Appeals court backs consumers in data breach suit against Hannaford Bros.

A US Court of Appeals ruled that consumers could sue Hannaford Bros. to recover “mitigation damages” incurred in the aftermath of a data breach

Between December 2007 and March 2008, hackers were able to steal over four million credit and debit card numbers of Hannaford customers. The customers sued Hannaford to recover costs incurred as a result of the data breach, including proactive steps they took to protect themselves against identity theft. The US District Court in Maine dismissed the plaintiffs’ claims that were not directly related to financial loss suffered from the breach. The plaintiffs appealed the court’s decision.

Overturning the lower court ruling, the US Court of Appeals for the First Circuit ruled that consumers could sue the grocery store chain to recover “mitigation damages” incurred in the aftermath of the data breach, such as replacement card costs and identity theft insurance.

“Plaintiffs' claims for identity theft insurance and replacement card fees involve actual financial losses from credit and debit card misuse,” a three-judge appeals court panel said in its Oct. 20 ruling. “Under Maine contract law, these financial losses are recoverable as mitigation damages as long as they are reasonable,” the court ruled.

Commenting on the ruling, Theodore Kobus with Baker & Hostetler wrote that the appeals court “concluded that reasonable out-of-pocket expenses necessary to mitigate future harm, such as replacement card costs and identity theft insurance, are indeed recoverable. The holding squarely fits into the ‘fear of harm’ theories that have been presented and rejected many times in the past.”

Kobus cautioned, however, that the court’s opinion should be read “carefully because the court distinguishes this case from others where there was no proof of misuse of the information stolen. In the Hannaford breach, the thieves were sophisticated, the information was targeted, and over 1,800 credit card and debit card accounts experienced fraudulent activity related to the breach. Indeed, the First Circuit rejected some of the damages claims, including loss of reward points or fees for pre-authorization changes, because those types of damages are not foreseeable.”
