The First Circuit reversed the trial court’s dismissal of negligence and implied contract claims arising from a 2007 breach of Hannaford’s electronic payment processing system, which resulted in the theft of 4.2 million credit card and debit card numbers. Anderson v. Hannaford Bros. Co., Nos. 10-2384, 10-2450 (1st Cir. Oct. 20, 2011). http://www.ca1.uscourts.gov/pdf.opinions/10-2384P-01A.pdf. Since the first data breach class actions were filed, the question of whether a plaintiff must have suffered an actual injury in order to have Article III standing has been contested. In early cases, e.g., Key v. DSW, Inc., 454 F.Supp.2d 684, 690 (S.D. Ohio 2006), District Courts found that an alleged increase in the future risk of harm was insufficient. Certain Circuit Courts disagreed and found standing where the plaintiff alleged an increased risk of future harm, e.g., Pisciotta v. Old Nat'l Bancorp, 499 F.3d 629 (7th Cir. 2007). Even where standing was found, however, these cases were dismissed unless the plaintiff alleged out-of-pocket expenses related to the breach, and such expenses were not always recoverable. For example, where the plaintiff could not show that the criminals had any interest in the data at issue, money spent to guard against identity theft could not be recovered.
In Hannaford, the First Circuit determined that out-of-pocket mitigation costs (such as credit insurance and fees associated with replacement credit cards) were reasonably foreseeable expenses and, therefore, were legally cognizable damages. Hannaford’s system was targeted by a criminal enterprise, and Hannaford acknowledged that the intrusion resulted in 1,800 fraudulent charges. The First Circuit distinguished the prior decisions on the ground that none of them involved allegations that any plaintiff had suffered identity theft or actual misuse of credit card numbers. That distinction is not entirely accurate: in Stollenwerk v. Tri-West Health Care Alliance, 254 Fed. Appx. 664 (9th Cir. 2007), the Ninth Circuit found that only the plaintiff who had actually experienced an incident of identity theft had a claim. The First Circuit found it sufficient that the plaintiffs had alleged they were aware that actual misuse had occurred as to other card holders, so that it was reasonable under Maine law for the plaintiffs to take action to mitigate the potential harm to themselves.
Class counsel has been learning from these decisions to plead complaints in a way that avoids early motions to dismiss on the cognizable injury issue. So what should a company do in response? The Hannaford decision confirms a couple of points I have made previously. First, it is essential that a company targeted by a criminal attack take care in deciding whether a breach requiring notice actually occurred. "There has been a Data Security Breach, But is Notice Required," [Article Link]. Hannaford presumably sent the same notice to all 4.2 million consumers even though only 1,800 fraudulent charges had been identified. Sending different forms of notice to different groups of affected consumers may create the need for sub-classes and a separate analysis of the reasonableness of each group’s response.
Similarly, the company should conduct a thoughtful and thorough forensic analysis of the breach. Interestingly, the First Circuit placed the burden on Hannaford in concluding that “there was [no] way to sort through to predict whose accounts would be used to ring up improper charges. By the time Hannaford acknowledged the breach, over 1,800 fraudulent charges had been identified and the plaintiffs could reasonably expect that many more fraudulent charges would follow. Hannaford did not notify its customers of exactly what data, or whose data, was stolen. It reasonably appeared that all Hannaford customers to have used credit or debit cards during the class period were at risk of unauthorized charges.” A strong forensic study, together with tactical decisions on notice (both its content and its recipients), could allow a company to identify exactly what data and whose data were taken, counter findings like those in Hannaford, and limit the related class action exposure.