Appeals court says some claims may proceed in Hannaford data breach lawsuit

Consumers who paid for ID security measures may seek compensation, court rules

In a rare instance of a court's siding with consumers in a data breach lawsuit, a federal appeals court has cleared the way for a class-action lawsuit to proceed against grocery chain Hannaford Bros. over a 2007 data breach that exposed millions of customers' credit and debit cards.

The U.S. Court of Appeals for the First Circuit last week ruled that consumers who took proactive steps to protect themselves against fraud and identity theft in the wake of the breach may seek compensation for their expenses from Hannaford.

The decision overturns an earlier decision by a district court in Maine which had held that consumers could not seek compensation from Hannaford because their alleged injuries stemming from the breach were too speculative and unforeseeable.

The ruling is noteworthy because "up until this point, many if not most courts have dismissed these consumer class actions on the basis that consumers did not have standing or the damages were too speculative," said Scott Vernick, an attorney with Fox Rothschild LLP in Pittsburgh.

To continue reading, register here to become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

In a rare instance of a court's siding with consumers in a data breach lawsuit, a federal appeals court has cleared the way for a class-action lawsuit to proceed against grocery chain Hannaford Bros. over a 2007 data breach that exposed millions of customers' credit and debit cards.

The U.S. Court of Appeals for the First Circuit last week ruled that consumers who took proactive steps to protect themselves against fraud and identity theft in the wake of the breach may seek compensation for their expenses from Hannaford.

The decision overturns an earlier decision by a district court in Maine which had held that consumers could not seek compensation from Hannaford because their alleged injuries stemming from the breach were too speculative and unforeseeable.

The ruling is noteworthy because "up until this point, many if not most courts have dismissed these consumer class actions on the basis that consumers did not have standing or the damages were too speculative," said Scott Vernick, an attorney with Fox Rothschild LLP in Pittsburgh.

But it would be a mistake to read too much into it because the decision pertains to a somewhat specific set of circumstances, he added.

A Hannaford spokesman said the company does not want to comment on the ruling because there are still some issues under litigation.

The lawsuit, John Anderson et al vs. Hannaford Bros. Co., stems from a data breach at Hannaford that exposed 4.2 million credit and debit cards. The theft began in December 2007 but was not detected and disclosed by the company until March 2008. At the time of its disclosure, Scarborough, Maine-based Hannaford said it had detected about 1,800 of the compromised cards being used in a fraudulent manner. The company's disclosure prompted several issuing banks to cancel and reissue credit and debit cards as a precautionary measure against fraudulent use.

Hannaford's disclosure of the breach also prompted several consumer class-action lawsuits. In all, 26 of those lawsuits were consolidated into one lawsuit in the U.S. District Court for the District of Maine. The lawsuit charged Hannaford with breach of implied contract, negligence, violation of Maine's unfair trade practices statute and four other causes of action.

The district court, like several other courts in similar cases, dismissed all but one of the claims. The only complaint that was allowed to stand was from a woman who said she had not been reimbursed by her bank for fraudulent charges on her bank account after the Hannaford breach.

Consumers with no fraudulent charges posted to their accounts could not seek damages under Maine law; neither could those who might have had fraudulent charges on their accounts that were later reversed, the district court judge had ruled.

In its ruling last week, the appellate court agreed with the district court's decision on almost all counts. However, it held that consumers who paid for credit monitoring services or to get their banks to reissue cards as a proactive security measure had a basis for making a claim against Hannaford.