Hannaford's Motion to Dismiss: Victory for Merchants (Part 2)
As detailed in ISC's first post on the Hannaford case, I detailed the District Court's rationale for either dismissing or generally recognizing various legal theories around payment card number security breaches. The net result of the Court's analysis was the existence of three possible theories of recovery for the consumer plaintiffs:
- Breach of implied contract
- Violation of Maine's Unfair Trade Practices Act ("UTPA")
While the partial recognition of these theories of liability might be viewed as a positive development for plaintiffs, based on the Court's analysis of the "cognizable harm" (e.g. damages) elements of each theory, this decision ends up being bad for plaintiffs (or better stated plaintiff law firms desiring to pursue class actions in the wake of a payment card security breach). This post explains the Court's rationale and indicates aspects that may present difficulties for Hannaford on appeal.
"Cognizable Harm" (a.k.a. "damages") While the Court did recognize three causes of action (e.g. implied contract, negligence and the UPTA claim), to recover under each claim the plaintiff must establish that it suffered an injury, either damages or injunctive relief. The plaintiffs had alleged various damage components, including:
(i) customers' "debit cards and credit cards were exposed and subjected to unauthorized charges;"
(ii) their "bank accounts were overdrawn and credit limits exceeded;"
iii) they "were deprived of the use of their cards and access to their funds;"
(iv) they "lost accumulated miles and points toward bonus awards and were unable to earn points during the interval their cards were inactivated;"
(v) those customers "who requested their cards be cancelled were required to pay fees to issuing banks for replacement cards;"
(vi) those customers "who had registered their cards with online sellers were required to cancel and change their registered numbers;"
(vii) their "preauthorized charge relationships were disrupted;"
(viii) they "expend[ed] time, energy and expense to address and resolve these financial disruptions and mitigate the consequences;"
(ix) they "suffered emotional distress;"
(x) their "credit and debit card information is at an increased risk of theft and unauthorized use;" and (xi) some customers "purchased identity theft insurance and credit monitoring services to protect themselves against possible consequences." The Court ultimately rejected each of these damages components, except for a partial recognition of (i).
The Court's analysis was very interesting. It first started off by grouping the plaintiffs into various categories. The first category is those plaintiffs that did not have a fraudulent charge actually posted to their account, and only allegedly asuffered emotional distress that their accounts might be in peril. These plaintiffs could not recover under the Maine's Unfair Trade Practices Act because only loss of money or property is recoverable under that Act. In addition, under Maine law emotional distress is not recoverable under a breach of contract claim except in a few limited exceptions. Finally, while emotional distress is recoverable generally under Maine law, it is not recoverable with respect to negligent misrepresentation claims. Maine courts have held that the damages associated with negligent misrepresentation claims are essentially economic in nature and serve to protect economic interests, rather than emotional distress. The Court held that the same applied in this case. Moreover, in a rather conclusory fashion the court held that any preventative expense and time the plaintiffs say they spent "to resolve their emotional distress" are also not recoverable. There may be some problems with the Court's analysis on this count. First off, while the Court recognized that emotional distress was not recoverable for "negligent misrepresentation," it did not address the plaintiff's general "negligence" claim. In fact, the Court indicated that in general emotional distress damages are recoverable under Maine law in most tort actions. Since plaintiffs' negligence claim went beyond failure to notify (and also alleged for example negligent failure to safeguard the plaintiffs' credit card data). Secondly, rather than addressing the alleged preventative measures of each plaintiff (e.g. credit monitoring and identity theft insurance) as individual damage components, the Court characterized those items as "expenses and time that plaintiffs say they spent to resolve their emotional distress by protecting their accounts." By wrapping these items in with emotional distress, the Court was able to dismiss them as unrecoverable emotional distress damages. The mistake may be that these damage components stand on their own, and the Court should have considered them individually (other courts have indicated that such expenses are incurred in anticipation of future harm, and not cognizable harm. It is not clear why the Court did not engage in a similar analysis). The second category, made up of only one consumer, are those consumers with fraudulent charges that have not been reversed or reimbursed. Hannaford argued that this should not be recognized as a cognizable injury because under typical payment card agreements issuing banks agree to remove such charges. The Court rejected this argument indicating that a consumer's potential claim for recovery against issuing banks do not excuse Hannaford's negligence. In addition, such fraudulent charges also equate to a loss of money or property under the UTPA. The last plaintiff category is made of consumers with fraudulent charges that were reversed and are no longer outstanding. The Court indicated that these plaintiffs were complaining about various consequential expenses (see the following alleged damage components identified above: iii, iv., v., vi., vii., xi.). With respect to this category of plaintiff the court held that they were not entitled to any recovery. Under both contract and tort, the court reasoned, these damage elements were not "reasonably forseeable" under Maine law, and were therefore speculative and unrecoverable. This type of rationale is more or less in line with other cases refusing to recognize these damages as anything more than expenses incurred in anticipation of future harm. The court also commented on its rationale for some of the specific damage components. The Court described plaintiffs' time and effort to deal with fraudulent charges and to talk to bank representatives as "ordinary frustrations and inconveniences that everyone confronts in daily life." The court rejected identity theft insurance premiums as a cost component because there was no risk of identity theft from cardholder data that did not include personally identifying information. Fees to open new accounts were held to be unnecessary prophylactic measures when the banks indicated that new accounts were not required. Finally the court analyzed the plaintiffs' plea for injunctive relief. The plaintiffs had asked for Hannaford to identify for each plaintiff what private and confidential financial and personal information had been exposed to theft and to provide credit monitoring for each plaintiff. The court rejected this injunctive relief because all of the individuals had already canceled their cards and therefore had no need for an injunction.
At best, the Court's partial recognition of various causes of action represents a pyrrhic victory/defeat for the plaintiffs' bar. The Court managed to widdle down the potential class size to a small number: those individuals that actually remain responsible for the credit card fraud done using their card number. Considering that in most cases the issuing banks will waive such fraud and not hold the cardholder responsible, it is doubtful that many consumers will fall into this category. What this means practically speaking is that the plaintiffs' bar may have less financial incentive to pursue these cases. A fairly solid foundation of cases has arisen that dismissed consumer class actions based on the damages issue early in the litigation. Surprisingly there has not been a meaningful break through yet. While this case is likely to get appealed, each time another court agrees with the conventional wisdom it gets more difficult for that breakthrough to happen. Unless new laws are passed, consumers may not have a route to recovery after a payment card breach. In all, I am sure this is not the end of the story for the Hannaford case. ISC will stay on top of it.