Consumer Claims Survive in First Circuit Data Breach Lawsuit

By Robyn Hagan Cain on October 26, 2011 | Last updated on March 21, 2019

If you shop online, you’ve probably received an email from a retailer or your credit card company explaining that their system was hacked, and your personal information may have been accessed.

That warning is always followed by an attempt to reassure you that your credit card information is probably safe.

If you are overcome with the litigious spirit every time you read one of those infuriating messages - we have received three in the last year - the First Circuit Court of Appeals is willing to consider your data breach lawsuit based on Maine state law claims.

Too specific for you? Perhaps you can glean tidbits from last week's Anderson v. Hannaford Brothers opinion to apply in another venue under the First Circuit umbrella.

Hannaford is a national grocery chain whose electronic payment processing system was breached by hackers between December 7, 2007 and March 10, 2008. The hackers stole up to 4.2 million credit and debit card numbers, expiration dates, and security codes, but did not steal customer names.

On March 17, 2008, Hannaford announced that it had already received reports of approximately 1,800 cases of fraud resulting from the breach. Following Hannaford's announcement, some financial institutions immediately cancelled customers' cards and issued new cards, while others did not do so, telling the cardholders they wished to wait for evidence of unauthorized activity before taking action.

The plaintiffs, customers of the grocery chain, sued Hannaford alleging breach of implied contract, breach of implied warranty, breach of duty of a confidential relationship, failure to advise customers of the theft of their data, strict liability, negligence, and violation of the Maine Unfair Trade Practices Act (UTPA).

The district court dismissed four of the plaintiffs' claims - breach of warranty, breach of fiduciary duty, failure to notify, and strict liability - after concluding that the plaintiffs had not alleged facts stating a basis for these claims under Maine law. The district court allowed the implied contract, negligence, and UTPA claims to proceed.

Last week, the First Circuit Court of Appeals reversed the district court on the negligence and implied contract claims, ruling "that consumers who took proactive steps to protect themselves against fraud and identity theft in the wake of the breach may seek compensation for their expenses from Hannaford," reports ComputerWorld.

The case is significant because most consumer class action data breach lawsuits are dismissed.

Before you start drafting your own consumer protection petition, you should be aware that the First Circuit Court of Appeals will narrowly apply this ruling to out-of-pocket consumer costs associated with a data breach.

The good news? If you have prospective clients who wish to raise negligence and implied contract claims under Maine state law in a data breach lawsuit, you now have precedent to support your claim.
