Is the legal tide turning for consumers whose personal online information is hacked? Data security breaches are becoming more common, but until recently, consumers have been largely unsuccessful in suing companies where their personal information was exposed. In fact, most courts have dismissed these suits even before they get to trial. The courts’ basic legal theory has been “no harm, no foul.” So long as consumers’ accounts were reimbursed for any fraudulent charges resulting from the hacking, their other related costs resulting from the inconvenience were not recoverable.
Recent court decisions suggest a change in the tide. Last month the United States Court of Appeals for the First Circuit (which includes Maine) overturned the lower court’s dismissal of a suit against Hannaford Bros., from which hackers stole up to 4.2 million credit and debit card numbers, leading to approximately 1,800 fraudulent charges on those accounts worldwide. The federal court ruled that consumers could recover money they spent on fees to replace their exposed credit and debit card accounts and to obtain identity theft insurance and credit monitoring services as reasonable “mitigation costs.”
Consumer mitigation costs were also recognized as a basis for compensation by the federal Ninth Circuit Court of Appeals last year in a case against Gap, Inc. Although the consumer failed to ask for compensation for his time and money spent on obtaining credit monitoring services, the court said that, had he requested it, it would have at least considered those costs as recoverable.
In a more novel approach, in April of this year, a federal district court in California declined to dismiss a consumer’s suit against Rockyou, Inc. The court tentatively recognized that the plaintiff had a “property right” in his personal information and that unauthorized exposure of that information “caused him to lose some ascertainable but unidentified ‘value’ and/or property right inherent in the [personal information].” Following the court’s ruling, Rockyou, Inc. agreed to pay the consumer and his attorney $292,000.00.
New statutes are also being enacted or considered for enactment at both the state and federal level. Massachusetts, Rhode Island, and Connecticut have enacted state legislation requiring companies to implement data security policies and measures to protect consumers’ personal information, subject to fines for failing to comply. Recently, a Massachusetts restaurant group was fined $110,000.00 for failing to take reasonable security measures to protect its customers’ credit card information. No fewer than seven proposed statutes have been introduced in Congress this year seeking to establish mandatory data security standards.
The First Circuit Court’s ruling in the Hannaford Bros. case is the most recent sign of a shift in the data security landscape. Companies that have been victimized by data security breaches have, until recently, largely been able to avoid liability, but this may no longer be the case. Companies are well advised to be prepared and put in place cyber-data security policies and practices to protect both their customers and themselves.
David McConnell and Joseph Talbot are attorneys at Perkins Thompson, P.A.