In late 2007, Hannaford Supermarkets suffered one of the nation's largest credit and debit card breaches to date. Millions of card numbers were exposed and thousands of fraudulent charges were made. The thieves went beyond the common database attacks and installed "sniffers" that intercepted customers' credit and debit card data in real time. Following the breach announcement, several civil cases were filed and consolidated into a class-action lawsuit adjudicated in the U.S. District Court for the District of Maine, where it was initially held that a showing of injury-in-fact was lacking for all plaintiffs except for customers who sought reimbursement for the unreimbursed fraudulent charges. This is a common and expected outcome because the harm that is claimed in data breach cases is often the fear of future harm, which courts don't recognize.


What is privacy harm? Stanford Center for Internet and Society Director of Consumer Privacy Ryan Calo provides a framework for understanding harm in his article "The Boundaries of Privacy Harm," where he describes the subjective and objective categories of privacy harm. Calo describes these two privacy harm categories as "unwanted perception of observation" (subjective) and "unanticipated or coerced use of information concerning a person against that person" (objective). This conception of harm separates feelings of apprehension and vulnerability from the more easily defined actions that use personal information to inflict harm. Courts find that many data breach claims lack concrete or particularized harm. For courts to recognize harm in this context, a plaintiff must show that the injury or threat of injury is both real and immediate and not conjectural or hypothetical.


The Hannaford case was appealed to the U.S. Court of Appeals for the First Circuit and the opinion was published on October 20, 2011, in Anderson v. Hannaford Bros. Co., Nos. 10-2384, 10-2450 (1st Cir. 10/20/11). The U.S. Court of Appeals reversed the trial court's dismissal of the negligence and breach of implied contract claims, reasoning that some of the damages claimed were based on reasonable mitigation efforts, and those efforts constituted a legal injury. The court cited the Restatement (Second) of Torts Section 919, which allows recovery for "expenditures reasonably made or harm suffered in a reasonable effort to avert the harm threatened." The harm claimed under negligence and breach of implied contract theories was distinguished from the harm claimed in other data breach cases. Two factors seem to have persuaded the court that this data breach was different:


  • There was actual misuse of the credit and debit card data lost in the data breach.

  • The data was not lost in a passive way; it was lost because a thief penetrated the company security and extracted the data for the purpose of exploiting its value.


It’s worth looking at these factors in more depth because it will provide further insight into how broadly this case may be applied in the future.


First, the actual misuse of the data in the Hannaford case is critical. Many cases where credit cards were lost claim harm, but the harm is based on the risk of future misuse of the information, not actual misuse of the information; e.g., Pisciotta v. Old Nat'l Bancorp, 499 F.3d 629 (7th Cir. 2007) and Hendricks v. DSW Shoe Warehouse Inc., 444 F. Supp. 2d 775 (W.D. Mich. 2006). Where there is actual misuse, the court found it reasonable for customers to spend money purchasing new credit/debit cards and insurance or monitoring products to mitigate the costs of data theft. The reliance on objective expenditures is significant. Quantifying the harm of apprehension and feelings of vulnerability is much more difficult than quantifying objective costs that were incurred as a reasonable reaction to the risk presented. For future plaintiffs, tying damage claims to objective costs is important for success. Plaintiffs' lawyers will advise their clients to purchase insurance or monitoring products to make mitigation damages more likely to succeed. For future defendants, portraying objective costs as unreasonable is probably the best defense. Lawyers defending companies that have suffered a data breach will advise their clients to offer free insurance or monitoring products to frustrate the plaintiffs' ability to claim cognizable harm.


Second, the nature of the loss in the Hannaford case is also critical to establishing cognizable harm. The court distinguished deliberate attempts to penetrate security systems from inadvertent losses, such as a lost laptop or backup tape. This may mean that inadvertent losses or even passive targeting may not give rise to liability for data holders. That kind of narrowness in determining reasonable mitigating expenditures is a signal that the court has not opened the floodgates.


In conclusion, it may be that for outlier situations, we will see cognizable damages in data breach cases, but the facts will likely need to resemble an all-out personal data extraction attack that results in fraudulent charges and customers reacting with mitigating expenditures. The takeaway from the Hannaford case, at this time, is that objectively measurable mitigation damages will be the focus of plaintiffs in future data breach cases. It remains to be seen whether this decision will change the data breach landscape. Keep an eye on this case, and keep an even closer eye on your privacy and data security practices so that you won't need to worry about the outcome.