In a departure from most other courts, the United States Court of Appeals for the First Circuit has concluded that Maine law allows plaintiffs to recover certain damages arising from a data breach. Anderson v. Hannaford Bros. Co., — F.3d —-, 2011 WL 5007175 (1st Cir. Oct. 20, 2011). Hannaford’s holding regarding damages, as described in detail below, highlights the potential litigation risks associated with a data breach.
In Hannaford, the plaintiffs brought a class action complaint against Hannaford Brothers Company alleging several causes of actions arising from a data breach. Id. at *1. The data breach arose out of hackers accessing Hannaford’s credit and debit card processing system. Id. The hackers allegedly stole credit and debit card numbers of 4.2 million Hannaford customers, leading to over 1,800 cases of fraud. Id.
Reviewing the trial court’s decision partially granting and partially denying Hannaford’s motion to dismiss, the First Circuit concluded that the plaintiffs had stated two causes of action under Maine law – breach of implied contract and negligence – and could likewise properly claim certain damages under those causes of action. Id. at **1, 8. In analyzing the damage issue, the court focused on so-called “mitigation” damages. Id. at *8. The court first found under Maine law that “damages must be “reasonably foreseeable.” Id. The court then found that a plaintiff may “recover for costs and harms incurred during a reasonable effort to mitigate” harm. Id. at *9. “To recover mitigation damages, plaintiffs need only show that the efforts to mitigate were reasonable, and that those efforts constitute a legal injury, such as actual money lost, rather than time or effort expended.” Id.
In deciding the plaintiffs had taken reasonable steps to mitigate their potential damages, including paying card replacement fees and buying credit insurance, the court focused on the fact that the case involved a sophisticated hacking attack that allegedly lead to many fraud cases. Id. at **10-11. The court went to great lengths to distinguish data breach cases where no subsequent fraud had occurred or where there was no allegation that the data theft was anything other than incidental to the “theft of expensive computer equipment.” Id. Instead, the court found, in this case, some people had already allegedly been fraud victims. It was thus foreseeable “that a customer, knowing that her credit or debit card data had been compromised and that thousands of fraudulent charges had resulted from the same security breach” would take steps to mitigate her potential damages. Id. at *11.
Although Hannaford will likely encourage plaintiffs to file data breach lawsuits, Hannaford also underscores the difficulty plaintiffs will likely have certifying a class for such claims, particularly a nationwide class. In Hannaford, the First Circuit had to engage in extensive analysis of unsettled state law before concluding plaintiffs had properly alleged damages under a single state’s law. The task of deciding whether multiple states’ laws would allow for damages given the particular facts of a case will likely prevent plaintiffs from satisfying Rule 23(b)(3)’s predominance requirement. Under the predominance requirement, plaintiffs must show through extensive analysis that there are no material variations in state law. This will likely prove to be a hard – if not impossible – task where more than a few states’ laws are at issue.