In Re Hannaford Bros. Co. Customer Data Security Breach Litigation

2010 ME 93, 4 A.3d 492, 2010 Me. LEXIS 97, 2010 WL 3633731

• Court: Supreme Judicial Court of Maine
• Decided: September 21, 2010
• Docket: Docket: Fed-09-586
• Status: Published

Opinion

JABAR, J.

[¶ 1] The United States District Court for the District of Maine (Hornby, J.), acting pursuant to 4 M.R.S. § 57 (2009) and M.R.App. P. 25, has certified two questions of state law to this Court for review. These questions arise from a mul-ti-count complaint filed against Hannaford Bros. Co. by customers whose financial information was stolen during a breach of Hannaford’s computer system and who expended time and effort to identify and remediate fraudulent charges on their credit and debit card accounts. The questions certified are:

(1) “In the absence of physical harm or economic loss or identity theft, do time and effort alone, spent in a reasonable effort to avoid or remediate reasonably foreseeable harm, constitute a cognizable injury for which damages may be recovered under Maine law of negligence and/or implied contract?”

(2) “If the answer to question # 1 is yes under a negligence claim and no under an implied contract claim, can a plaintiff suing for negligence recover damages under Maine law for purely economic harm absent personal injury, physical harm to property, or misrepresentation?”

We answer the federal court’s first question in the negative and accordingly do not address the second question.

I. CASE HISTORY

[¶ 2] Between December 2007 and March 2008, data thieves breached Hanna-ford’s computer system and stole up to 4.2 million debit and credit card numbers, expiration dates, security codes, PINs, and other information belonging to customers who had used Hannaford’s electronic payment processing services. Visa, Inc., notified Hannaford of the breach in late February of 2008. Hannaford discovered the means of the thieves’ access on March 8, 2008, contained it, notified financial institutions on March 10, 2008, and publicly disclosed the breach on March 17, 2008.

[¶ 3] Due to the data theft, a number of Hannaford customers initially experienced fraudulent and unauthorized charges on their credit card accounts or bank accounts. These customers expended time and effort identifying the fraudulent charges and convincing their banks and credit card companies that the charges should be reversed. By October 10, 2008, when a group of twenty-one representative plaintiffs filed a complaint in the United States District Court for the District of Maine, only one named plaintiff had outstanding fraudulent charges on her account. The other named plaintiffs had already been reimbursed by their banks or credit card companies.

[¶ 4] The plaintiffs’ complaint alleged breach of implied contract (Count 1), breach of implied warranty (Count 2), breach of a confidential relationship (Count 3), failure to advise customers of the data theft (Count 4), strict liability (Count 5), negligence (Count 6), and unfair trade practices (Count 7). The plaintiffs sought damages to compensate them for the expenditure of time and effort necessary to remedy the disruption of their financial affairs and for various fees, charges, and lost reward points.

[¶ 5] Hannaford filed a motion to dismiss the plaintiffs’ consolidated complaint for failure to state a claim upon which relief may be granted, pursuant to Fed. R.Civ.P. 12(b)(6). After a hearing, the court granted the motion to dismiss in part and denied it in part. In re Hannaford Bros. Co. Customer Data See. Breach Litig., 613 F.Supp.2d 108, 136 (D.Me.2009). The court dismissed Counts 2, 3, 4, and 5 as to all plaintiffs. Id. at 119-26, 136. For the remaining counts, the court determined that dismissal was dependent upon whether the plaintiffs had suffered an injury for which Maine law would grant relief. Id. at 131.

[¶ 6] To make this determination, the court identified three categories of plaintiffs: (1) those who had never experienced a fraudulent charge; (2) the sole plaintiff who still had outstanding fraudulent charges; and (3) those who had fraudulent charges that had been reversed. Id. at 131-35. Citing numerous data-breach cases from other jurisdictions, the court determined that the first category of plaintiffs experienced only a risk of injury and therefore had no recoverable damages. Id. at 131-33. For the plaintiff in the second category, the court found that the fraudulent charges on her account were a cognizable injury. Id. at 133. Finally, the court found that for those plaintiffs who had already been reimbursed, their claims for various consequential losses, such as the loss of accumulated reward points and the time spent identifying and persuading financial institutions to reverse fraudulent charges, failed because the losses were “too remote, not reasonably foreseeable, and/or speculative.” Id. at 134. Specifically, the court concluded that there was “no way to value and recompense ... time and effort,” noting that “[tjhose are the ordinary frustrations and inconveniences that everyone confronts in daily life with or without fraud or negligence.” Id.

[¶ 7] Based on this reasoning, the court granted Hannaford’s motion to dismiss the claims of all the plaintiffs except Counts 1, 6, and 7 made by the plaintiff with recoverable damages. Id. at 136. However, after the court’s ruling, the remaining plaintiffs bank fully reimbursed all contested charges. In re Hannaford Bros. Co. Customer Data Sec. Breach Litig., 660 F.Supp.2d 94, 97 (D.Me.2009). The parties filed a stipulation to this effect with the court, effectively ending the litigation. Id. Shortly thereafter, the plaintiffs moved for reconsideration and for certification of questions of law to this Court. Id. Relying on the Restatement (Second) of Torts § 919 (1979), the plaintiffs asserted that time and effort expended to avoid or remediate harm from fraudulent charges was a cognizable loss, regardless of whether they suffered other losses. In re Hannaford Bros. Co. Customer Data Sec. Breach Litig., 660 F.Supp.2d at 101. The court agreed that Maine law regarding recoverability of damages for time and effort alone was uncertain and, as a result, it certified the first question. See In re Hannaford Bros. Co. Customer Data Sec. Breach Litig., 671 F.Supp.2d 198, 201 (D.Me.2009). Because, depending upon our answer to the first question, the economic loss doctrine would be dispositive of the plaintiffs’ claim, the court also certified a second question to be answered if we concluded that time and effort alone was a cognizable injury only under Maine law of negligence. See id. The court stayed further briefing on the motion for reconsideration pending an answer from us on the certified questions. In re Hannaford Bros. Co. Customer Data Sec. Breach Litig., 660 F.Supp.2d at 103.

II. DISCUSSION

[¶ 8] The plaintiffs here have suffered no physical harm, economic loss, or identity theft. As the federal district court recognized, actual injury or damage is an element of both negligence and breach of contract claims. See Estate of Cilley v. Lane, 2009 ME 133, ¶ 10, 985 A.2d 481, 485; Me. Energy Recovery Co. v. United Steel Structures, Inc., 1999 ME 31, ¶ 7, 724 A.2d 1248, 1250. We, therefore, are asked to determine whether time and effort alone, spent in a reasonable effort to avoid reasonably foreseeable harm, is a cognizable injury under Maine law of negligence or implied contract. We conclude that it is not.

A. Recovery for Time and Effort in Negligence

[¶ 9] The tort of negligence does not compensate individuals for the typical annoyances or inconveniences that are a part of everyday life. See W. Page Keeton et al., Prosser & Keeton on the Law of Torts § 30, at 165 (W. Page Keeton ed., 5th ed. 1984) (“Negligent conduct in itself is not such an interference with the interests of the world at large that there is any right to complain of it, or to be free from it, except in the case of some individual whose interests have suffered.”). Liability in negligence, therefore, ordinarily requires proof of personal injury or property damage. See Simmons, Zillman & Gregory, Maine Tort Law § 19.02 at 19-8 to 19-11 (2004 ed.). An individual’s time, alone, is not legally protected from the negligence of others. 1

[¶ 10] When personal injury is established, loss of time is a cognizable harm as it is related to loss of earning capacity or wages. See, e.g., Snow v. Villacci, 2000 ME 127, ¶¶ 9-12, 754 A.2d 360, 363-64; Fotter v. Butler, 145 Me. 266, 272, 75 A.2d 160, 163 (1950). Similar types of financial recovery are permissible in connection with property damage. See Walters v. Petrolane-Ne. Gas Serv., Inc., 425 A.2d 968, 973-74 (Me.1981) (approving damages for harm to property and lost profits in a negligence action). In each of these cases, because the time in question could be assigned a value reflecting a loss of earnings or earning opportunities resulting from personal injury or property damage, loss of time was a harm cognizable in negligence. See Snow, 2000 ME 127, ¶¶ 9-12, 754 A.2d at 363-64; Fotter, 145 Me. at 272, 75 A.2d at 163.

[¶ 11] Our case law, therefore, does not recognize the expenditure of time and effort alone as a harm. The plaintiffs contend that because their time and effort represented reasonable efforts to avoid reasonably foreseeable harm, it is compen-sable. However, we do not attach such significance to mitigation efforts.

[¶ 12] The doctrine of mitigation of damages, or avoidable consequences, encourages plaintiffs to take reasonable steps to minimize losses caused by a defendant’s negligence by prohibiting recovery for any damages that the plaintiff could reasonably have avoided. See Walter v. Wal-Mart Stores, Inc., 2000 ME 63, ¶ 24, 748 A.2d 961, 970. A corollary of the mitigation doctrine permits the plaintiff to recover for costs and harms incurred during a reasonable effort to mitigate. See Marchesseault v. Jackson, 611 A.2d 95, 99 (Me.1992); Restatement (Second) of Torts § 919(1) (1979); 2 Dan B. Dobbs, Law of Remedies § 3.9 (2d ed.1993). However, it must still be established that the time and effort expended constitute a legal injury rather than an inconvenience or annoyance.

[¶ 13] Unless the plaintiffs’ loss of time reflects a corresponding loss of earnings or earning opportunities, it is not a cognizable injury under Maine law of negligence. See Snow, 2000 ME 127, ¶¶ 9-12, 754 A.2d at 363-64. The cases cited by the plaintiffs do not compel a contrary conclusion. In many of those cases, the party seeking recovery for time and effort expended had alleged at least one claim of intentional tort. See Craddock v. Jones, 143 So. 529, 531 (La.Ct.App.1932); McDonald v. North, 47 Barb. 530 (N.Y.Sup.Ct.1867); Bennett v. Lockwood & Carter, 20 Wend. 223, 224 (N.Y.Sup.Ct.1838); EMC Mortg. Corp. v. Jones, 252 S.W.3d 857, 868-69, 871, 872 (Tex.Ct.App.2008). Because liability is often more extensive in cases of intentional torts than those in negligence, intentional tort eases recognizing recovery for time and effort have little bearing on our analysis. Cf. Picher v. Roman Catholic Bishop of Portland, 2009 ME 67, ¶¶ 9-10, 29, 974 A.2d 286, 290, 295 (noting, in the context of a charitable immunity analysis, that recovery for intentional torts may be broader than it is for negligence claims); Garland v. Roy, 2009 ME 86, ¶ 26, 976 A.2d 940, 948. In other cases, a passing mention of loss of time without adequate facts to demonstrate how those damages were being measured is insufficient to persuade us that the expenditure of time and effort alone is a harm recoverable in negligence. See Kuhn v. Capital One Fin. Corp., No. 05-P-810, 2006 WL 3007931, at *3 (Mass.App.Ct. Oct. 23, 2006); Freeman v. Missouri Pac. Ry. Co., 101 Kan. 516, 167 P. 1062, 1063-65 (1917).

[¶ 14] Contrary to the plaintiffs’ contention, our case law does not recognize time and effort as a compensable injury in the context of the plaintiffs’ negligence claim. We decline to expand recovery in negligence in these circumstances.

B. Recovery for Time and Effort in Contract

[¶ 15] Not every consequence of a breach of contract is a cognizable injury. See Rubin v. Matthews Int’l Corp., 503 A.2d 694, 696 (Me.1986); see also Cherny v. Emigrant Bank, 604 F.Supp.2d 605, 609 (S.D.N.Y.2009) (concluding that the receipt of unwanted spam after the plaintiffs personal e-mail address was disclosed did not constitute compensa-ble harm). Generally, contract damages are more restricted than compensatory damages for a tort. Stull v. First Am. Title Ins. Co., 2000 ME 21, ¶ 17, 745 A.2d 975, 981. For example, emotional distress suffered as a result of breach of contract is ordinarily not recoverable unless it is accompanied by physical injury or it results in serious emotional disturbance due to the nature of the contract. Marquis v. Farm Family Mut. Ins. Co., 628 A.2d 644, 651 (Me.1993); Rubin, 503 A.2d at 696-98; cf. Gayer v. Bath Iron Works Corp., 687 A.2d 617, 621 n. 3 (Me.1996) (listing specific types of contracts for which emotional distress damages may be available).

[¶ 16] As the federal district court pointed out, the time and effort expended by the plaintiffs here represent “the ordinary frustrations and inconveniences that everyone confronts in daily life.” In re Hannaford Bros. Co. Customer Data Sec. Breach Litig., 613 F.Supp.2d at 134. Accordingly, we conclude that the expenditure of time and effort alone does not represent a cognizable injury recoverable in implied contract.

The entry is:

We answer certified question (1): “No, Maine law of negligence and implied contract does not recognize time and effort alone, spent in a reasonable effort to avoid or remediate reasonably foreseeable harm, as a cognizable injury in the absence of physical harm or economic loss or identity theft.” We do not address certified question (2).

1 . Some torts do recognize a remedy for loss of time without corresponding personal or property damage. These include nuisance, see Brown v. Watson, 47 Me. 161, 163 (1859); see also Eaton v. Cormier, 2000 ME 65, ¶ 5, 748 A.2d 1006, 1008 (explaining that compensation for inconvenience is recoverable in nuisance); false imprisonment, see Prentiss v. Shaw, 56 Me. 427, 431, 435 (1869); and abuse of process, see Simmons, Zillman & Gregory, Maine Tort Law § 3.06 at 3-11 (2004 ed.).

2 . Section 919(1) states: "One whose legally protected interests have been endangered by the tortious conduct of another is entitled to recover for expenditures reasonably made or harm suffered in a reasonable effort to avert the harm threatened." Restatement (Second) of Torts § 919(1) (1979).