Consumer suits against retailers for losses from data thefts face many hurdles to recovery. A recent illustration is the court’s dismissal of virtually all claims brought by customers of Hannaford, a supermarket chain based in Maine. In re Hannaford Bros. Co. Customer Data Security Breach Litigation, U.S. District Court, District of Maine, MDL Docket No. 2:08-MD-1954).
From December 2007 through March 2008, “wrongdoers” (apparently a less malevolent class of miscreant than the “evildoers” faced by President Bush) gained access to Hannaford’s information technology systems. The thieves stole some 4.2 million debit and credit card numbers, expiration dates, security codes, PIN numbers and other customer information. They were able to use this information to rack up an undisclosed amount of charges on customer accounts. Hannaford apparently discovered the security breach, but delayed before warning its customer, who continued to use their credit and debit cards for some time before the breach was closed.
The customers sued in the U.S. District Court in Maine and sought certification as a class action. They brought claims for breach of implied contract, breach of implied warranty, breach of fiduciary duty, breach of a Maine statute requiring disclosure to customers of a data security breach, strict liability, negligence, and unfair trade practices.
District Court Judge Hornby first analyzed the plaintiffs’ ability to recover under each of these causes of action, rejecting all but the breach of implied contract, negligence and unfair trade practice theories. The Court found that under Maine law, a contract includes “all such implied provisions as are indispensible to effectuate the intention of the parties.” When a customer gives a merchant his debit or credit card information, the parties assume that “the merchant will not use the card data for other people’s purchase, will not sell or give data to others, and will take reasonable measures to protect the information.” This duty supported both the breach of implied contract and negligence claims against the merchant.
The court also found that Hannaford could be subject to suit under Maine’s unfair competition law. The Maine statute appears to rather broad (broader than the California UCL) because it permits a consumer who purchases goods or services and “suffers any loss of money or property” as a result of an unfair or deceptive act to sue for “actual damages, restitution” and equitable relief. Here, the plaintiffs claimed that Hannaford failed to disclose the data breach for several months, which caused customers who continued to use plastic at the store to suffer data losses. The court concluded that Hannaford’s inaction justified a UCL claim.