
Could Retailers That Suffer Data Breaches be Facing Liability to Consumers?
November 03, 2009
by Michael Fleming


Any retailer that has been the target of a data breach that exposed consumer financial information has likely suffered a number of legal consequences, ranging from the costs of detecting and closing the leak to charges that might be owed to credit card systems and the costs of giving breach notices to affected consumers.

However, one cost has generally not fallen on the retailer – liability owed to the affected consumers. Courts have been reluctant to give damages to consumers, more or less on the grounds that the zero-liability programs offered by their credit card banks have left the consumers with little in hard-dollar losses.

However, the Maine courts are now pondering a question posed by a lawyer representing a class of consumers affected by the massive 2007-2008 breach at the Hannaford supermarket chain (primarily impacting consumers in New England). A trial court judge had earlier thrown out consumer claims, but upon reflection has apparently reconsidered the issue, and has now asked a narrow question of the Maine Supreme Court: "Do time and effort alone, spent in a reasonable effort to avert reasonably foreseeable harm, constitute a cognizable injury under Maine common law?"

The fact that the question is being asked does not mean the Maine courts will ultimately change their approach. However, retailers should be concerned that pressures from the consumer bar will continue in Maine and in all of the states, and that the risks of data breach losses as a whole are certainly not subsiding.

Obviously, any retailer that does not wish to be the next test case would do well to ensure that its systems are as up to date as possible. Good practices would include use of appropriate internal audits, use of outside security contractors, and a thorough review of business relationships and contracts with outside service providers. There is no guaranty that problems can be avoided, but the risks can be lowered by making data security a strategic part of any retail business plan.

- Michael Fleming is a member of the Larkin Hoffman Daly & Lindgren Ltd. Intellectual Property, Technology and Internet Practice.