New Class-action Case Offers New Theories
Hannaford Bros. Co., a grocer, faced a number of class-action lawsuits from its customers as a result of a third party stealing electronic payment data from credit cards and debit cards used by its customers to purchase groceries. The alleged data breach impacted over 4,000,000 of Hannaford's consumers. The lawsuits were consolidated into one multi-district litigation in the U.S. District Court for the District of Maine. The case offers some interesting guidance regarding the current contours of privacy litigation. While the Court dismissed the majority of pending claims against Hannaford, certain claims were allowed to remain pending. While the decision reinforces the general thought that privacy litigation in many cases faces difficult hurdles, the decision allows the door to remain open for certain causes of action related to privacy violations.
The plaintiffs brought a number of claims, including claims for breach of implied warranty, breach of confidential relationship, failure to advise of the breach (independent of the existing statutory requirements), and strict liability. The District Court followed these cases and dismissed the breach of implied warranty, breach of confidential relationship, failure to advise of the breach, and strict liability claims. However, the District Court found that certain claims, including breach of implied contract, negligence, and a claim arising from Maine's unfair trade practices statute could potentially be stated, and these claims were not dismissed by the court. Part of the basis for this ruling by the District Court was its belief that there could be an implied term when a consumer purchases goods that a seller will take reasonable measures to protect information. Of relevance to the District Court were the FTC's data security enforcement actions brought under its "unfairness" authority, which do not require a representation regarding security and instead rely upon the argument that a lack of data security is independently violative of Section 5 of the FTC Act.
However, the District Court then considered the damage issues in the case and followed a line of reasoning that began with Trikas v. Universal Card Services Corp., 351 F. Supp. 2d 37 (E.D. N.Y. 2005), in which the court rejected a plaintiff's claim for violation of the Fair Credit Reporting Act. In Trikas, the plaintiff brought an action based upon the assertion that an account erroneously remained open on his credit report. The plaintiff claimed that he suffered emotional distress because of this, even though it was admitted that no creditor actually saw, or relied upon, the erroneous information. Ultimately, the court dismissed the claim because the plaintiff could not prove damages that were caused by the alleged violation. The court in Forbes v. Wells Fargo Bank, N.A. reached a similar conclusion. In this case, the plaintiffs' personal information was obtained due to a theft of computers that contained unencrypted customer information including names, addresses, Social Security numbers and account numbers. It again was undisputed that plaintiffs had expended time and money to monitor credit, but there was no indication that the information had been accessed or misused. The court rejected the plaintiffs' claim that they had suffered damage due to the time and money they had spent because the plaintiffs could only recover for loss of time in terms of earning capacity or wages. The court therefore rejected both the breach of contract and negligence claim in that case.
In the Hannaford case, the District Court found that the plaintiffs could not state damages based upon consequential losses, such as costs related to identity theft insurance, credit monitoring, overdraft fees, fess related to pre-authorized payment arrangements and loss of accumulated rewards points, and that the plaintiffs also could not rely upon allegations of emotional distress damages. The Court did find that to the extent the plaintiffs faced fraudulent charges that remain on their credit cards, those charges are actual damages regardless of the plaintiffs' ability to recover those charges from their bank.
This case is notable because while it dismisses the case based upon a lack of damages, it is the second recent case that permits an unfair trade practice claim based upon a data breach to survive, and it is the first that explicitly ties into the FTC's cases based upon its unfairness authority in the data-security realm.