A strong majority of courts across the United States, both federal and state, have taken a common stance when it comes to addressing data breaches related to customer financial information (i.e. name, address, social security number, credit card numbers, etc.). They have stated that the plaintiff’s who have had their personally identifiable information (or "PII") breached as a result of an unauthorized release, do have the proper "standing" (i.e. does the plaintiff have a claim capable of being redressed?) to be in court. However, most court’s refuse to allow the plaintiff’s to clear the next hurdle – what sort of "damages" has the plaintiff experienced as a result of the unauthorized release? (see Lalli v. Starbucks case). Statistics support a court’s refusal to allow a class action case to go forward. The Ponemon Institute says that only about 7% of consumers, in a financial-related data breach, experience some sort of actual damage, and monies set up in class action settlement funds rarely are claimed, mostly because the consumer/victim cannot show they meet the criteria for getting a claim of the award (i.e. see Veteran’s Administration Class Action Settlement).
Now, in a follow up to a class action case that I’ve been following, a federal judge in Maine has asked the state’s Supreme Court to clarify whether consumers can seek restitution from merchants for the time and effort involved in changing payment cards and bank accounts after a data breach. The case of In re Hannaford Bros. dealt with a data intrusion where 4.2 million credit and debit cards were stolen from the East Coast grocery store giant. In May, U.S. District Court Judge Brock Hornby threw out almost all of the civil claims against Hannaford stating that consumers who experience no fraudulent charges posted to their financial accounts are unable to recover damages under Maine Law. In reversing his May decision, Judge Hornby states that the Maine court should be allowed time to determine whether such damages constitutes a cognizable injury under state law. A favorable ruling by the Maine Supreme Court could help consumers clear the "damages" hurdle, and move towards the more substantive issue of data breaches – namely, what is the standard of care for safeguarding data?
(An article by Jaikumar Vijayan, of Computerworld, was used as a reference for writing this entry)