Data Breach Costs: The Ongoing Hannaford Breach Saga.

The Hannaford Brothers data breach saga chugs along: The US Circuit Court of Appeals in Boston has deemed that plaintiffs can recover for claims of identity theft insurance and replacement card fees.

Previous posts regarding Hannaford can be found here and here.

If you’ll recall, in 2008 the supermarket chain Hannaford Brothers made a splash in the news when they admitted that over 4 million credit and debit card numbers were stolen.  This was later tied to the TJX hacking incident, both incidents being tied to the same hacker.  In both cases, not using proper encryption in the companies’ wireless network allowed the hackers in.

One thing to note about the Hannaford case is that only credit card numbers were stolen.  As such, in most (if not all) states, the incident is not classified as a data breach: other information, such as a last name, would be required for the data theft to become a data breach under the law — or, at least, to become a notifiable data breach..

Watershed Mark?

While I’m not a legal expert by any means, I’ve found out over the years that lawsuits brought forth by the victims of data breaches are invariably tossed out because there are no grounds for the lawsuits:

  • The fear of being victimized in the future is not grounds for winning cases.  Courts deal with damages that have happened, not damages that will happen (or might happen).

  • Fraudulent charges are made whole by the credit card companies, so there are no damages.

  • Lost time dealing with fixing one’s credit statement are not “recoverable.”

To the lower courts, their main role in such cases is ensuring that victims are “made whole.”  If there is nothing to be made whole, there is not much the courts can do.

However, the Court of Appeals notes in its latest ruling:

“Plaintiffs’ claims for identify theft insurance and replacement card fees involve actual financial losses from credit and debit card misuse,” a three-judge appeals court panel said in its Oct. 20 ruling. “Under Maine contract law, these financial losses are recoverable as mitigation damages as long as they are reasonable,” the court ruled in partly affirming and partly reversing a lower court ruling. []

Hannaford Bothers Data Breach Timeline

Seeing how the Hannaford case doesn’t show any signs of going away any time soon, I thought I’d create a timeline for future reference.

2007 – DEC – 07 Attack against Hannaford begins (
2008 – FEB – 27 Breach discovered (
2008 – MAR – 08 Incident discovered by Hannaford (
2008 – MAR – 10 Attack is contained (
2008 – MAR – 10 Major credit card associations given compromised card numbers (
2008 – MAR – 13 Card associations notify member banks of the compromised card numbers (
2008 – MAR – 17 Hannaford reports incident / makes announcement (
2008 – MAR – 19 First lawsuit against Hannaford is filed in Maine (
2009 – MAY – 12 All claims against Hannaford dismissed by Judge Hornby except for one (
2007 – DEC – 07 Attack against Hannaford begins (
2009 – OCT – 05 Judge Hornby files for input from Maine Supreme Judicial Court (
2011 – OCT – 20 United States Court of Appeals, First Circuit decides affected Hannaford customers have a valid
claim for identity theft insurance and credit card replacement fees

[ ]
[ ]
[ ]
[ ]
[ ]
[ ]

Related Articles and Sites:

Comments (0)

Let us know what you think