Maine's Supreme Court To Decide If Consumers Should Be Compensated For Hannaford Security Breach

If a retailer doesn’t protect your credit card data and it gets stolen, should you be compensated? Not for any unauthorized charges, which are already covered under banks’ zero-liability protection, but for the time lost dealing with the problem, for the anxiety it causes, and for any future credit history/score issues it might cause?

Retailers have always been protected from having to pay those kinds of damages to customers who have had their data stolen, but now there’s a case going up before Maine’s state Supreme Court that asks whether that should change.

The retailer in question is Hannaford Supermarkets, an East Coast grocery chain. A year and a half ago, they reported that 4.2 million customer credit card records had been intercepted by crooks and sent overseas. Some of those customers sued Hannaford for damages.

The lawsuit came to a halt last May, when U.S. District Court Judge D. Brock Hornby ruled that Maine’s law “allows consumers to recover damages if the merchant’s negligence caused a direct loss to the consumer’s account,” and since customers were protected from direct loss due to zero-liability coverage by banks, Hannaford was off the hook.

The plaintiffs asked Judge Hornby to consider letting the state Supreme Court weigh in on the law, to determine whether it can be interpreted to also cover things like time lost dealing with the breach, or future dings on credit scores. He agreed, and wrote that the question that needs to be answered is, “Do time and effort alone, spent in a reasonable effort to avert reasonably foreseeable harm, constitute a cognizable injury under Maine common law?”

If the state Supreme Court decides they do constitute a “cognizable injury,” it would be a first for a retailer, and possibly open the way for other consumers to sue in civil court for damages that aren’t directly covered by zero-liability protection. That would in turn make it a lot harder for retailers to get off with a simple, “oops, sorry!” the next time they don’t adequately protect customer financial data.

“Retail Data Breach Liability Shield May Get Gutted” [StorefrontBacktalk via Wired Threat Level]
(Photo: Zach Klein)