Judge Tosses Most Supermarket Data Breach Claims

By | May 14, 2009

Only those customers who weren’t reimbursed for fraudulent charges may sue the Hannaford Bros. supermarket chain over a data breach that exposed 4.2 million credit and debit card numbers to computer hackers, a federal judge has ruled.

The decision by U.S. District Judge D. Brock Hornby dismissed all but one of the civil claims brought after the data breach was revealed in March 2008.

Between Dec. 7, 2007, and March 10, 2008, hackers accessed card numbers used at 165 Hannaford stores in the Northeast and 106 Sweetbay stores in Florida. At least 1,800 numbers were stolen and used for unauthorized purchases, Hannaford officials have said.

Electronic payment processing services for all the transactions took place in Maine, where Hannaford is headquartered. And lawyers agreed last month that Maine law should apply.

In his decision, Hornby state law allows consumers to recover damages “only if the merchant’s negligence caused a direct loss to the consumer’s account.”

“When a merchant is negligent in handling a customer’s electronic payment data and that negligence causes an unreimbursed fraudulent charge or debit against a customer’s account, the merchant is liable for that loss,” Hornby wrote. Not covered by state law, he wrote, were “collateral consequences.”

More than 20 lawsuits in Florida, Maine, New Hampshire, Massachusetts, New York and Vermont were consolidated into one case before Hornby. The judge’s decision tosses all complaints except one, from a Vermont woman who was not reimbursed for fraudulent charges.

The plaintiffs were critical of the way Hannaford handled the case. They say Hannaford learned on Feb. 27, 2008, that its system had been compromised and that Hannaford understood nature of the breach on March 8, but there was no public disclosure until March 17.

Hannaford was found to be in compliance with security standards required by the Payment Card Industry, a coalition founded by credit card companies.

Even though it met industry standards, Hannaford has reviewed its procedures and taken additional steps to ensure there’s no repeat of the data breach, said Mike Norton, a spokesman at Hannaford’s headquarters in Scarborough, outside Portland.

“We haven’t had an experience like this in our history and we really believe we have the right procedures in place so that it doesn’t happen again,” Norton said Wednesday.

Hannaford and Sweetwater, along with Food Lion, are owned by Belgian supermarket chain Delhaize America. Food Lion was not affected by the data breach.

Was this article valuable?

Here are more articles you may enjoy.