A federal judge on Tuesday dismissed nearly all of the civil claims filed against Hannaford Bros. for the supermarket giant’s alleged failure to protect and notify consumers during an electronic data breach in late 2007 and early 2008.
Judge D. Brock Hornby ruled that the only consumers who will be allowed to proceed with the lawsuit are those who were not reimbursed by their banks for the fraudulent charges on their accounts.
Consumers who were simply inconvenienced or claimed to have suffered distress because of the data breach have no legitimate claims in this case, Hornby said in a 39-page ruling filed Tuesday afternoon at U.S. District Court. Essentially, the ruling on Hannaford’s motion to dismiss makes it unlikely that any class-action lawsuit will move forward.
“There is no way to value and recompense the time and effort that consumers spent in reconstituting their bill-paying arrangements or talking to bank representatives to explain what charges were fraudulent,” Hornby wrote.
“Those are the ordinary frustrations and inconveniences that everyone confronts in daily life with or without fraud or negligence. Maine law requires that there be a way to attach a monetary value to a claimed loss. These fail that requirement.”
Between Dec. 7, 2007, and March 10, 2008, hackers stole credit and debit card numbers from people shopping at Hannaford supermarkets. The Scarborough-based grocery chain operates more than 200 stores under various names in New England, New York and Florida.
More than 4 million card numbers were exposed, and by the time Hannaford publicly announced the breach, on March 17, 2008, about 1,800 fraudulent charges had been made.
Plaintiffs from several states filed lawsuits against Hannaford. They sought damages for the loss of time and money dealing with the theft of personal information, and they also wanted Hannaford held liable for not publicly disclosing the security breach until at least three weeks after company officials learned about the problem.
The lawsuits were consolidated last summer into one complaint, with 21 plaintiffs, at U.S. District Court in Portland. Attorneys for the 21 plaintiffs had hoped that the group would become representatives for a much larger class of plaintiffs, possibly numbering in the millions.
But Hornby’s ruling on Tuesday tossed out the complaints of all but one plaintiff, Pamela Lamotte of Colchester, Vt. She was the only Hannaford shopper named in the complaint who claims to have suffered fraudulent charges that were not reversed by her bank.
The rest of the plaintiffs claimed a range of other damages, from emotional distress to incidental personal expenses dealing with compromised accounts.
Lamotte will be allowed to proceed with her suit against Hannaford for alleged breach of contract, negligence and violation of Maine’s Unfair Trade Policies Act.
Peter Murray, the lead attorney for the plaintiffs, had lobbied Hornby to break new legal ground in the case, because he said it demonstrates the growing vulnerability of consumers to personal data and identity theft.
Murray, who could not be reached for comment Tuesday, has said merchants need to be held liable for data breaches, regardless of whether banks agree to compensate victims.
“Credit card numbers and debit card numbers are like keys in the electronic age,” Murray said during an April 1 hearing on the motion to dismiss. “These keys are taken, and the customer doesn’t even know they’ve been taken.”
In his ruling, Hornby said his job was to apply Maine law to the complaint, not to expand upon it.
“The plaintiffs ask me to conclude that this new area of electronic data theft is rife with risk and damage, calling for a new common law remedy,” Hornby wrote. “Such an expansion of Maine law is for the Maine Law Court or the Legislature, not for me as a federal judge.”