Anderson v. Hannaford Bros. Co.

• Citation: 659 F.3d 151
• Decision Date: 20 October 2011
• Docket Number: 10–2450.,Nos. 10–2384,s. 10–2384
• Parties: John ANDERSON, Jessica Choate, Michael Cyr, Elizabeth Dowd, Steve Earley, Cyndi Fear, Thomas Fear, Mark Follansbee, Carlton Greely, Robert Hanson, Bruce Hatch, Pauline Hatch, John Hutchings, Nancy Hutchings, Robert Jenkins, Pamela LaMotte, Pamela Merrill, Jeanne Smith, Eileen Turcotte, Lori Valburn and Pamela Williams, Plaintiffs, Appellants/Cross–Appellees,v.HANNAFORD BROTHERS CO., Defendant, Appellee/Cross–Appellant,Delhaize America Inc., and Kash N' Karry Food Stores Inc., Defendants, Appellees.
• Court: United States Courts of Appeals. United States Court of Appeals (1st Circuit)

659 F.3d 151

John ANDERSON, Jessica Choate, Michael Cyr, Elizabeth Dowd, Steve Earley, Cyndi Fear, Thomas Fear, Mark Follansbee, Carlton Greely, Robert Hanson, Bruce Hatch, Pauline Hatch, John Hutchings, Nancy Hutchings, Robert Jenkins, Pamela LaMotte, Pamela Merrill, Jeanne Smith, Eileen Turcotte, Lori Valburn and Pamela Williams, Plaintiffs, Appellants/Cross–Appellees,

v.HANNAFORD BROTHERS CO., Defendant, Appellee/Cross–Appellant,Delhaize America Inc., and Kash N' Karry Food Stores Inc., Defendants, Appellees.

Nos. 10–2384

10–2450.

United States Court of Appeals, First Circuit.

Heard Sept. 8, 2011.Decided Oct. 20, 2011.

Peter L. Murray, with whom Thomas C. Newman, Nicole L. Bradick, Murray, Plumb & Murray, Lewis Saul, and Lewis Saul Associates were on brief, for appellants/cross-appellees.Clifford H. Ruprecht, with whom William J. Kayatta, Jr., Catherine R. Connors, Joshua D. Dunlap, and Pierce Atwood LLP were on brief, for appellees/cross-appellant.Before LYNCH, Chief Judge, TORRUELLA and THOMPSON, Circuit Judges.LYNCH, Chief Judge.

Plaintiffs appeal from the dismissal of their Maine state law claims arising out of the unauthorized use of their credit and debit card data after hackers breached the electronic payment processing system of defendant Hannaford Brothers Co., where plaintiffs had shopped for groceries and used those cards.

The district court determined that plaintiffs failed to state a claim under Maine law for breach of fiduciary duty, breach of implied warranty, strict liability, and failure to notify customers of the data breach. Although the district court concluded that the plaintiffs adequately alleged breach of implied contract, negligence, and violation of the unfair practices portion of the Maine Unfair Trade Practices Act (UTPA), the district court dismissed those claims because it determined the plaintiffs' alleged injuries were too unforeseeable and speculative to be cognizable under Maine law. In re Hannaford Bros. Co. Customer Data Sec. Breach Litig., 613 F.Supp.2d 108 (D.Me.2009).

We affirm in part and reverse in part. We affirm the district court's dismissal of all claims other than the plaintiffs' negligence and implied contract claims. We reverse the district court's dismissal of the plaintiffs' negligence and implied contract claims as to certain categories of alleged damages because plaintiffs' reasonably foreseeable mitigation costs constitute a cognizable harm under Maine law.

I.

The facts as alleged by plaintiffs in their consolidated putative class action complaint are as follows.

Hannaford is a national grocery chain whose electronic payment processing system was breached by hackers as early as December 7, 2007.¹ The hackers stole up to 4.2 million credit and debit card numbers, expiration dates, and security codes, but did not steal customer names. On February 27, 2008, Visa Inc. notified Hannaford that Hannaford's system had been breached. Hannaford discovered the means of access on March 8, 2008, and contained the breach on March 10, 2008. Hannaford gave notice to certain financial institutions on March 10, 2008. On March 17, 2008, “Hannaford publicly announced for the first time that between December 7, 2007 and March 10, 2008, the security of its information technology systems had been breached, leading to the theft of as many as 4.2 million debit card and credit card numbers belonging to individuals who had made purchases at more than 270 of its stores.” It also announced “that it had already received reports of approximately 1,800 cases of fraud resulting from the theft of those numbers.” The unauthorized charges originated in locations across the globe, including New York, Spain, and France.

Following Hannaford's announcement, some financial institutions immediately cancelled customers' debit and credit cards and issued new cards, while others did not do so, telling the cardholder they wished to wait for evidence of unauthorized activity before taking action. Further, as alleged in the complaint, “financial institutions who did not immediately cancel customers' cards monitored customer accounts for unusual activity and cancelled cards immediately upon being aware of apparent fraudulent charges or attempts to make apparently fraudulent charges, in many cases, without the knowledge of the customer.” Additional “customers suffered unauthorized charges to their debit card and credit card accounts.” Moreover, “customers who requested that their cards be cancelled were required to pay fees to issuing banks for replacement cards” and “customers purchased identity theft insurance and credit monitoring services to protect themselves against possible consequences of the breach.”

The Judicial Panel on Multidistrict Litigation consolidated twenty-six separate suits against Hannaford arising out of the breach into one lawsuit in the District of Maine. The consolidated complaint alleged that at least fourteen of the named plaintiffs actually had unauthorized charges charged against their accounts. Seventeen of the named plaintiffs had their cards cancelled by the bank, and two named plaintiffs requested that their issuers give them replacement cards.

The plaintiffs alleged seven causes of action: (1) breach of implied contract; (2) breach of implied warranty; (3) breach of duty of a confidential relationship; (4) failure to advise customers of the theft of their data; (5) strict liability; (6) negligence; and (7) violation of the Maine UTPA. Plaintiffs sought damages as well as injunctive relief in the form of credit monitoring and notification of precisely what information was stolen. Hannaford moved to dismiss all claims, and the parties agreed that Maine law would govern the dispute.

Plaintiffs allege that Hannaford customers, including the plaintiffs, experienced more than the 1,800 unauthorized charges to their accounts which were known to Hannaford when it made its announcement on March 17. Plaintiffs also plead that they experienced several categories of losses said to be compensable damages for those plaintiffs who incurred them, including the cost of replacement card fees when the issuing bank declined to issue a replacement card to them, fees for accounts overdrawn by fraudulent charges, fees for altering pre-authorized payment arrangements, loss of accumulated reward points, inability to earn reward points during the transition to a new card, emotional distress, and time and effort spent reversing unauthorized charges and protecting against further fraud. In addition, they claim damages for the purchase of identity theft/card protection insurance and credit monitoring services.

In a carefully reasoned opinion, the district court granted Hannaford's motion to dismiss as to twenty of the twenty-one named plaintiffs.² In re Hannaford, 613 F.Supp.2d 108 (D.Me.2009). The district court dismissed four of the plaintiffs' seven claims—breach of warranty, breach of fiduciary duty, failure to notify, and strict liability—after concluding that the plaintiffs had not alleged facts stating a basis for these claims under Maine law. The district court allowed the implied contract, negligence, and UTPA claims to proceed.

For these three surviving claims, the district court concluded that dismissal depended on whether the plaintiffs' alleged injuries as pled were cognizable under Maine law. Id. at 131. To make this determination, the district court divided the plaintiffs into three categories. Id. at 131–35. The district court determined that the first category, composed of plaintiffs who did not have fraudulent charges posted to their accounts, could not recover because their claims for emotional distress are not cognizable under Maine law. Id. at 131–33. The district court concluded that the second category, composed of the single plaintiff whose fraudulent charges had not been reimbursed, could recover for her actual financial losses. Id. at 133.

As to the third category, composed of plaintiffs whose fraudulent charges had been reimbursed, the district court determined that their alleged consequential losses were “too remote, not reasonably foreseeable, and/or speculative (and under the UTPA, not a ‘substantial injury’).” Id. at 134. In particular, the district court explained, the claimed overdraft fees, loss of accumulated reward points, and loss of opportunities to earn reward points were not foreseeable at the time of sale. Id. at 134–35. Further, the district court determined that there was no way to value or compensate the time and effort that consumers spent to reverse or protect against losses, and that there was no allegation to justify the claim for identity theft insurance since no personally identifying information was alleged to have been stolen. Id. As a result, the district court determined that this third category of plaintiffs could not recover.

Finally, the district court denied the plaintiffs' requested injunctive relief because the named plaintiffs had already cancelled their compromised cards. Id. at 135.

After the district court ruling, the plaintiffs moved to certify several questions ³ to the Maine Supreme Judicial Court (the “Law Court”). The district court certified two questions:

(1) In the absence of physical harm or economic loss or identity theft, do time and effort alone, spent in a reasonable effort to avoid or remediate reasonably foreseeable harm, constitute a cognizable injury for which damages may be recovered under Maine law of negligence and/or implied contract?

(2) If the answer to question # 1 is yes under a negligence claim and no under an implied contract claim, can a plaintiff suing for negligence recover damages under Maine law for purely economic harm absent personal injury, physical harm to property, or misrepresentation?

In re Hannaford Bros. Co. Customer Data Sec. Breach Litig., 671 F.Supp.2d 198, 201 (D.Me.2009). The Law Court accepted the certification and answered the first question in the negative,...