In re Hannaford Bros. Co. Customer Data Security Breach Litigation, MDL Docket No. 2:08-MD-1954.

• Decision Date: 12 May 2009
• Docket Number: MDL Docket No. 2:08-MD-1954.
• Parties: In re HANNAFORD BROS. CO. CUSTOMER DATA SECURITY BREACH LITIGATION.
• Court: U.S. District Court — District of Maine

613 F.Supp.2d 108

In re HANNAFORD BROS. CO. CUSTOMER DATA SECURITY BREACH LITIGATION.

MDL Docket No. 2:08-MD-1954.

United States District Court, D. Maine.

May 12, 2009.

COPYRIGHT MATERIAL OMITTED

COPYRIGHT MATERIAL OMITTED

COPYRIGHT MATERIAL OMITTED

COPYRIGHT MATERIAL OMITTED

Peter L. Murray, Esq., Murray, Plumb & Murray, Lewis J. Saul, Lewis Saul & Associates, Portland, ME, for Plaintiffs.

Clifford Ruprecht, John K. Hatch, Gavin G. McCarthy, Pierce Atwood LLP, Portland, ME, Cynthia L. May, Peter W. Zinober, Greenberg Traurig LLP, Tampa, FL, Michael A. Oakes, Richard L. Wyatt, Jr., Akin Gump Strauss Hauer & Feld LLP, Washington, DC, for Defendants.

DECISION AND ORDER ON DEFENDANT HANNAFORD BROS. CO.'S MOTION TO DISMISS

D. BROCK HORNBY, District Judge.

A customer uses a credit card or debit card to buy groceries. A third party steals the electronic payment data from the grocer. Can the customer then recover from the grocer any loss resulting from the third-party data theft? That is the question this case poses.

The consumer plaintiffs see electronic payment systems as a technological development that, in addition to convenience, has created great risk of fraud to consumers, "increas[ing] exponentially the risk that consumers will be victimized by fraudulent misuse of their account access information." According to them, "the financial chaos and disruption of personal affairs that will churn in the wake of a massive theft of confidential credit and debit card access information is readily foreseeable, indeed, almost inevitable." The plaintiffs say that "[t]he law must step in to protect persons impacted by the actions of others over whom they have no effective control. This is certainly the case with credit card customers versus merchants and financial institutions."¹

The defendant grocer, Hannaford Bros. Co. ("Hannaford"), on the other hand, sees a well-functioning financial payment system that depends upon complex contractual relationships among the participants. These participants are consumers, merchants, organizations that create the card brands, banks that issue the cards to the consumers, and banks that accept the card transactions presented to them by the merchants.² Hannaford points to consumer protections that law and contract already provide,³ and lists "numerous reasons why the institutional competencies of the judiciary are not well-suited to supplementing the protection given by legislation and private rule."⁴ Hannaford urges that "courts should not step in" and "may work mischief for all by altering the balance of interests set by agreement."⁵ Hannaford believes that any consumer recourse should lie only against the banks that issue the cards and post the transactions to the consumers' accounts, not against merchants like Hannaford.⁶

For those wanting a definitive answer to this question of who should bear the risk of data theft in electronic payment systems, my ruling will be unsatisfactory. In this case, the answer depends wholly on state law, and the state law is still undeveloped. My role as a federal judge is simply to apply state law, not extend it, retract it, or modify it through broad strokes so as to accommodate the complex financial arrangements and risks that the parties portray.⁷

My answer to the liability question between customer and grocer is this: Under Maine law as I understand it, when a merchant is negligent in handling a customer's electronic payment data and that negligence causes an unreimbursed fraudulent charge or debit against a customer's account, the merchant is liable for that loss. In the circumstances of this case, there may also be liability under Maine's Unfair Trade Practices Act ("UTPA")⁸ for an unfair or deceptive trade practice.⁹ But if the merchant is not negligent, or if the negligence does not produce that completed direct financial loss and instead causes only collateral consequences—for example, the customer's fear that a fraudulent transaction might happen in the future, the consumer's expenditure of time and effort to protect the account, lost opportunities to earn reward points, or incidental expenses that the customer suffers in restoring the integrity of the previous account relationships—then the merchant is not liable.

I rule here on Hannaford's motion to dismiss the plaintiffs' consolidated complaint for failure to state a claim upon which relief may be granted. Fed.R.Civ.P. 12(b)(6). I heard oral argument April 1, 2009. For purposes of the motion, I must assume that all that the plaintiffs say in their consolidated complaint is true,¹⁰ because Hannaford's contention is that even if it all is true, the plaintiffs are entitled to no relief from or against Hannaford. Hannaford's motion is GRANTED IN PART AND DENIED IN PART.

FACTS

The plaintiffs have been customers at Hannaford, at Sweetbay supermarkets in Florida owned by Hannaford, and at independent stores where Hannaford provides electronic payment processing services.¹¹ "[I]n the course of making purchases at these stores, ... [they] made use of debit cards and credit cards issued by financial institutions to access their bank accounts or create credit relationships."¹² They say that Hannaford "provided electronic payment services," but failed "to maintain the security of private and confidential financial and personal information of ... credit and debit card customers" at supermarkets in Maine, Vermont, New Hampshire, New York, Massachusetts, and Florida.¹³

The plaintiffs say that, beginning December 7, 2007, third-party "wrongdoers obtained access to [Hannaford's] information technology systems and, until containment of this security breach on or about March 10, 2008, stole private and confidential debit card and credit card information, including up to an estimated 4.2 million debit card and credit card numbers, expiration dates, security codes, PIN numbers and other information belonging to [the] [p]laintiffs and other customers ... who had used debit cards and credit cards to transact purchases at supermarkets owned or operated by [Hannaford]."¹⁴ The plaintiffs do not claim that wrongdoers acquired customer names from Hannaford.¹⁵ They say that credit card association Visa, Inc. notified Hannaford on February 27, 2008, that Hannaford's information technology system had been breached,¹⁶ and that Hannaford discovered the means of access on March 8, 2008,¹⁷ contained it and notified certain financial institutions on March 10, 2008,¹⁸ but made no public disclosure until March 17, 2008,¹⁹ and even then, made an inadequate disclosure.²⁰

"As a result of this breach of security," the plaintiffs claim that they incurred the following damages: (i) customers' "debit cards and credit cards were exposed and subjected to unauthorized charges;" (ii) their "bank accounts were overdrawn and credit limits exceeded;" (iii) they "were deprived of the use of their cards and access to their funds;" (iv) they "lost accumulated miles and points toward bonus awards and were unable to earn points during the interval their cards were inactivated;" (v) those customers "who requested their cards be cancelled were required to pay fees to issuing banks for replacement cards;" (vi) those customers "who had registered their cards with online sellers were required to cancel and change their registered numbers;" (vii) their "preauthorized charge relationships were disrupted;" (viii) they "expend[ed] time, energy and expense to address and resolve these financial disruptions and mitigate the consequences;" (ix) they "suffered emotional distress;" (x) their "credit and debit card information is at an increased risk of theft and unauthorized use;" and (xi) some customers "purchased identity theft insurance and credit monitoring services to protect themselves against possible consequences."²¹

The plaintiffs have sued Hannaford for damages for those losses and for injunctive relief. In addition to damages, they want me to order Hannaford to provide credit monitoring to all affected customers and notify each of them "exactly what private and confidential financial and personal information of each Class member was exposed to theft and was, in fact, stolen."²²

ANALYSIS

(1) Jurisdiction

The plaintiffs want to bring this lawsuit as a class action. They assert federal jurisdiction under the Class Action Fairness Act of 2005 ("CAFA"), 28 U.S.C. § 1332(d). To satisfy that statute, they allege that at least one plaintiff has citizenship different from the defendant Hannaford that there are more than 100 class members, and that the amount in controversy exceeds $5 million.²³ Hannaford has not contested federal jurisdiction.

(2) Choice of Law

As a result of a Multi-District Litigation Judicial Panel Transfer Order, this lawsuit consists of cases from Florida, Maine, New Hampshire, Massachusetts, New York and Vermont.²⁴ It is an interesting question which state's or states' laws should apply to grocery transactions occurring in these six different states. (No party contends that federal law governs.) According to the Consolidated Complaint, Hannaford is incorporated and headquartered in Maine.²⁵ It provided the electronic payment processing services for all the transactions—those at its own named stores throughout Maine, New Hampshire, Massachusetts, New York and Vermont, those in Florida at its sister corporation Kash `N Karry (Sweetbay)'s stores, and those at certain independently owned stores in various states.²⁶ Upon reading the parties' legal memoranda, I had expected that I might have to differentiate among state laws according to where the transaction in question occurred; state laws vary significantly on some of the issues I discuss in this opinion. Moreover, both sides went to great lengths to reconcile various lower court decisions from a number of states.²⁷ But at oral argument the parties agreed that Maine law alone should control the outcome of the defendant's 12(b)(6) motion.²⁸ I therefore make my...