Maine SC sides with grocery store in security breach suit

[Christine Fulgham <christine () opensecurityfoundation org>]

http://www.legalnewsline.com/news/228896-maine-sc-sides-with-grocery-store-in-security-breach-suit

 BY JESSICA M. KARMASEK
AUGUSTA, Maine (Legal Newsline) - The Maine Supreme Court, in a unanimous
decision, has ruled that a group of consumers do not need to be compensated
for time and effort they put into cleaning up the damage caused by data
thieves.

In answering a pair of certified questions for a federal court, the state's
high court says time and effort alone do not constitute a cognizable injury
for which damages can be recovered under the state's negligence or implied
contract laws.

The case involves the final litigation surrounding a 2007 data breach
against Hannaford Bros. Co., a 165-store grocery chain. The breach exposed
more than 4 million payment cards to a cyberthief gang run by Albert
Gonzalez.

Between December 2007 and March 2008, the data thieves stole debit and
credit card numbers, expiration dates, security codes, PINs and other
information belonging to customers who had used the chain's electronic
payment processing services.

By late February 2008, Visa, Inc., had notified Hannaford of the breach. The
chain discovered the means of the thieves' access on March 8, 2008,
contained it, notified all financial institutions within two days, and
publicly disclosed the breach on March 17.

Due to the theft, a number of customers had experienced fraudulent and
unauthorized charges on their accounts. However, most were able to resolve
the charges with their banks.

In fact, in October 2008, when a group of 21 plaintiffs filed their
complaint in federal court, only one had outstanding fraudulent charges on
her account. The other plaintiffs had already been reimbursed by their
financial institutions.

According to their complaint, the plaintiffs alleged breach of implied
contract, breach of implied warranty, breach of a confidential relationship,
failure to advise customers of the data theft, strict liability, negligence,
and unfair trade practices. The plaintiffs sought damages to compensate them
for their time and efforts, which they say were necessary to remedy the
disruption of their financial affairs.

The federal judge overseeing the civil lawsuits against the grocery chain
had initially ruled that consumers suing Hannaford had to prove actual
financial damages that were material before he could allow that portion of
the case to continue.

Attorneys for those consumers argued that the losses in time and effort were
significant and that those efforts, coupled with what they contended was
Hannaford's negligence in protecting that payment card data, made a civil
ruling against the chain appropriate.

But the federal judge turned the consumers down, ruling that the losses were
"too remote, not reasonably foreseeable, and/or speculative" and that there
was "no way to value and recompense time and effort." He added that such
non-financial losses were merely "the ordinary frustrations and
inconveniences that everyone confronts in daily life with or without fraud
or negligence."

Following the judge's ruling, attorneys for the consumers asked him to
reconsider. The judge set aside his decision and asked the Maine Supreme
Judicial Court to rule on the matter.

The Court, in its opinion authored by Justice Joseph M. Jabar, unanimously
sided with the grocery chain.

It noted that the plaintiffs had suffered no physical harm, economic loss or
identity theft.

Jabar reaffirmed the federal judge's ruling, "The tort of negligence does
not compensate individuals for the typical annoyances or inconveniences that
are a part of everyday life."

The Court said its case law does not recognize the expenditure of time and
effort alone as a harm.

"Unless the plaintiffs' loss of time reflects a corresponding loss of
earnings or earning opportunities, it is not a cognizable injury under Maine
law of negligence," it wrote.

The Court made the same conclusion in regards to the alleged breach of
implied contract. The federal judge had already shot down the plaintiffs'
other five charges listed in their complaint.

_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/

Take CREDANT Technologies short survey on cloud usage and security.
Take the survey: http://www.surveymonkey.com/s/TXDR7WT
Respond by October 12, 2010.
Enter to win a $500(US) Amazon Gift Card.