Data Security Law Journal Focusing on legal trends in data security, cloud computing, data privacy, and anything E

Private Civil Lawsuits Arising From Data Breaches

Posted in Data Breach, Data Security

The U.S. Circuit Court of Appeals for the First Circuit recently weighed in on the causes of action and damages that are (and are not) cognizable in a data breach case.  In Anderson v. Hannaford Bros. Co., No. 10-2384 (1st Cir. Oct. 20, 2011), the plaintiffs were customers of a grocery store chain.  The grocery store chain used an electronic payment processing system that was breached by hackers, allowing the hackers to steal up to 4.2 million credit and debit card numbers and identifying information of the stores’ customers.  Many of the plaintiffs had unauthorized charges against their credit/debit card accounts.  Several were charged replacement card fees by their banks to replace their credit/debit cards.  The customers sued the grocery store chain.

The plaintiffs’ lawsuit was based on several causes of action:  breach of implied contract, breach of implied warranty, breach of duty of a confidential relationship, failure to advise customers of the theft of their data, strict liability, negligence, and violation of Maine’s Unfair Trade Practices Act.  In its 35-page opinion, the First Circuit analyzed each of these causes of action and held that only the negligence and implied contract causes of action were viable.

The plaintiffs sought various types of damages, including the cost of replacement cards, fees for accounts overdrawn by fraudulent charges, fees for altering pre-authorized payment arrangements, loss of accumulated reward points, inability to earn reward points during the transition to a new card, emotional distress, time and effort spent reversing unauthorized charges and protecting against further fraud, and costs incurred for purchasing identity theft/card protection insurance and credit monitoring services.  The First Circuit held that only the plaintiffs’ claims for mitigation expenses (like the consumer’s purchase of credit reports or credit insurance) and for the card replacement costs consumers incurred were recoverable.

Civil lawsuits arising from data breaches are a new and developing area of the law, and this new opinion is important because it is among the first U.S. Circuit Court opinions to analyze the issues of the proper causes of action and recoverable damages, and to do so in depth.  The decision is also important because, as journalist Jaikumar Vijayan wrote in an article for Computerworld, the case is “a rare instance of a court siding with consumers in a data breach lawsuit.”  It is certainly worth a read for anyone interested in these issues, and it should be an exciting time for anyone who practices in this area because we are watching the law develop from the beginning.

 

DISCLAIMER:  The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP or its clients.  Similarly, the opinions expressed by those providing comments are theirs alone, and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients.  All of the data and information provided on this site is for informational purposes only.  It is not legal advice nor should it be relied on as legal advice.