchant only and did not expect the merchant to allow unauthorized third parties to access the data, the court said.
Breach of a Fiduciary Duty
The customers failed, however, to assert a claim for breach of a fiduciary duty. First, the customers did not have a “confidential relationship” with Hannaford that would give rise to a fiduciary duty, according to the court. The “trust and confidence” allegedly placed by the customers in Hannaford was not the type of trust and confidence contemplated by Maine’s common law. Such claims typically involved family relationships, joint ventures or partnerships, and lender/borrower relations in which one party had taken advantage of another for purposes of acquiring or using the other’s property or assets. No such relationship existed in this case.
Second, the grocery purchase relationship between the parties was not characterized by a disparity in bargaining positions. Hannaford did not have a monopoly on the sale of groceries and did not require the use of credit or debit cards.
Third, the customers failed to allege that Hannaford abused a position of trust, the court said. There was no suggestion in the complaint that Hannaford provided anything but a fair exchange in groceries in return for the customers’ payments or that Hannaford somehow took advantage of the system of allowing customers to use credit and debit cards.
Unfair Trade Practices
Hannaford’s failure to disclose the breach did not give rise to a cause of action under Maine’s Unfair Trade Practices Act, the court decided. The private remedies provision of the Act required that the plaintiff suffer a loss of money or property as a result of the defendant’s unlawful act. Maine’s highest court had interpreted the Act as only allowing private actions for “substantial” injuries. The private remedies provision was to be read narrowly, particularly when common-law actions for negligence and breach of implied contract were available.
The decision in Anderson v. Hannaford Brothers Co. appears at CCH Privacy Law in Marketing ¶60,687.