Late last week, the U.S. Court of Appeals for the First Circuit ruled that victims of a data breach could pursue compensation from the merchant whose systems were breached for their costs of credit card replacement and identity theft insurance, under theories of breach of implied contract and negligence. See Anderson v. Hannaford Brothers Co., — F.3d —, 2011 WL 5007175 (1st Cir. Oct. 20, 2011).
As alleged by the plaintiffs in their class-action complaint, the Hannaford Brothers grocery store chain suffered a data breach resulting in 1800 fraudulent charges worldwide and hackers stealing up to 4.2 million credit and debit card numbers, expiration dates, and security codes of its customers. Id. at *1. Plaintiffs claimed they were victims of the breach and brought various claims against the chain, alleging they suffered losses including replacement card fees, fees for accounts overdrawn by fraudulent charges, fees for altering pre-authorized payment arrangements, loss of accumulated reward points, inability to earn reward points during the transition to a new card, emotional distress, and time and effort spent reversing unauthorized charges and protecting against further fraud. Id. at *2. The lower court rejected these claims and entered judgment for Hannaford. Id. at *3.
On appeal, the First Circuit held that plaintiffs could proceed on two of their claims: breach of implied contract and negligence. Id. at *5, *13. In particular, “a jury could reasonably find an implied contract between Hannaford and its customers that Hannaford would not use the credit card data for other people’s purchases, would not sell the data to others, and would take reasonable measures to protect the information.” Id. Further, on the question of damages, the Court ruled that Maine law allowed recovery of nonphysical damages that were reasonably foreseeable, and incurred during a reasonable effort to mitigate, so long as the efforts constituted a legal injury, such as actual money lost, rather than time or effort expended. Id. at *8-*9. The Court concluded that it was foreseeable, “on these facts, that a customer, knowing that her credit or debit card data had been compromised and that thousands of fraudulent charges had resulted from the same security breach, would replace the card to mitigate against misuse of the card data.” Id. at *11. It also was deemed foreseeable “that a customer who had experienced unauthorized charges to her account . . . would reasonably purchase insurance to protect against the consequences of data misuse.” Id.
Other damages, however, such as loss of reward points, loss of reward point earning opportunities, and fees for pre-authorization charges were not recoverable because “[t]hese injuries were held to be too attenuated from the data breach because they were incurred as a result of third parties’ unpredictable responses to the cancellation of plaintiffs’ credit or debit cards.” Id. at *13.
The Hannaford decision shows how common law claims might be used by data-breach victims under some circumstances to seek compensation for a breach. Damages doctrines used for common law torts may limit recovery, however, allowing some—but not all—of a plaintiff’s claimed damages to be part of a lawsuit.