Hannaford's Motion to Dismiss: Victory for Merchants...
... at least against consumer class action lawsuits. The United States District Court of Maine recently rendered its ruling on Hannaford's Motion to Dismiss the consumer class action lawsuits against it. Overall the decision is very favorable to merchants because it eliminates a large percentage of potential class plaintiffs. Significantly, however, this case does not settle the question of potential liability to issuing banks for reissuance costs (that matter is likely being settled behind the scenes pursuant to dispute resolution provisions in VISA and Mastercard operating regulations). This is the first of a three party series summarizing the Hannaford decision. The first post details the Court's ruling on the viability of various causes of action. The second post explains the courts holding concerning the issue of "cognizable harm". The last post outlines the means by which the issuing banks in this matter are likely to recover: VISA's Account Data Compromise Recovery process.
The Hannaford decision is best summed up by the court in one of the opening paragraphs:
Under Maine law as I understand it, when a merchant is negligent in handling a customer's electronic payment data and that negligence causes an unreimbursed fraudulent charge or debit against a customer's account, the merchant is liable for that loss. In the circumstances of this case, there may also be liability under Maine's Unfair Trade Practices Act ("UTPA") for an unfair or deceptive trade practice. But if the merchant is not negligent, or if the negligence does not produce that completed direct financial loss and instead causes only collateral consequences--for example, the customer's fear that a fraudulent transaction might happen in the future, the consumer's expenditure of time and effort to protect the account, lost opportunities to earn reward points, or incidental expenses that the customer suffers in restoring theintegrity of the previous account relationships--then the merchant is not liable.
In coming to its decision, the Court first analyzed the viability of the claims made by the consumer plaintiffs. Significantly, the Court recognized three viable theories, including breach of implied contract, negligence and violation of Maine's Unfair Trade Practices Act. In the course of doing so, the Court solidified the idea that no legal duty exists to provide "perfect" security -- security obligations will be judged on a reasonableness standard instead.
The consumer plaintiffs alleged that, at the point where groceries were purchased using a credit card, an actual contract was created, and that contract included implied terms around payment card security. Under Maine law, only those implied terms that are "absolutely necessary to effectuate the contract" and "indispensable to effectuate the intention of the parties" shall be valid.
In this case, the court recognized three implied terms around consumer payment cards: (1) merchant will not use the card data for other peoples' purchases; (2) merchant will not sell or give the card data to others (except for processing card); and (3) merchant will take reasonable measures to protect the information (which might include industry standards). The Court held that the following were not implied contract terms: (1) any implied commitment against every intrusion under any circumstances whatsoever (e.g. no unqualified guaranty of confidentiality); and (2) any duty to notify consumers that the confidentially of cardholder data was compromised.
Breach of Implied Warranty The court rejected the plaintiff's claim that Hannaford breached an implied warranty with respect to protecting cardholder data. First, under the Uniform Commercial Code, implied warranties of fitness for a particular purpose only relate to the "good" sold (e.g. groceries) not the payment mechanism. Even if such a warranty existed with respect to the payment mechanism, the consumers in this case had no "particular purpose" since their use was no different than all other grocery purchasers. Last the court rejected plaintiff's attempt to analogize the provision of cardholder data to a "bailment."
Breach of a Duty of Confidential Relationship.
The plaintiffs alleged that a customer and merchant enter into a confidential relationship whenever a customer uses a payment card, and that this relationship creates a fiduciary duty on Hannaford to guaranty the sanctity of the cardholder data and provide full disclosure of the nature of a security breach as soon as it happens. The court disagreed. First, the relationship in this case was not one of "trust and confidence" as compared to other Maine cases involving family relationships, joint ventures, partnerships or lender/borrower relations where one party has taken advantage of the other. Second, there was no evidence that Hannaford abused the trust of the customers impacted by the breach. Such abuse generally concerns the superior party obtaining the other party's property unfairly. Failing to promptly report the breach to avoiding adverse effects to Hannaford's business and reputation and retaining customers did not amount to an "abuse of trust" under this theory. Last, the Court ruled that the plaintiffs failed to establish a disparity in the bargaining position between the parties (as required for this theory). Hannaford did not have a monopoly on the sale of groceries and did not require the use of debit or credit cards to purchase groceries.
Breach of a Duty to Advise Customers of the Theft of Their Data
The plaintiffs attempted to argue that a duty to provide notice of a breach existed in common law (in the absence of a breach notice statute -- apparently this case did not trigger the existing breach notice law because it did not involve personal information, only credit card data). Plaintiffs argued that the failure to warn consumers of the security breach amounted to a negligent misrepresentation by omission. However, under Maine law a duty to disclose only exists if there is a confidential relationship between the parties or if there was an active concealment of truth - neither of which existed in this case according to the Court. Moreover, in light of the legislature having passed a breach notice law in Maine, the Court was hesitant to create any new state standard from the bench.
The plaintiffs argued that public policy favored the imposition of strict liability on Hannaford because safeguarding the consumers' confidential data was solely in the control of Hannaford. Under a strict liability regime, defendants are held liable whether or not they exercised reasonable care. This essentially amounts to a guarantee of 100% security. The Court, however, reject this argument. Strict liability has been imposed only in particularized circumstances, typically involving extra-hazardous activities and wild animals. In addition the Maine legislature passed a statute imposing strict liability with respect to the sale of defective goods. The Court held that none of these circumstances existed and that such an expansion of law was an issue for the Maine legal system or legislature (not a federal judge).
First, the Court noted that Hannaford did not argue that it was exempt from the duty of care in this case, and therefore appeared to uphold the negligence claim. Rather Hannaford argued that the negligence claim was barred by the economic loss doctrine. In general this doctrine prevents tort recovery for purely economic loss incurred by parties to a contractual relationship unless there is also personal injury or property damage. However, the Court ruled that under Maine law, the economic loss doctrine is applied narrowly in cases involving defective products. Since this case did not involve defective products, the Court refused to apply the rule against the plaintiffs. Note, in other jurisdictions that allow the economic loss doctrine to be applied for service contracts, this decision may have been different (indeed in the TJX and BJ Wholesaler's cases, negiligence claims were knocked out based on the economic loss doctrine).
Maine's Unfair Trade Practices Act
Maine's Unfair Trade Practices Act ("UTPA") says that "unfair or deceptive acts or practices in the conduct of any trade or commerce are declared unlawful. Under Maine's law, a consumer that purchases goods or services and suffers any loss of money or property as a result of an unfair practice may sue for actual damages, restitution and equitable relief. In this case, the plaintiffs allege that Hannaford's failure to promptly disclose the data theft was unfair and deceptive under the UTPA. The Court in this case agreed with the plaintiffs. It held that if Hannaford had provided earlier notice of the security breach, consumers may have refrained from purchasing products from Hannaford using credit cards until the breach was contained (e.g. Hannaford discovered the breach in February 2008, but did not contain it until March 10, 2008). The Court noted that conduct may be deceptive even if the merchant operated in good faith and without intent to deceive. In addition, similar to the TJX Appellate case, the Court noted that the UTPA instructed courts to be guided by FTC interpretations under the FTC Act. The court ruled that the substantial body of FTC complaints charging companies with security deficiencies supported plaintiffs allegations and therefore allowed the UTPA claim to stand. Significantly, the Court did not consider a negligent misrepresentation claim (such as in TJX) with respect to the protection of cardholder data. This theory was raised in oral arguments and was not present in the Hannaford complaint.
Despite recognizing three viable causes of action, the Court's analysis was not complete. In part two, ISC analyzes the Court's decision concerning cognizable damages. The end result is that while the Court recognized a certain class of plaintiffs that can recover for payment card security breaches, that class is likely to be small. While this is good news on the consumer lawsuit front, please note that the issuing banks will be coming after Hannaford in this matter. So dodging this bullet may put Hannaford in the way of a larger bomb.