Share Print Page

Filter results:
Dates: to

Apply Filters




Federal judge will seek state’s highest court for opinion on whether consumers can seek restitution for inconvenience of changing credit and debit cards after data breach
October 29, 2009
Privacy Alert

Our latest alert addresses the most recent developments in the litigation surrounding the 2007-2008 data breach involving the Hannaford Brothers supermarket chain. Significantly, the federal district court handling the litigation has decided to reach out to Maine’s highest state court for clarification of Maine common law on the question of whether time and effort alone, spent in a reasonable effort to avert reasonably foreseeable harm, constitute a cognizable injury. A decision by the Maine Supreme Judicial Court on the question could have an effect beyond the Hannaford case and Maine law.

Download PDF

“Do time and effort alone, spent in a reasonable effort to avert reasonably foreseeable harm, constitute a cognizable injury under Maine common law?”

A federal judge recently certified this question to the Maine Supreme Judicial Court (Maine’s highest court) so that it can provide its answer regarding the articulation of Maine law in the context of a data breech case involving thousands of consumers. This question opens the door to the possibility that consumers may recover for the inconvenience and hassle associated with stolen account numbers (i.e., changing payment cards and bank accounts) without any other injury. The decision Maine’s Supreme Judicial Court reaches could have a significant influence on how other courts handle this same issue.

By way of background, this same federal court ruled earlier this year that consumers cannot seek compensation for data breaches and thereafter dismissed essentially all of the civil data breach claims against Hannaford Brothers supermarket chain. In particular, U.S. District Court Judge D. Brock Hornby ruled that the victims whose bank card numbers were stolen in the 2007-2008 data breach of Hannaford Brothers were not entitled to sue if there was no actual and substantial loss of money or property.[1] Judge Hornby explained that the merchant is only liable for unreimbursed fraudulent charges against a consumer’s account. Judge Hornby also concluded that the hassles and losses of time that consumers suffered in dealing with the breach did not constitute actual financial losses. The court reasoned that “those are the ordinary frustrations and inconveniences that everyone confronts in daily life with or without fraud or negligence.”

Plaintiffs moved for reconsideration and for certification of four separate questions to Maine’s highest state court. Defendant asked for the certification of a fifth question. Judge Hornby denied the request to certify all but one of the questions, granting plaintiffs’ motion with respect to the recoverability of damages at common law for time and effort lost in the effort to avert harm.

Judge Hornby noted that if the Maine Supreme Judicial Court finds that the plaintiffs suffered a cognizable harm, the plaintiffs will have both a negligence claim and an implied contract claim. If the court finds that the consumers have the right to sue for lost time and effort, the case will come back to life and plaintiffs will seek class certification. On the other hand, if the Maine court finds that there is no cognizable injury, that will likely end the case.

There is no Maine precedent on this issue. Most courts have typically dismissed consumer class-action lawsuits for data breaches involving the compromise of credit and debit card data because the card-issuing banks usually compensate the consumer for any loss. Courts have also typically rejected the notion that consumers should be compensated for damages that they could suffer in the future as a result of a data breach (i.e. poor credit score rating).

The Maine court will likely take several months to issue a decision. The outcome of this case could significantly affect how other courts handle data breach claims going forward. In light of the potential impact, it is possible that interested persons may move for leave to file amicus briefing with the Maine court.

  1. The data breach at Hannaford Brothers exposed 4.2 million credit and debit card numbers to fraud and led to 1,800 reported cases of fraudulent charges. See W. Scott O’Connell, Linn Foster Freedman, Andrew Cosgrove, and Sabrina E. Dunlap, “Class action in data breach case largely eviscerated,” May 26, 2009, at
    [Back to reference]

The foregoing has been prepared for the general information of clients and friends of the firm. It is not meant to provide legal advice with respect to any specific matter and should not be acted upon without professional counsel. If you have any questions or require any further information regarding these or other related matters, please contact your regular Nixon Peabody LLP representative. This material may be considered advertising under certain rules of professional conduct.