October 30, 2009
Maine High Court To Decide Whether Class In Data Breach Action Can Recover For Lost Time And Inconvenience
As anyone who has ever misplaced a credit card knows, consumers who learn that their credit or debit card data has been stolen endure a significant amount of inconvenience. The existing account must be canceled. A new account may need to be opened. The consumer may be without a credit or debit card while awaiting delivery of a new card. Automatic payments must be transferred from the cancelled card to the new card. The consumer ends up devoting a considerable amount of time to undoing the disarray caused by the theft of the consumer’s credit or debit card data.
Can consumers recover against retailers for that lost time and effort when a breach of the retailer’s computer systems results in disclosure of their credit and debit card data? The Maine Supreme Judicial Court is being asked to address that question by Judge Brock Hornby, the federal judge in the Hannaford Brothers data breach litigation. That consolidated class action has been brought on behalf of Hannaford customers whose credit and debit card data was compromised in a breach of the computer systems of the Maine-based grocery store chain. Defendants sought and obtained dismissal of claims asserted by named plaintiffs whose data had been stolen but who had not suffered any out-of-pocket losses as a result of the data breach. Such plaintiffs’ lack of out-of-pocket damages, Judge Hornby concluded, was fatal to their claims for breach of contract and violation of Maine’s consumer protection statute.
Plaintiffs asked Judge Hornby to reconsider his ruling, arguing that the question of whether lost time and effort is legally cognizable injury under Maine law had not been addressed by the Supreme Judicial Court, Maine’s highest court, and that authority from other jurisdictions supports such claims. Defendants cited conflicting authority from other states holding such injuries to be insufficient as a matter of law. Judge Hornby agreed with plaintiffs that the issue remained undecided under Maine law but found that there was a split in the other jurisdictions that addressed the issue. Accordingly, he certified the question of whether lost time and injury constitute legally sufficient injury to the Maine Supreme Judicial Court. Should that court rule that such injury is cognizable under Maine law, Judge Hornby would then decide whether or not his original dismissal should stand.
The issue that Maine’s high court is being asked to resolve has plagued would-be plaintiffs in consumer data breach class actions. It is very difficult to prove out-of-pocket damages for the majority of class members in a data breach class action. While a debit card holder whose bank account was accessed by a hacker could probably prove such a loss, credit card holders typically are not required to pay for fraudulent charges against their accounts and could not show any out-of-pocket losses from a data breach. The same would be true for cardholders whose accounts were cancelled in the wake of a data breach before fraudulent charges could be made. These considerations make it difficult to assert data breach claims on behalf of classes consisting of all consumers whose credit or debit card data was included in a compromised retail database. For most consumers, the inconvenience of having to rearrange their accounts is the only injury that results from a data breach. Thus, the number and scope of data breach class actions would be likely to be substantially curtailed absent judicial endorsement of such inconvenience as legally-cognizable injury.
A win on this issue, however, would not eliminate all of the obstacles facing a consumer data breach class. Proof of the existence and extent of such injury would raise highly individualized issues of fact that would imperil certification of a plaintiff class. Under Rule 23 of the federal rules of civil procedure, a plaintiff class seeking money damages cannot be certified unless issues of fact and law common to the class as a whole predominate over issues relevant to individual class members. Ordinarily, individual issues as to the amount of damages do not preclude class certification, but the need to engage in customer-by-customer inquiries to determine whether class members have suffered any injury can preclude class certification. Likewise, unlike claims such as securities fraud in which individual damages could be calculated on a mechanistic share-by-share basis, figuring out how much to award in damages based on a particular plaintiff’s circumstances in a data breach case would bog down into unmanageable individual mini-trials. Should the person who simply cancels a credit card recover as much as someone who needs to open a new account? Is the person who also has to transfer payment of her newspaper subscription entitled to recover as much as the person who has two or three automatic payments to transfer? And how are these differences valued? The numerous types of inconveniences that class members could conceivably suffer, and the almost infinite combinations in which they might be presented, make it impossible to address the existence and amount of such damages without engaging in plaintiff-by-plaintiff inquiries. Given these considerations, defendants would have strong arguments to resist class certification even if the Maine Supreme Judicial Court rules in plaintiffs’ favor on this issue.
Copyright © 2009 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.
This communication may be considered attorney advertising under the rules of some states. The information and materials contained herein have been provided as a service by the law firm of Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. to its clients and friends; however, the information and materials do not, and are not intended to, constitute legal advice. Neither transmission nor receipt of such information and materials will create an attorney-client relationship between the sender and receiver. The hiring of an attorney is an important decision that should not be based solely upon advertisements or solicitations. Users are advised not to take, or refrain from taking, any action based upon the information and materials contained herein without consulting legal counsel engaged for a particular matter. Furthermore, prior results do not guarantee a similar outcome.
list is maintained at Mintz Levin’s main office, located at One Financial
Center, Boston, Massachusetts 02111. If you no longer wish to receive electronic
mailings from the firm, please visit http://
For assistance in this area, please contact one of the attorneys listed below or any member of your Mintz Levin client service team.
Kevin M. McGinty
Michael S. Gardener
Laurence A. Schoen
Cynthia Larose, CIPP
Bruce D. Sokler
Dianne J. Bourque
Robert G. Kidwell
Haydon A. Keitner
Meredith M. Leary
Julia M. Siripurapu