STATE OF MAINE BUSINESS AND CONSUMER COURT CUMBERLAND, ss Location: Portland Docket No.: BCD-CV-{0- 9 ., J c_N- c u..tYJ ... ?J I tl.f(" -c1 '- ) DIGITAL FEDERAL CREDIT UNION, ) ) Plaintiff, ) ) DECISION AND ORDER V. ) (Motion to Report and Duty Issue) ) HANNAFORD BROTHERS COMPANY, ) ) Defendant ) )
Pursuant to M.R. App. P. 24(c), Defendant Hannaford Brothers Co. (Hannaford) moves
to report two issues to the Law Court:
Can a plaintiff recover purely economic losses in negligence when the plaintiff has suffered no physical harm to person or property?
Must an issuing bank's negligent misrepresentation claim against a merchant in a data breach case fail as a matter of law when the only representation alleged is the mere acceptance of an electronic payment card?
(M. Report 1.) Hannaford seeks a report following the Court's October 27, 2011, summary
judgment order (hereinafter, "Order") in which the Court 1) declined to adopt the economic loss
doctrine, allowing Plaintiff Digital Federal Credit Union's (DFCU) negligence claim to proceed;
and 2) concluded that issues of material fact precluded the entry of judgment on DFCU's
negligent misrepresentation claim. (Order 11-12.)
Although the Court did not adopt or apply the economic loss doctrine, the Court
determined that the summary judgment record generated an issue as to whether Hannaford owed
a duty as alleged by DFCU.
1 PFCU alleges that Hannaford
had a duty to exercise reasonable care in the handling and safeguarding of cardholder information when it engaged in the card transactions with their customer and their banks. This duty included reasonable care in gathering and maintaining the information to prevent unauthorized access, possession, and/or misuse of the information.
(Amend. Compl. ~ 30.) Because the parties had not directly addressed the duty issue, 1 after the
Court issued the order on Hannaford's motion for summary judgment, the Court requested that
the parties brief the issue of whether Hannaford owed DFCU a duty of care.Z
Duty of Care
Duty "involves the question of whether the defendant is under any obligation for the
benefit of the particular plaintiff." Searles v. Trs. of St. Joseph's Colt., 1997 ME 128, ~ 5, 695
A.2d 1206 (quotation marks omitted). "In a tort analysis, the duty is always the same - to
conform to the legal standard of reasonable conduct in the light of the apparent risk." Alexander
v. Mitchell, 2007 ME 108, ~ 15,930 A.2d 1016 (quotation marks omitted). Both the existence of
a duty of care and the scope of that duty are questions of law. See id. ~ 14.
Duty initially focuses on the foreseeability of risk. "The common-law test of duty is the
probability or foreseeability of injury to the plaintiff. The risk reasonably to be perceived within
the range of apprehension delineates the duty to be performed and the scope thereof." Fortin v.
Roman Catholic Bishop of Portland, 2005 ME 57,~ 75, 871 A.2d 1208 (quoting Brewer v.
Roosevelt Motor Lodge, 295 A.2d 647,651 (Me. 1972)).
[A] court's task-in determining "duty"-is not to decide whether a particular plaintiff's injury was reasonably foreseeable in light of a particular defendant's conduct, but rather to evaluate more generally whether the category of negligent
1 For the purposes of summary judgment motion only, the parties presumed that Hannaford was negligent in allowing customers' data information to be accessed by unauthorized third parties. 2 The Court requested briefing on the duty issue prior to oral argument on the motion to report. The Court allowed subsequent briefing on the particular policy considerations implicated by the duty advocated by DFCU.
2 conduct at issue is sufficiently likely to result in the kind of harm experienced that liability may appropriately be imposed on the negligent party.
Cameron v. Pepin, 610 A.2d 279, 282 (Me. 1992) (quoting Thing v. La Chusa, 771 P.2d 814,
819 n.3 (Cal. 1989)).
Foreseeability, however, is not the only inquiry. See Cameron, 610 A.2d at 282. The
determination of whether a duty exists also requires a balancing of relevant policy
considerations. See Flanders v. Cooper, 1998 ME 28, ~ 4, 706 A.2d 589. When faced with a
party arguing for recognition of a new duty of care, the Law Court has explained that "[i]n the
decision of whether or not there is a duty, many factors interplay: the hand of history, our ideals
of morals and justice, the convenience of administration of the rule, and social ideas as to where
the loss should fall." Trusiani v. Cumberland & York Distribs., Inc., 538 A.2d 258, 261 (Me.
1988) (quoting William Prosser, Palsgraf Revisited, 52 MICH. L. REV. 1, 15 (1953)). "In the end
the court will decide whether there is a duty on the basis of the mores of the community always
keeping in mind the fact that we endeavor to make a rule in each case that will be practical and in
keeping with the general understanding of mankind." !d.
The pleadings and the summary judgment record establish that DFCU is a foreseeable
plaintiff insofar as DFCU's loss as an issuing bank is a foreseeable consequence of a data
security breach by a merchant such as Hannaford. In this case, therefore, the Court must
examine the pertinent policy considerations to determine whether a legal duty should be
imposed.
DFCU, relying on Sovereign Bank v. BJ's Wholesale Club, Inc., 395 F. Supp. 2d 183
(M.D. Pa. 2005), argues that the nature of the risk involved and foreseeability of the harm,
together with the public interest in holding parties responsible for their negligent conduct, weigh
in favor of recognizing a duty in this case. DFCU asserts that the Court's failure to recognize a
3 duty would result in a reduction of security measures for cardholders' data because a rational
merchant, without concern for the risk of loss, would not incur the cost of providing adequate
security for cardholder data. When a party creates a cognizable risk of harm, DFCU argues, it is
both fair and socially efficient to assign liability for the harm that reasonable precautions could
have avoided. See People Express Airlines, Inc. v. Consol. Rail Corp., 495 A.2d 107, 117-18
(N.J. 1985). DFCU maintains, therefore, that the imposition of liability upon Hannaford for
harm resulting from its lack of security precautions is fair because Hannaford is in the best
position to prevent the theft of the cardholder data. See Sovereign Bank, 395 F. Supp. 2d at 194.
Hannaford counters that the Court should not recognize a tort duty under the
circumstances of this case in part because the Visa system, of which DFCU is a member, has
created a contractual scheme designed to mitigate losses resulting from data theft: Account Data
Compromise Recovery, or ADCR. (See Supp. S.M.F. ' ' 22-33; Opp. S.M.F. ' ' 22-33.)
According to Hannaford, the allocation of risk contemplated by the participants in the system
should not be supplemented with a tort remedy because the consensual, interrelated, contractual
Free access — add to your briefcase to read the full text and ask questions with AI
STATE OF MAINE BUSINESS AND CONSUMER COURT CUMBERLAND, ss Location: Portland Docket No.: BCD-CV-{0- 9 ., J c_N- c u..tYJ ... ?J I tl.f(" -c1 '- ) DIGITAL FEDERAL CREDIT UNION, ) ) Plaintiff, ) ) DECISION AND ORDER V. ) (Motion to Report and Duty Issue) ) HANNAFORD BROTHERS COMPANY, ) ) Defendant ) )
Pursuant to M.R. App. P. 24(c), Defendant Hannaford Brothers Co. (Hannaford) moves
to report two issues to the Law Court:
Can a plaintiff recover purely economic losses in negligence when the plaintiff has suffered no physical harm to person or property?
Must an issuing bank's negligent misrepresentation claim against a merchant in a data breach case fail as a matter of law when the only representation alleged is the mere acceptance of an electronic payment card?
(M. Report 1.) Hannaford seeks a report following the Court's October 27, 2011, summary
judgment order (hereinafter, "Order") in which the Court 1) declined to adopt the economic loss
doctrine, allowing Plaintiff Digital Federal Credit Union's (DFCU) negligence claim to proceed;
and 2) concluded that issues of material fact precluded the entry of judgment on DFCU's
negligent misrepresentation claim. (Order 11-12.)
Although the Court did not adopt or apply the economic loss doctrine, the Court
determined that the summary judgment record generated an issue as to whether Hannaford owed
a duty as alleged by DFCU.
1 PFCU alleges that Hannaford
had a duty to exercise reasonable care in the handling and safeguarding of cardholder information when it engaged in the card transactions with their customer and their banks. This duty included reasonable care in gathering and maintaining the information to prevent unauthorized access, possession, and/or misuse of the information.
(Amend. Compl. ~ 30.) Because the parties had not directly addressed the duty issue, 1 after the
Court issued the order on Hannaford's motion for summary judgment, the Court requested that
the parties brief the issue of whether Hannaford owed DFCU a duty of care.Z
Duty of Care
Duty "involves the question of whether the defendant is under any obligation for the
benefit of the particular plaintiff." Searles v. Trs. of St. Joseph's Colt., 1997 ME 128, ~ 5, 695
A.2d 1206 (quotation marks omitted). "In a tort analysis, the duty is always the same - to
conform to the legal standard of reasonable conduct in the light of the apparent risk." Alexander
v. Mitchell, 2007 ME 108, ~ 15,930 A.2d 1016 (quotation marks omitted). Both the existence of
a duty of care and the scope of that duty are questions of law. See id. ~ 14.
Duty initially focuses on the foreseeability of risk. "The common-law test of duty is the
probability or foreseeability of injury to the plaintiff. The risk reasonably to be perceived within
the range of apprehension delineates the duty to be performed and the scope thereof." Fortin v.
Roman Catholic Bishop of Portland, 2005 ME 57,~ 75, 871 A.2d 1208 (quoting Brewer v.
Roosevelt Motor Lodge, 295 A.2d 647,651 (Me. 1972)).
[A] court's task-in determining "duty"-is not to decide whether a particular plaintiff's injury was reasonably foreseeable in light of a particular defendant's conduct, but rather to evaluate more generally whether the category of negligent
1 For the purposes of summary judgment motion only, the parties presumed that Hannaford was negligent in allowing customers' data information to be accessed by unauthorized third parties. 2 The Court requested briefing on the duty issue prior to oral argument on the motion to report. The Court allowed subsequent briefing on the particular policy considerations implicated by the duty advocated by DFCU.
2 conduct at issue is sufficiently likely to result in the kind of harm experienced that liability may appropriately be imposed on the negligent party.
Cameron v. Pepin, 610 A.2d 279, 282 (Me. 1992) (quoting Thing v. La Chusa, 771 P.2d 814,
819 n.3 (Cal. 1989)).
Foreseeability, however, is not the only inquiry. See Cameron, 610 A.2d at 282. The
determination of whether a duty exists also requires a balancing of relevant policy
considerations. See Flanders v. Cooper, 1998 ME 28, ~ 4, 706 A.2d 589. When faced with a
party arguing for recognition of a new duty of care, the Law Court has explained that "[i]n the
decision of whether or not there is a duty, many factors interplay: the hand of history, our ideals
of morals and justice, the convenience of administration of the rule, and social ideas as to where
the loss should fall." Trusiani v. Cumberland & York Distribs., Inc., 538 A.2d 258, 261 (Me.
1988) (quoting William Prosser, Palsgraf Revisited, 52 MICH. L. REV. 1, 15 (1953)). "In the end
the court will decide whether there is a duty on the basis of the mores of the community always
keeping in mind the fact that we endeavor to make a rule in each case that will be practical and in
keeping with the general understanding of mankind." !d.
The pleadings and the summary judgment record establish that DFCU is a foreseeable
plaintiff insofar as DFCU's loss as an issuing bank is a foreseeable consequence of a data
security breach by a merchant such as Hannaford. In this case, therefore, the Court must
examine the pertinent policy considerations to determine whether a legal duty should be
imposed.
DFCU, relying on Sovereign Bank v. BJ's Wholesale Club, Inc., 395 F. Supp. 2d 183
(M.D. Pa. 2005), argues that the nature of the risk involved and foreseeability of the harm,
together with the public interest in holding parties responsible for their negligent conduct, weigh
in favor of recognizing a duty in this case. DFCU asserts that the Court's failure to recognize a
3 duty would result in a reduction of security measures for cardholders' data because a rational
merchant, without concern for the risk of loss, would not incur the cost of providing adequate
security for cardholder data. When a party creates a cognizable risk of harm, DFCU argues, it is
both fair and socially efficient to assign liability for the harm that reasonable precautions could
have avoided. See People Express Airlines, Inc. v. Consol. Rail Corp., 495 A.2d 107, 117-18
(N.J. 1985). DFCU maintains, therefore, that the imposition of liability upon Hannaford for
harm resulting from its lack of security precautions is fair because Hannaford is in the best
position to prevent the theft of the cardholder data. See Sovereign Bank, 395 F. Supp. 2d at 194.
Hannaford counters that the Court should not recognize a tort duty under the
circumstances of this case in part because the Visa system, of which DFCU is a member, has
created a contractual scheme designed to mitigate losses resulting from data theft: Account Data
Compromise Recovery, or ADCR. (See Supp. S.M.F. ' ' 22-33; Opp. S.M.F. ' ' 22-33.)
According to Hannaford, the allocation of risk contemplated by the participants in the system
should not be supplemented with a tort remedy because the consensual, interrelated, contractual
remedy is a more just and efficient distribution of loss among sophisticated parties. Hannaford
maintains that the creation of a tort remedy for issuing banks against merchants for a data
security breach would fundamentally alter the parties' contractual relationships, and that the
recognition of a duty of care would impose potential liability on merchants out of proportion to
fault given that DFCU's proposed duty would apply equally to small merchants and large
enterprises. Hannaford also argues that because legislative bodies are better suited than courts to
gather information and weigh the competing interests of relevant stakeholders, courts should
defer to legislative bodies to assess all the considerations of shifting economic losses between
4 and among parties. See Barber Lines AJS v. MIV Donau Maru, 764 F.2d 50, 55 (1st Cir. 1985)
(Breyer, J.).
The parties present compelling arguments for the Court's consideration.4 In essence,
DFCU asks the Court to impose an extra-contractual duty upon merchants to issuing banks
participating in the Visa system. While Hannaford's position arguably immunizes culpable
parties from the losses that it and other merchants might cause for certain parties, DFCU's
position would impose potentially boundless liability iri tort and would likely fundamentally
restructure everyday consumer transactions.
The Court is mindful of the fact that the Law Court understandably scrutinizes and is
somewhat reticent to recognize new common law duties of care, see Estate of Cilley v. Lane,
2009 ME 133, ~~ 19-21, 985 A.2d 481, particularly when there is no direct relationship between
the parties, see Alexander v. Mitchell, 2007 ME 108, ~ 31,930 A.2d 1016; Flanders, 1998 ME
28, ~ 14,706 A.2d 589; Trusiani, 538 A.2d at 262-63. Consistent with this view, as explained
further below, the Court concludes that the relevant policy considerations militate against the
imposition of a duty upon a merchant for the benefit of an issuing bank for data security breach
under the circumstances of this case.
First, DFCU and other issuing banks agreed to the terms of the Visa system, presumably
with full knowledge of the terms of the agreement, including the way in which the risk of loss
was allocated among the various participants. (See Supp. S.M.F. ~~ 1-4, 22-33; Opp. S.M.F.
~~ 1-4, 22-33.) DFCU thus chose to manage the risk that it assumed, including the risk of a
potential breach of merchants' security systems, pursuant to the terms of the Visa agreement and
other contractual arrangements. Indeed, DFCU's alleged loss in this case is predicated on a
4 Both parties have consistently provided the Court with cogent arguments, written and oral, on the various legal issues presented in the case.
5 contractual arrangement with its cardholders to hold the cardholders harmless for fraudulent
transactions. (A.S.M.F. ~ 17; Reply S.M.F. ~ 17.) The nature and extent of the contractual
arrangements that govern each Visa transaction strongly suggest that the contractual obligations
of the parties to those contracts should govern, and that the imposition of a duty in tort is
unnecessary and potentially inconsistent with the terms of the parties' agreements. Moreover,
the Court is not persuaded by DFCU's argument that by not recognizing a duty in this case, the
Court would provide merchants with a disincentive to adopt adequate security measures to
protect cardholders' data. Merchants have many reasons, including consumer confidence and
potential liability directly to consumers for any breach, to protect cardholders' data.
In addition, because the scope of the duty urged by DFCU covers a number of situations
not presented to the Court in this case (e.g., theft of cardholder data by merchants' employees,
internet sales by merchants in Maine), the Court finds merit to the argument that the Legislature
is better suited to assess the various policy considerations that are relevant to the allocation of
responsibility between issuing banks and merchants for losses resulting from a data security
breach. See Barber Lines AIS, 764 F.2d at 55. In Maine, although the Legislature has mandated
that individuals and business entities that maintain computerized data of personalized
information must provide notice to Maine's residents of a security breach that results in the
possible misuse of that personalized information, see 10 M.R.S. § 1348 (2011), to date, the
Legislature has not imposed a duty upon merchants for the benefit of issuing banks. Cf. Estate of
Cilley, 2009 ME 133, ~ 19, 985 A.2d 481 (rejecting the creation of a new duty of care in a case
where the Legislature had declined to adopt criminal sanctions for the same activity).5
5 The Court is also reluctant to recognize a duty of care with potentially unlimited liability for merchants that honor major credit cards, regardless of the size of the merchants' businesses. See Trusiani, 538 A.2d at 261.
6 For the reasons articulated above, therefore, the Court declines to recognize the duty of
care asserted by DFCU. 6
Motion to Report
Because the Court has determined that Hannaford does not owe DFCU a duty of care as
alleged, the portion of the motion to report related to DFCU's negligence claim is moot, see
Halfway House v. City of Portland, 670 A.2d 1377, 1379-1380 (Me. 1996), and the only issue
remaining in Hannaford's motion relates to negligent misrepresentation. M.R. App. P. 24(c)
provides that
If the trial court is of the opinion that question of law involved in an interlocutory order or ruling made by it ought to be determined by the Law Court before any further proceedings are taken, it may on motion of the aggrieved party report the case to the Law Court for that purpose and stay all further proceedings except such as necessary to preserve the rights of the parties without making any decision.
A motion to report an interlocutory ruling is also subject to the requirements of a motion to
report by agreement: sufficient importance and doubt. See M.R. App. P. 24(a), (b); Toussaint v.
Perreault, 388 A.2d 918, 920 (Me. 1978); 3A Harvey, Maine Civil Practice § A24:4 at 194
(3d ed. 2011). Questions involving novel issues of law or upon which there is no statutory
guidance may meet the requirements for importance and doubt. See Liberty Ins. Underwriters,
Inc. v. Estate ofFaulkner, 2008 ME 149, ~ 7, 957 A .2d 94; Guardianship of /.H., 2003 ME 130,
~ 7, 834 A.2d 922. When there is "no serious dispute on the legal issue" or when an
interlocutory ruling "involve[s] only the resolution of a factual dispute between litigants,"
6 The Court recognizes that some of the same policy considerations might support extension of the economic loss doctrine to the circumstances of this case. The Court also acknowledges that the issue of duty and the principles of the economic loss doctrine are in many ways intertwined. Accordingly, one could argue that the Court has in essence applied the economic loss doctrine in this case. By focusing on the issue of duty, however, the Court's decision is limited to the facts of this case, is consistent with the Law Court's duty analysis, and does not apply the doctrine to circumstances beyond those discussed by the Law Court in Oceanside at Pine Point Condominium Owners Association v. Peachtree Doors, Inc., 659 A.2d 267 (Me. 1995).
7 however, a motion to report is inappropriate. Toussaint, 388 A.2d at 920. Further, issues that
can be resolved utilizing well-established rules of law are equally inappropriate for report. See
Depres v. Moyer, 2003 ME 41, ~ 14, 827 A.2d 61.
Unlike M.R. App. P. 24(a) and (b), a report pursuant to M.R. App. P. 24(c) does not
mandate that the answer to the reported question by the Law Court will fully dispose of the
action, although whether it will is a relevant consideration. See Meiners v. Aetna Cas. & Sur.
Co., 663 A.2d 6, 8 (Me. 1995); 3A Harvey, Maine Civil Practice § A24:4 at 194. Other
considerations include whether "the question raised on report is an issue that might not have to
be decided at all because of other possible dispositions," see State v. DiPeitro, 2009 ME 12,
~ 11, 964 A.2d 636, and whether the factual record is adequately developed such that the Law
Court can make a decision on the report, see 3A Harvey, Maine Civil Practice § A24:4 at 193.
Finally, the court must be convinced that the interests of justice and particularly the just, speedy
and inexpensive determination of the action will be served by the interlocutory determination.
See M.R. Civ. P. 1; Meiners, 663 A.2d at 7 (noting the parties argued the interlocutory report
would save the expense of fully litigating the matter).
The tort of negligent misrepresentation, as adopted by the Law Court, is as follows:
One who, in the course of his business, profession or employment, or in any other transaction in which he has a pecuniary interest, supplies false information for the guidance of others in their business transactions, is subject to liability for pecuniary loss caused to them by their justifiable reliance upon the information, if he fails to exercise reasonable care or competence in obtaining or communicating the information.
RESTATEMENT (SECOND) OF TORTS § 552(1) (1977); accord Chapman v. Rideout, 568 A.2d 829,
830 (Me. 1990) (adopting section 552(1) of the RESTATEMENT (SECOND) OF TORTS). The Court
denied summary judgment to Hannaford on DFCU's negligent misrepresentation claim because
the record presented issues of material fact on the "exact nature an extent of any representations
8 made to DFCU" and "regarding DFCU's reliance on any representations made by Hannaford and
whether that reliance was reasonable." (Order 12.) The relationship between Hannaford and
DFCU may be novel in negligent misrepresentation claims, but the legal principles are well
established. In addition, the issues of material fact that precluded summary judgment on this
claim weigh against reporting because in the Court's view the factual record is not adequately
developed. The Court is confident that when presented with a factually developed record, the
Court and/or a jury will be able to apply the facts to the established principles of negligent
misrepresentation.
Conclusion
Based on the foregoing analysis, the Court orders as follows:
1. The Court denies Hannaford's motion to report.
2. The Court enters judgment on Count I of Plaintiff Digital Federal Credit Union's
Complaint in favor of Hannaford.
Pursuant to M.R. Civ. P. 79(a), the Clerk shall incorporate this Decision and Order into
the docket by reference.
Dated: 1/tit J.._ 0 . '
J stice, Maine Business & Consumer Court
Ent~red on the Docket: J '/f --lfl Cop1es sent via Mall_ Electronically .M{" 9 CV-10-04 Digital Federal Credit Union v. Hannaford Bros. Co.
Local Counsel for Plaintiff:
Bernard Kubetz, Esq. Eaton Peabody 80 Exchange St. PO Box 1210 Bangor ME 04402
Out of State Counsel for Plaintiff:
Joseph DeBelder, Esq. Henrichsen Siegel, PLLC 1648 Osceola St Jacksonville FL 32204
Defense Counsel:
Clifford Ruprecht, Eq. Nolan Reichl, Esq. Pierce Atwood Merrills Wharf 254 Commercial St Portland ME 0401