In re Hannaford Bros. Co. Customer Data Sec. Breach Litig.
| Decision Date | 20 March 2013 |
| Docket Number | No. 2:08-MD-1954-DBH,2:08-MD-1954-DBH |
| Parties | IN RE HANNAFORD BROS. CO. CUSTOMER DATA SECURITY BREACH LITIGATION |
| Court | U.S. District Court — District of Maine |
Hannaford grocery stores suffered a massive technological intrusion at their retail points of sale during the period December 7, 2007 through March 10, 2008. Customers' debit and credit card data was stolen, and many lawsuits against Hannaford followed. After rulings by the Maine Supreme Judicial Court sitting as the Law Court and by the Court of Appeals for the First Circuit, the claims against Hannaford have been pared down to negligence and breach of implied contract, and the damages are limited to out-of-pocket expenditures customers made in reasonable attempts to mitigate against economic injury. Four named plaintiffs now have moved for certification of a Rule 23(b)(3) class to pursue claims for fees to obtain new cards; fees paid to expedite delivery of new cards; and fees paid for identity theft insurance and credit monitoring. The defendant Hannaford has objected. After oral argument on November 30, 2012, I find that the plaintiffs fail to meet the predominance requirement of Rule 23(b)(3) and DENY the motion for class certification.
The plaintiffs are grocery store customers of the defendant Hannaford.1 They claim that a third party criminally breached Hannaford's information technology systems at the retail point of sale and gained access to the customers' confidential financial and personal information during a 3-month period as a result of negligence and breach of implied contract on Hannaford's part. They filed class action lawsuits in this District and in other Districts. The Judicial Panel on Multidistrict Litigation transferred all the lawsuits here.
The plaintiffs then filed a consolidated complaint that alleged seven claims against Hannaford. Hannaford moved under Rule 12(b)(6) to dismiss all claims for failure to state a cause of action.
I dismissed four of the plaintiffs' seven claims for failure to state a claim. I allowed three to proceed, but only as to a plaintiff who, as a result of the intrusion, had incurred fraudulent charges and had not been reimbursed. Otherwise, I ruled that the plaintiffs had suffered no injury cognizable under Maine law. Thereafter, the plaintiffs stipulated that in fact that particular plaintiff had received reimbursement. I then dismissed the consolidated class action complaint in its entirety either for failure to state a claim or for lack of cognizable injury, but I delayed entry of judgment while I certified to the Maine Supreme Judicial Court sitting as the Law Court the question:
(1) In the absence of physical harm or economic loss or identity theft, do time and effort alone, spent in a reasonable effort to avoid or remediate reasonably foreseeable harm, constitute a cognizable injury for which damages may be recovered under Maine law of negligence and/ or implied contract?2
In re Hannaford Bros. Co. Customer Data Sec. Breach Litig., 671 F.Supp.2d 198, 201 (D. Me. 2009).
The Law Court answered no, agreeing with me that time and effort alone do not constitute a cognizable harm under Maine Law. In re Hannaford Bros. Co. Customer Data Sec. Breach Litig., 4 A.3d 492, 498 (Me. 2010). I then entered judgment in favor of Hannaford, dismissing all claims.
On appeal, the First Circuit upheld my dismissal of five claims. But on negligence and breach of implied contract—where I ruled that the plaintiffs had stated a claim, but had not alleged cognizable injury for which to obtain relief— the Circuit ruled that the plaintiffs had sufficiently alleged categories of damages that were not time and effort alone and that were reasonably foreseeable mitigation costs that constitute cognizable harm under Maine law. Those were the fees for replacing cards and the cost of data theft protection products. As a result, the First Circuit ruled, the plaintiffs could proceed on their negligence and breach of implied contract claims, and it vacated and remanded accordingly. Anderson v. Hannaford Bros. Co., 659 F.3d 151 (1st Cir. 2011).
Upon remand, the plaintiffs filed this new motion for class certification under Rule 23(b)(3), recasting their proposed class in light of the law of the case. The proposed class now is:
All persons or entities anywhere in the United States who made purchases at stores owned or operated by Defendant or for which Defendant provided electronic payment processing services, during the period from December 7, 2007 through March 10, 2008, using debit or credit cards, and who made reasonable out of pocket expenditures in mitigation of the consequences to them of an electronic breach of Defendant's data security during this period consisting of 1) payment of fees to obtain prompt replacement of cancelled cards and 2) purchase of security products such as credit monitoring and identity theft insurance.
In other words, the proposed class now is limited to Hannaford customers who incurred out-of-pocket costs in mitigation efforts that they undertook in response to learning of the data intrusion.
I proceed to assess whether the plaintiffs satisfy the Rule 23(a) and (b)(3) criteria:
A. Rule 23(a)
The proposed class consists of those customers who spent money to obtain prompt replacement of their cards and/or purchased credit monitoring and identity theft insurance. Is their number sufficient to satisfy the numerosity requirement?
The numerosity requirement is satisfied when "the class is so numerous that joinder of all members is impracticable." Fed. R. Civ. P. 23(a)(1). There is no strict numerical test; "[t]he numerosity requirement requires examination ofthe specific facts of each case and imposes no absolute limitations." Gen. Tel. Co. v. EEOC, 446 U.S. 318, 329-30 (1980). Although numbers alone are "not usually determinative," Andrews v. Bechtel Power Corp., 780 F.2d 124, 131 (1st Cir. 1985), the sheer number of potential litigants in a class can be the only factor needed to satisfy numerosity. In re Sonus Networks, Inc. Sec. Litig., 247 F.R.D. 244, 248 (D. Mass. 2007); Swack v. Credit Suisse First Boston, 230 F.R.D. 250, 258 (D. Mass. 2005); In re Relafen Antitrust Litig., 218 F.R.D. 337, 342 (D. Mass. 2003) (("forty individuals [are] generally found to establish numerosity"); 1 Herbert Newberg & Alba Conte, Newberg on Class Actions § 3.05, at 3-25 (3d ed. 1992) (). While the named plaintiffs need not plead or prove the exact number of class members, speculation is insufficient, and they must positively show the impracticability of joinder. 7A Charles Alan Wright & Arthur R. Miller, Mary Kay Kane, Federal Practice And Procedure § 1762 (3d Ed. 2001) ().
Here, the named plaintiffs rely on data from three representative card issuers that dealt with Hannaford customers, Discover, KeyBank and Bank of America. This data shows fees associated with card replacement, expedited replacement, and identity theft protection products during the year following the Hannaford data breach. The data from Bank of America shows that approximately 12,000 card holders whose data was "reportedly subject to asecurity breach at Hannaford" purchased identity theft protection in the year following the Hannaford data breach. Decl. of Lori Lamb ¶ 6 (ECF No. 161-4); Lamb Ex. A (ECF No. 141-5). The number of Bank of America cardholders who purchased identity theft protection doubled from December 2007 to January 2008 and then the number continued increasing until April 2009. In May 2009, the number of Bank of America cardholders who purchased new identity theft protection policies began to decline, but did not drop to prebreach numbers until November 2009. Lamb Ex. A (ECF No. 141-5). The data from Discover shows that approximately five thousand card holders whose Discover cards may have been compromised purchased identity theft protection products in the year following the Hannaford data breach. Murray Decl. (ECF No. 161-11); Murray Ex. B (ECF No. 161-13). The number of Discover cardholders who purchased new identity theft protection products increased after December 2007 and did not return to prebreach levels until July 2008. Murray Ex. B (ECF No. 161-13). The data from KeyBank shows that approximately 14,000 cardholders were charged replacement fees in the year following the Hannaford data breach.3 Decl. of David Sanderson (ECF No. 161-6); Sanderson Ex. A (ECF No. 161-7).
I conclude that this data satisfies the numerosity requirement, and that the numbers alone demonstrate impracticality of joinder. I recognize that correlation does not demonstrate causation, and that I cannot be confidentthat the Hannaford incident was the sole cause for all these expenses. But at this stage of class certification the challenge is to predict whether the class will be large. When assessing the size of the putative class, courts may "draw reasonable inferences from the facts presented to find the requisite numerosity." McCuin v. Secretary of Health and Human Services, 817 F.2d 161, 167 (1st Cir. 1987). Given the patterns shown here for these card issuers and the absence of alternative persuasive explanations for those patterns,4 I conclude that the number of Hannaford customers who incurred these fees as a result of the breach is sufficient to satisfy Rule 23(a)(1).
In opposing the numerosity finding, Hannaford points to In re Heartland Payment Sys., Inc. Customer Sec. Breach Litig., 851 F. Supp. 2d 1040, 1047 & n.2, 1050 (S.D. Tex. 2012). That was a case also involving a credit card data breach. There...
To continue reading
Request your trial