"Damages" Last Stand - Maine Supreme Court Puts an End to the Hannaford Bros. Breach Suit
We have been following the twists and turns of the Hannaford Bros. security breach litigation from the beginning (see here, here, here, here and here). As of yesterday, it looks like the consumer plaintiffs’ case has suffered the “true death” (my friends and colleagues that watch HBO’s “True Blood” will know what I am talking about) The Maine Supreme Court has rendered its opinion on the “damages” issue in the Hannaford Bros. consumer security breach lawsuit. Again, the plaintiffs have been unable to establish that they suffered any harm as a result of the Hannaford security breach. Specifically, the Court ruled that “time and effort” alone spent to avoid or remediate reasonably foreseeable harm do not constitute “a cognizable injury for which damages may be recovered.” In this blogpost we take a closer look at the Court’s rationale.
This lawsuit arose of out of a data security breach that occurred between December 2007 and March 2008 that exposed up to 4.2 million payment cards of Hannaford customers. As you may recall this case was brought before the Maine Supreme Court after the U.S. District Court of Maine certified two questions of state law to the Maine Supreme Court. At the end of the day, however, the Supreme Court only considered the following question:
“In the absence of physical harm or economic loss or identity theft, do time and effort alone, spent in a reasonable effort to avoid or remediate reasonably foreseeable harm, constitute a cognizable injury for which damages may be recovered under Maine law of negligence and/or implied contract?”
Ultimately the court answered this question in the negative.
The Court’s Rationale
The Supreme Court focused its decision on two particular classes of Hannaford plaintiffs: those that had never experienced a fraudulent charge on their payment card, and those that experienced a fraudulent charge that was reversed by their bank (and they were not responsible for any of the charge). The Court’s focus was the time and effort allegedly expended by these plaintiffs to protect themselves against fraud and identity theft.
In its holding the Supreme Court characterized time and effort in this context as “typical annoyances or inconveniences that are a part of everyday life.” It also proclaimed that an individual’s time alone is not protected by tort law, and that loss of time is a cognizable harm only if its related to loss of earning capacity or wages. In addition, loss of time might also be a cognizable harm if it could be assigned a value reflecting from loss of earning opportunities resulting from personal injury or property damage.
Significantly, the Supreme Court did recognize that loss of time without a corresponding personal or property damage is compensable for certain torts, including: nuisance; false imprisonment and abuse of process. The Court unfortunately, did not explain why loss of time is a proper damage element for these torts, but not for a negligence or breach of contract claim.
It also recognized that under the doctrine of mitigation of damages, plaintiffs may recover for costs and harms incurred during a reasonable effort to mitigate harm. Nonetheless, if such mitigation only amounts to an inconvenience or annoyance, the Court held it did not amount to a legal injury.
In addition, the court analyzed cases put forth by the plaintiffs that appeared to allow recovery for loss of time (some of which date back to the 1800s). The court distinguished those cases because many of them involved at least one intentional tort. The court indicated that “because liability is often more extensive in cases of intentional torts than those in negligence, intentional tort cases recognizing recovery for time and effort have little bearing on our analysis.” It also discounted other cases finding time of loss harm because those cases failed to demonstrate how those damages were being measured.
The final decision of the Maine Supreme Court in this case was not surprising in light of the multitude of caselaw rejecting the existence of legally cognizable harm in the security breach context. However, the caselaw used by the plaintiffs and the court’s reasoning in rejecting those cases was interesting.
In essence the court used a contextual argument to reject loss of time as a harm element in the data breach context. For some types of torts loss of time is a recognized damage, but for reasons that the Court did not fully explain, such loss of time in the negligent security breach context only amounted to “typical annoyances or inconveniences that are a part of everyday life.” It is unclear, for example, why being falsely imprisoned for several hours in the back of a store (e.g. wrongly accused of shoplifting) constitutes damages, but taking several hours to engage in credit monitoring, calling various banks and otherwise dealing with a data security breach does not constitute damages. Same holds true for intentional torts where loss of time was recognized as damages. The question is how does (or why does) the nature of the tort change the nature of the damages element (in this case loss of harm)? It seems from a consistency standpoint, one could argue that harm is harm is harm regardless of how that harm was made to occur. It would have been nice to see the Court flesh this holding out more.
The Court also fumbled to some degree when it appeared to require some ability to measure the loss of time damages against earning capacity or wages. If loss of wages due to loss of time is a cognizable injury, this would seem to open the door to plaintiffs alleging that they were required to take time off of work or use a vacation day to deal with a payment card security breach. However, in cases where earning capacity is referenced, there is typically a corresponding personal injury that undermined that capacity. In other words, the cognizable harm is the personal injury and the loss of earning capacity is a method for measuring that harm. Without the personal injury, there would not appear to be a cognizable harm. While the reasoning was ultimately correct, the court should have been more careful when it described loss of time has a cognizable harm in and of itself in the personal injury context.
Regardless of the potential flaws in this decision, we are talking about one of the highest courts in the land, and this decision adds another significant court to those that fail to recognize damages in a data breach lawsuit. At this point, it is unclear whether the plaintiffs’ bar will ever achieve a victory on this issue.