I posted something on this decision earlier today, but David Navetta has such a helpful analysis of the ruling that I wanted to mention it here. His commentary begins:
In a significant development that could materially increase the liability risk associated with payment card security breaches (and personal data security breaches, in general), the U.S. Court of Appeals 1st Circuit (the “Court of Appeals”) held that payment card replacement fees and identity theft insurance/credit monitoring costs are adequately alleged as mitigation damages for purposes of negligence and an implied breach of contract claim. For some time, the InfoLawGroup has been carefully tracking data breach lawsuits that, for the most part, have been dismissed due to the plaintiffs’ inability to allege a cognizable harm/damages. In fact, we have been tracking the legal twists and turns of the Hannaford case with great interest (see e.g. here, here, here, here, here andhere). The decision in Hannaford could be a game changer in terms of the legal risk environment related to personal data breaches, and especially payment card breaches where fraud has been perpetrated. In this post, we summarize the key issues and holdings of the Court of Appeals.
Read more on InformationLawGroup.