Ruling limits class actions in data breaches

At a time when data breaches affecting large numbers of consumers are becoming more common, and 45 states have enacted breach notification laws, a recent ruling from the U.S. District Court for the District of Maine might make it even more difficult for consumers to successfully bring claims against stores that fail to protect their personal data.

On May 12, the U.S. District Court for the District of Maine dismissed the majority of class action claims brought against Hannaford Brothers Co., a Maine-based grocery store chain, for breaches of consumers’ credit-card data at various locations of Hannaford stores throughout New England and Florida. In dismissing the majority of the claims, the court allowed a limited number of negligence-based claims to move forward, provided that plaintiffs could demonstrate actual damages.

In March of 2008, after knowing about the data breach for three weeks, Hannaford revealed that data on roughly 4.2 million credit and debit cards had been compromised by a hacker between December 2007 and March 2008. By June 2008, more than 20 class actions were filed in the U.S. District Court of Maine by plaintiffs seeking damages for time and money lost as a result of the data thefts, which resulted in the Judicial Panel on Multidistrict Litigation consolidating the actions into a single action last summer.

The court ultimately dismissed four of the plaintiffs’ claims based on Maine state law, saying that the plaintiffs had merely suffered ordinary inconveniences, which could not be recovered under Maine law. The dismissed claims included breach of implied warranty, breach of confidential relationship, failure to advise customers of the data breach and strict liability.

In allowing the plaintiffs to proceed with three claims, the court held that a jury could find a basis for liability if the claims of breach of implied contract, negligence and violation of the Maine unfair trade practices statute could be supported by evidence.

On the breach of implied contract claim, the court stated that an implied contract based on the purchase of goods from Hannaford could include an implied term that Hannaford would “take reasonable measures” to safeguard the information used with credit-card purchases.

As for negligence, the court said a jury could find that Hannaford owed its customers a duty to protect and safeguard customers’ private credit-card information. A jury also could find violation of Maine’s consumer protection and unfair trade practices statute if Hannaford was negligent in its failure to protect consumer data, according to the court, which noted that these three claims could only move forward if the plaintiffs could demonstrate that they faced actual damages as a result of the data breach.

Vigilance required

In this case, all but one of the plaintiffs were unable to show damages necessary to support their claims of breach of implied contract, negligence or claims under the Maine unfair trade practices statute.

The court noted that emotional damages and incidental damages were not recoverable and held that fraudulent charges made on a credit card could be considered actual damages as long as the plaintiffs had remained liable for fraudulent charges.

Thus the court dismissed the plaintiffs’ claims if they had not been liable for fraudulent charges, or if they had been liable but ultimately were reimbursed or had the charges reversed by their credit-card companies. A single plaintiff survived dismissal, as she had not been reimbursed by her credit-card company for fraudulent charges and remained liable for the charges.

The Maine court’s decision provides a precedent for companies faced with data breaches to defend breach cases and to avoid liability if consumers are unable to demonstrate actual damages, including that they were held responsible for fraudulent charges, or the charges were not reimbursed or reversed.

Despite the claim of time and money lost as a result of personal data thefts, as well as the emotional damage caused by a breach of personal data, consumers must show more than inconvenience to be successful in a claim for data breaches caused by the negligent protection of the data.

While this is a welcome decision for the defense of class actions, companies will still face such actions for these types of claims, especially when damages can be more easily proven. Vigilance is still the best way to avoid these claims.

Scott O’Connell, deputy chair of the Litigation Department and Practice Group Leader, Class Actions & Aggregate Litigation, is based in the Manchester office of Nixon Peabody LLP. He can be reached at