Retail Data Breach Liability Shield May Get Gutted

In a move that has the potential to make it much more difficult for retailers to defend themselves against civil data breach lawsuits, the judge overseeing the Hannaford data breach case has reversed himself. The Maine Supreme Court is now involved.

For years, retailers involved in major data breaches had little to worry about from U.S. courts, thanks to credit card zero-liability programs. Those programs made sure that consumers didn't lose money from the breaches, which in turn made it almost impossible to successfully prosecute those retailers in civil courts. Civil courts are fundamentally based on making plaintiffs financially whole.

But there's now the possibility that those retail protections could go away, because a Maine judge—who is overseeing the data breach litigation involving Hannaford—has asked the state Supreme Court for permission to do so. This is the same judge who had earlier dismissed the accusations against Hannaford. But he has since changed his mind.

Specifically, Maine's highest court is being asked to determine whether the law recognizes the time and effort payment cardholders spend trying to protect themselves after a data breach as a "substantial injury" for which they can be compensated.

The issue is a result of the litigation surrounding the 2007-2008 breach at the Hannaford supermarket chain. The request for a Maine Supreme Judicial Court review of the matter was made Monday (Oct. 5) by U.S. District Court Judge D. Brock Hornby, the jurist deciding whether to allow a class-action lawsuit against Hannaford by cardholders. The data theft at the retailer, which operates more than 200 stores, exposed 4.2 million credit and debit cards and led to 1,800 reported cases of fraud.

On May 12, Hornby rejected all but one of the claims against Hannaford, generally finding that the plaintiffs' banks protected them and prevented any consumer losses and ruling that he couldn't attach a monetary value to the consumers' other hassles and anxieties. However, the would-be class-action lawsuit plaintiffs kept the case alive by asking the judge to certify that a higher court should review parts of his ruling.

Although the judge denied the plaintiffs’ motion for higher court review of other plaintiff claims, including breach of implied contract, he granted their motion seeking review of the question regarding compensation for cardholder time and effort. The judge also dismissed the claim of the one remaining plaintiff that he did not reject on May 12, finding that she, like the others, suffered no financial loss.

In his order, Hornby limited the Maine Supreme Judicial Court's review to one narrow question: "Do time and effort alone, spent in a reasonable effort to avert reasonably foreseeable harm, constitute a cognizable injury under Maine common law?"

Hornby wrote that there long have been problems with the state's "economic loss doctrine," the part of the law at issue. "The contour and scope of the economic loss doctrine under Maine law have perplexed the federal courts in the District of Maine for some time," he wrote. "My colleague, Judge Carter, has aptly described the uncertainty that a district court faces whenever the economic loss doctrine figures" in a lawsuit.

In their appeal, the plaintiffs argued "that Maine law is uncertain as to whether their claimed damages for lost time and effort are recoverable," Hornby wrote. While there is no controlling case law, a 1977 Maine statute does recognize damages for time and effort spent "mitigating or averting harm from tortious acts." And, an appeals court in Massachusetts "held that such damages may be recovered in factual circumstances closely analogous to the plaintiffs’ [claims]," Hornby wrote.

However, the judge pointed out that Hannaford's lawyers cited "cases from other jurisdictions reaching the opposite conclusion." Therefore, Hornby said he was convinced that the high court "should be given the opportunity to determine whether such damages constitute a cognizable injury under Maine law."

In agreeing to ask for the Maine Supreme Judicial Court review of the matter, the judge noted that "if the Maine Law Court’s answer to the certified question on the cognizable harm issue favors the plaintiffs, the plaintiffs will have both a negligence claim and an implied contract claim." As such, a case that many had figured was dead in the water could get a new shot at life.

"This is significant because [Hornby] recently struck down many of the claims by cardholders relating to injuries they might suffer in the future, such as possible higher credit scores, saying they were too speculative and too remote to warrant injury," said Mark Rasch, a lawyer who is the former head of the U.S. Justice Department’s High-Tech Crimes Unit and today serves as principal of Secure IT Experts. "What happens when a retailer suffers a data breach? Even if no cards are misused, you have a lot of consumers who may suffer a little bit of economic harm but a substantial amount of inconvenience. What the court has done here is kept open the possibility you may have to compensate them for their inconvenience."

If that door is indeed open, it could be the first of several pieces of bad news for retail data breach defendants. Such a ruling would likely give attorneys a way to introduce evidence of neglect and recklessness, issues that retailers have thus far been able to avoid. Compensation for lost time is one thing. But opening the door to a jury being able to apply punitive damages? That could make things a lot more expensive for retailers.