The Hannaford breach, which compromised nearly five million card accounts, came to light in March of 2008 and was estimated to have resulted in 1,800 cases of fraud, according to industry security experts.
In his decision, U.S. District Court Judge D. Brock Hornby expressed sympathy for consumers whose data were compromised but maintained that there was no place in current legal remedy for their claims.
"I merely conclude that under current Maine law, consumers whose payment data are stolen can recover against the merchant only if the merchant's negligence caused a direct loss to the consumer's account," Hornby wrote.
The decision is silent on any claims Hannaford might face from card issuers damaged by the breach. Currently, court records do not indicate any legal complaints have been filed by card issuers against the retailer for the card losses.
The Maine Credit Union League declined to comment on the decision.
"There is no way to value and recompense the time and effort that consumers spent in reconstituting their bill-paying arrangements or talking to bank representatives to explain what charges were fraudulent. Those are the ordinary frustrations and inconveniences that everyone confronts in daily life with or without fraud or negligence," Hornby wrote.
Card security experts familiar with the case highlighted that Hornby ruled against almost all the consumer cases on the grounds that the consumers' losses were made whole by their card issuers' "zero-loss" programs. Because they had been made whole, the judge reasoned, they had no damages for which they could pursue legal remedies. The zero-loss programs, in effect, protected Hannaford from the consequences of not protecting card data, and thus reduced the incentive to put stronger security into place.
Judge Hornby rejected all but one of the claims brought by 21 plaintiffs against the Portland, Maine-based chain of more than 200 stores in three states. The one complaint that survived was that of a woman who had not been compensated for her card loss.
The judge recognized that his decision would touch on ongoing payments issues but kept his own decision very narrow. "Recurrent reports about breaches of electronic data systems - of governmental agencies, the nation's utility grid, merchants or other institutions - have generated increased apprehension, as consumers learn that the convenient card-based alternatives to cash turn out to have their own risks," Hornby wrote. "This is not the first lawsuit over who bears the risk of electronic data theft, and it certainly will not be the last."
However, the judge refused to offer an opinion as to whether the Maine legislature or Congress should pass laws providing for increased consumer protection. "Such a decision involves complex arguments regarding the adequacy of current consumer protection, efficient risk allocation, the economics of doing business, and the efficacy of lawsuits as a way to resolve such issues," Hornby added. "Nor do I determine whether the Maine Law Court should develop Maine common law to address these issues differently."