Maine Supreme Court Backs Retailers On Data Breach Liability

A unanimous ruling from the Maine Supreme Court Tuesday (Sept. 21) in the Hannaford data breach case lifted a year-long threat hanging over retailers. The court ruled that consumers' time and effort spent to clean up a cyberthief's damage need not be paid for by a breached retailer. But that protection won’t help much as retailers turn more to debit payments.

The case involves the final litigation surrounding the 2007 data breach against the 165-store Hannaford grocery chain. That breach exposed some 4.2 million payment cards to the cyberthief gang run by Albert Gonzalez.

The federal judge overseeing the civil lawsuits against Hannaford—U.S. District Court Judge D. Brock Hornby—initially ruled the same as have other federal judges handling other retail data breach cases, including the TJX litigation.

Hornby ruled that consumers suing Hannaford had to prove actual financial damages that were material before he would allow that portion of the case to continue. Behind much of this issue is the card brands' zero-liability programs, which inadvertently make it almost impossible to successfully sue a retailer for a breach. By crediting the losses from the frauds, zero-liability eliminates any material financial loss. Without such a loss, consumers can't proceed successfully in this type of civil lawsuit.

Attorneys for those consumers argued to Hornby that the losses in time and effort were significant and that those efforts, coupled with what they contended was Hannaford's negligence in protecting payment card data, made a civil ruling against the chain appropriate.

Hornby turned the consumers down, however, ruling that the losses were "too remote, not reasonably foreseeable and/or speculative" and that there was "no way to value and recompense time and effort." He added that such non-financial losses were merely "the ordinary frustrations and inconveniences that everyone confronts in daily life with or without fraud or negligence."

After that ruling, consumer attorneys asked him to reconsider. Hornby set aside his decision and then asked the Maine Supreme Court to decide the matter. The court did so on Tuesday, and unanimously sided with Hannaford.

The exact question the Maine Supreme ruled on was: "In the absence of physical harm or economic loss or identity theft, do time and effort alone, spent in a reasonable effort to avoid or remediate reasonably foreseeable harm, constitute a cognizable injury for which damages may be recovered under Maine law of negligence and/or implied contract?"The Supreme Court said a clear no. "The plaintiffs contend that because their time and effort represented reasonable efforts to avoid reasonably foreseeable harm, it is compensable. However, we do not attach such significance to mitigation efforts. An individual’s time, alone, is not legally protected from the negligence of others," the ruling said.

"The doctrine of mitigation of damages, or avoidable consequences, encourages plaintiffs to take reasonable steps to minimize losses caused by a defendant’s negligence by prohibiting recovery for any damages that the plaintiff could reasonably have avoided. Unless the plaintiffs’ loss of time reflects a corresponding loss of earnings or earning opportunities, it is not a cognizable injury under Maine law of negligence. Contrary to the plaintiffs’ contention, our case law does not recognize time and effort as a compensable injury in the context of the plaintiffs’ negligence claim. We decline to expand recovery in negligence in these circumstances."

If the consumers' attorneys want to appeal, they could ask for a ruling from a federal appellate court or even the U.S. Supreme Court. Given the unanimity of the rulings of several federal judges in these data breach cases—plus the unanimous Maine Supreme Court ruling—it's unlikely a federal panel would agree to hear the case, let alone rule in the consumers' favor.

This decision is clearly favorable for retailers, but its applicability is limited to credit card losses. In debit card cases, the zero-liability protections do not currently exist, which means the potential for material consumer losses there is much greater. Even if the banks reimburse debit card consumers for fraudulent losses, they could sustain serious financial injury in the meantime, in the form of bounced checks and the fees and headaches associated with bouncing checks. Credit card temporary credits avoid almost all of those bounced check issues.

This is one of the key issues behind mobile payments. If some retailers embrace a mobile payment setup that sits atop debit cards—or other forms of direct bank account access—to minimize interchange fee costs, they might be opening up huge liability holes if a breach happens.