Customers Could Sue Grocer Only if Damaged by Data Breach

This posting was written by Thomas A. Long, Editor of CCH Privacy Law in Marketing.

Customers of Maine-based supermarket chain Hannaford could pursue claims for breach of implied contract, negligence, and unfair trade practices under Maine law against the chain for failing to prevent a data security breach and for failing to notify them of the breach, but only if they could establish actual damages, according to the federal district court in Portland, Maine.

The alleged security breach resulted in the theft of an estimated 4.2 million debit and credit card numbers, expiration dates, PINs, and other personal information belonging to Hannaford customers.

Lawsuits over the breach from six states—Florida, Maine, New Hampshire, Massachusetts, New York, and Vermont—had been consolidated into a single case before the Maine court.

Breach of Implied Contract

The customers asserted that, at the point of a grocery sale, a merchant and customer implicitly agree that the merchant will guarantee the security of the customer's electronic data.

Although the court rejected the argument that Hannaford had made an implied commitment to prevent every intrusion under any circumstances whatsoever, the court concluded that a jury could find that there was an implied contractual term that Hannaford would use reasonable care in its custody of the customer's card data.

Negligence

Hannaford's assertion that the "economic loss" doctrine barred the customers from pursuing claims for negligence under Maine law was rejected.

Courts in some jurisdictions had applied the economic loss doctrine to prevent tort recovery for purely economic damages incurred by parties to a contractual relationship, unless there was also personal injury or property damage. Courts in Maine, however, did not apply the doctrine this broadly. The doctrine in Maine was limited to claims seeking tort recovery for a defective product's damage to itself.

Unfair Trade Practices

Failure to disclose the breach to customers could have been an unfair or deceptive practice, for purposes of Maine's Unfair Trade Practices Act (UTPA), the court said.

A jury could find that, if Hannaford had disclosed the breach immediately upon learning of it, customers would not have purchased groceries at its stores with debit and credit cards during the period between discovery of the breach (February 27, 2008) and containment of the breach (March 10, 2008). This nondisclosure would be an omission that was important to consumers and likely to affect their conduct regarding a product.

In addition, the Federal Trade Commission's pursuit of more than 20 complaints against corporations—including several retailers—for failing to use reasonable and appropriate security measures to prevent unauthorized access to personal information stored on computer networks supported accepting the customers' allegations as stating a claim under Maine's UTPA, the court reasoned.

Actual Damages

Each customer would be able to recover against Hannaford only if Hannaford's misconduct caused a direct loss to the customer's account. Consumers who did not have a fraudulent charge actually posted to their account could not recover; the only harm they could assert was the emotional distress that their accounts might be in peril, which was not actionable in the absence of monetary damages.

Consumers who had fraudulent charges posted to their accounts that were subsequently reversed and were no longer outstanding could not seek damages for alleged consequential losses, such as overdraft fees or a bank loan to cover them, a fee for insisting on changing an account when the issuing bank thought it was unnecessary, loss of accumulated reward points, time spent in convincing the issuing bank to reverse charges, or temporary lack of access to funds and inability to use a credit or debit card.

These alleged damages were too remote, not reasonably foreseeable, and speculative, in the court's view.

The decision is In re Hannaford Bros. Co. Customer Data Security Breach Litigation, CCH Privacy Law in Marketing ¶60,336.