In a significant development that could materially increase the liability risk associated with payment card security breaches (and personal data security breaches, in general), the U.S. Court of Appeals 1st Circuit (the “Court of Appeals”) held that payment card replacement fees and identity theft insurance/credit monitoring costs are adequately alleged as mitigation damages for purposes of negligence and an implied breach of contract claim. For some time, the InfoLawGroup has been carefully tracking data breach lawsuits that, for the most part, have been dismissed due to the plaintiffs’ inability to allege a cognizable harm/damages. In fact, we have been tracking the legal twists and turns of the Hannaford case with great interest (see e.g. here, here, here, here, here and here). The decision in Hannaford could be a game changer in terms of the legal risk environment related to personal data breaches, and especially payment card breaches where fraud has been perpetrated. In this post, we summarize the key issues and holdings of the Court of Appeals.
In terms of background, this matter involves a payment card data security breach perpetrated by hackers that resulted in the theft of 4.2 million credit and debit card numbers, expiration dates and security codes from the Hannaford Brothers grocery store chain. After being alerted to the breach by the credit card companies, Hannaford announced the breach and informed the public that 1,800 cases of fraud had arisen out of the theft of the cardholder data.
Twenty-six separate lawsuits were filed against Hannaford, and all were eventually consolidated in the Federal District Court of Maine (the “District Court”). After winding through various legal proceedings, including a certified question to the Maine Supreme Judicial Court, the District Court eventually dismissed most of the plaintiffs’ claims, except for those of the single plaintiff who was actually held responsible for $50 of fraudulent charges (the maximum cardholder liability for unauthorized credit card charges under U.S. law).
Plaintiffs alleged several causes of action, but this post will focus on the issue of whether damages were properly alleged for purposes of the plaintiffs’ negligence and implied contract claims as to certain categories of alleged damages.
As is to be expected when twenty-six lawsuits are filed in a relatively novel area of law, the plaintiffs alleged several different damage elements resulting from the data breach, including:
1. unreimbursed fraud charges;
2. overdraft fees;
3. loss of accumulated reward points;
4. loss of opportunities to earn reward points;
5. the time and effort consumers spent to protect against losses;
6. the fees charged by issuing banks to customers who requested that their credit card be replaced; and
7. the cost of identity theft insurance/credit monitoring.
The Court of Appeals agreed with the District Court and affirmed the dismissal of the plaintiffs’ negligence and implied contract claims as to the first five damage elements listed above (unreimbursed fraud charges, overdraft fees, lost and forgone reward points, and time and effort spent). The Court, however, reversed the District Court’s dismissal as to the last two elements, card replacement fees and the cost of identity theft insurance/credit monitoring (together, the “Mitigation Costs”).
The Court of Appeals looked at Maine negligence law in rendering its decision, which requires damages to be both reasonably foreseeable and not barred for policy reasons. In addition, for nonphysical harm, Maine courts take policy considerations into account such as “societal expectations regarding behavior and individual responsibility in allocating risks and costs.” The Court of Appeals also indicated that Maine courts had previously allowed plaintiffs to recover for costs and harms incurred during a reasonable effort to mitigate harm. It specifically cited the Restatement (Second) of Torts section 919(1), which provides in relevant part:
[o]ne whose legally protected interests have been endangered by the tortious conduct of another is entitled to recover expenditures reasonably made or harm suffered in a reasonable effort to avert the harm threatened
The Court of Appeals noted that to recover mitigation damages, plaintiffs need to show both that their mitigation efforts were reasonable and that those efforts constitute a legal injury, such as actual monetary loss (rather than time or effort expended). In judging whether a mitigation decision was reasonable, Maine courts consider reasonableness at the time the decision was made, not with the benefit of hindsight. According to the Court’s interpretation of Maine law, mitigation damages are available even when it is not certain at the time that the costs are needed, when mitigation costs are sought but other damages are unavailable, and when mitigation costs exceed the amount of the actual damages avoided. In support of its decision, the Court of Appeals cited and summarized several cases from multiple jurisdictions, many of which involved structural damage or defective construction.
The Court of Appeals then considered whether the Mitigation Costs alleged by the Hannaford plaintiffs were reasonable. It first noted that the Hannaford breach involved a large-scale and sophisticated criminal operation. Moreover, there was actual widespread misuse of the cards and fraud committed using them (as announced by Hannaford itself). In the Court of Appeals’ view, the plaintiffs were “not merely exposed to a hypothetical risk, but to a real risk of misuse.” The Court also noted that there was no way for plaintiffs to predict whose accounts would be used for fraudulent purposes. As such, in the Court’s view it reasonably appeared that all Hannaford customers who used payment cards during the relevant time frame of the breach were at risk of unauthorized charges.
Looking at plaintiffs who had to pay fees to have their cards reissued (apparently not all banks reissued cards), the Court indicated that the immediate reissuance of cards by many banks was evidence of reasonable mitigation. As such, plaintiffs who were required to pay such fees properly alleged damages.
The Court also indicated that it was reasonable mitigation for a plaintiff to purchase identity theft insurance after she experienced unauthorized charges to her account. The Court of Appeals contrasted decisions in other jurisdictions that rejected credit monitoring costs as a cognizable damage element. In those cases, unlike Hannaford, the plaintiffs failed to allege that any similarly situated plaintiff had been the victim of identity theft or other harm. Here, the plaintiff who purchased identity theft insurance actually had unauthorized charges on her card, and there were at least 1,800 instances of fraud reported by Hannaford when it announced the breach. Therefore, the plaintiffs alleging this damage element satisfied their pleading requirements.
As mentioned above, this case could significantly impact the liability risk associated with data breach lawsuits. Some observations below:
- Early Stages. Readers must be reminded that even if the negligence and implied contract claims are allowed to proceed, we are only at the pleading stage. Hannaford may still win on a motion for summary judgment, on the issue of class certification, or at trial.
- Class Certification Difficulties. Even if certain individual plaintiffs are able to allege negligence and implied contract claims, they may not be able to certify a class action if there is not sufficient commonality between the class members. Class certification is the wild card at this point. It is one thing to have a handful of plaintiffs individually suing for relatively small amounts, and quite another to have a large class doing the same.
- Misapplied Theory of Mitigation Damages? The mitigation damages theory seems weak in one key area: most of the cases cited by the Court of Appeals involved situations where some physical harm or a harmful property defect had already occurred, and the mitigation efforts were aimed at cutting off further harm arising from that existing harm or defect. In contrast, in data breach situations there is no physical harm or harmful property defect; many would argue that the mitigation is an attempt to cut off purely future harm (which is what other courts have held), and that its cost should not be construed as a cognizable injury.
- U.S. Supreme Court. While there may be factual differences between the various decisions that preclude a true conflict, it now appears that we have a split among the U.S. Courts of Appeals. On one side, the 7th and 9th Circuits have thrown data breach lawsuits out for lack of cognizable harm. On the other, the 1st Circuit has gone the opposite direction for some damage elements. Will the U.S. Supreme Court have to weigh in to resolve the split?
- Create Your Own Class. If purchasing identity theft insurance or credit monitoring equals cognizable harm, will plaintiffs’ lawyers direct their clients to purchase such services (in part so that they can recover the cost from the breached organization)?
- Offering Credit Monitoring Services and Identity Theft Insurance. It is not unusual for breached organizations to offer credit monitoring and/or identity theft insurance to individuals impacted by a breach (often for customer relations purposes). As we have predicted in the past, the question is whether offering such services will effectively cut off lawsuits: plaintiffs may not be in a position to allege out-of-pocket costs if those services were offered for free by the breached organization. Considering that the redemption rate for such services is relatively low (in our experience typically less than 20%), offering them might save a breached entity on the litigation end of the equation. Even so, plaintiffs’ lawyers might simply move the goalposts; even if one year of such services is offered, they may allege that two years is required or reasonable.
- Other Mitigation Damages? What other costs might constitute recoverable mitigation damages? The threshold is reasonableness, and it does not necessarily appear that the plaintiff needs to be aware of actual harm or misuse of personal information (although such awareness helps the reasonableness argument). We have had regulators ask our clients to offer to pay for fraud alerts after a data breach; might the cost of a fraud alert also be a recoverable mitigation damage element? There are probably other similar costs that creative plaintiffs’ lawyers will come up with.
We will have to wait to see what the ultimate impact of this decision is. However, with cases like this and other decisions favorable to plaintiffs on the issue of damages arising out of a data breach, we could be witnessing the beginning of a shift in the legal liability environment. Since these data breach lawsuits may now have more litigation legs, organizations concerned about liability should consider focusing more on whether their security is reasonable and legally defensible.