Breach, Data Security

Court says Hannaford breach lawsuit doesn’t meet standards of class-action

A Maine judge has denied class-action certification to plaintiffs affected by the 2008 breach of the Hannaford Bros. grocery chain.

U.S. District Court judge D. Brock Hornby ruled that the plaintiffs failed to prove how much in out-of-pocket expenses they spent to protect themselves from fraud as a result of the breach. This is the lone remaining lawsuit filed against Hannaford over the breach, in which hackers stole 4.2 million debit and credit card card numbers from the Scarborough, Maine-based company's computer systems, resulting in at least 1,800 incidences of fraud. 

According to documents, Hornby said that the plaintiffs' failure to have an expert verify their damages was a “fatal” flaw in their arguments for class-action certification, which would have allowed members to collectively bring a claim against a defendant and possibly reap a bigger reward.

“I conclude that their lack of an expert opinion on their ability to prove total damages to the jury is fatal,” Hornby wrote. “Without an expert, they cannot prove total damages, and the alternative (which even they do not advocate) is a trial involving individual issues for each class member as to what happened to his/her data and account, what he/she did about it, and why.”

Mark Szpak, a partner at the Boston office of Ropes & Gray law firm, told that the case illustrates courts' reluctance to hastily approve class-action certification without substantial proof from plaintiffs.

“This is a continuation of a trend that we've seen in class-action [cases] in a lot of areas, and now we see it playing out in the cyber [realm] as well,” Szpak said. “Plaintiffs have to be able to demonstrate at certification stage that they have a workable theory of damages and proof…I think this ruling will put a lot of pressure on plaintiffs to consider getting an expert early in the case, [though] getting an expert alone is just a step along the way.”

Richard Bortnick, an attorney at the Philadelphia office of Cozen O'Connor law firm, said recently issued Securities and Exchange Commission (SEC) rules have served as the largest driver for companies to get their security priorities in order, not the threat of lawsuits.

In 2011, the SEC issued requirements stating that companies must disclose known or potential cyber incidents “if these issues are among the most significant factors that make an investment in the company speculative or risky,” the guidance says.  

“I think that has incentivized companies far more than litigation or even the threat of a breach,” Bortnick said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.