James (Jim) R. McCullagh and Amelia M. Gerlicher of Perkins Cole recap the status and issues in a class action lawsuit against Hannaford Bros:
This is the latest opinion in the ongoing litigation arising out of a massive data breach suffered by Hannaford Bros. grocery stores. In re Hannaford Bros. Privacy Litigation, __F. Supp. 2d __, Case No. 2:08-MD-1954-DBH, 2013 WL 1182733 (D. Me. Mar. 20, 2013).
The litigation arises out of a criminal attack on the payment card systems at the Hannaford Bros. grocery chain in late 2007 and 2008, which potentially affected over 4 million card numbers. The district court initially dismissed the action after the plaintiffs stipulated that none of the plaintiffs had incurred fraudulent charges that had not been reimbursed. The court certified a question to the Maine Supreme Judicial Court, which agreed that in the absence of physical harm, economic loss or identity theft, the time and effort spent to avoid or remediate reasonably foreseeable harm did not constitute cognizable injuries for which damages may be recovered under Maine law.[1]
On appeal, the U.S. Court of Appeals for the First Circuit reversed with regard to two of the claims, finding that the plaintiffs had alleged sufficient injury for their negligence and implied breach of contract claims because “fees for replacing cards and the cost of identity theft protection products were foreseeable costs to mitigate any harm arising from the data breach.”
Finding themselves back before the district court, plaintiffs moved to certify a class consisting of those “Hannaford customers who incurred out-of-pocket costs in mitigation efforts that they undertook in response to learning of the data intrusion.” The court addressed each of the factors provided in Federal Rule of Civil Procedure 23 and ultimately denied certification based only on a finding that plaintiffs’ failure to provide expert testimony supporting its theory of classwide damages meant that common issues would not predominate with regard to damages. The plaintiffs moved for reconsideration on April 4, 2013, further clarifying their theory of damages and asking for 60 days to obtain and tender to the court appropriate expert evidence.[2] Because data breach class actions rarely get to this point, a summary of the court’s review of each element follows.
Read their recap and analysis on Perkins Cole.
Expert testimony, Hummm This is good for those that are breached, and well BAd for those that have been breached.
With this ruling, doesn’t it give a breached entity a bit of a cushion knowing that most classic Class Action lawsuits won’t ever go that far?
Will it allow the entities to lower their guard? Who the heck is an “expert” on what it will cost for an indivual to recover from a breach?
This opens up a Huge can of worms. Its the beginning of many questions. How do you absolutely prove that the breach at a particular entity is related to your loss? The only way to consider it without a shadow of a doubt, is if you only used the information and say payment information on that site, and only on that site. Otherwise a prior unreported, or database was recently used with a person’s PII on it and it was near perfect timing.
This is a train wreck, unless the government assign a personal six digit or more PIN to the end of the SSN, and the use of SSN’s are strictly forbidden to be used online or stored online, then this will NEVER be fixed.
Crooks are smart. They will milk the cow until it is dry. Right now this cow is Obese and full of…. something.