holding purchase of identity theft insurance in such circumstances reasonable in negligence contextSummary of this case from Katz v. Pershing, LLC
Nos. 10–2384 10–2450.
Peter L. Murray, with whom Thomas C. Newman, Nicole L. Bradick, Murray, Plumb & Murray, Lewis Saul, and Lewis Saul Associates were on brief, for appellants/cross-appellees.Clifford H. Ruprecht, with whom William J. Kayatta, Jr., Catherine R. Connors, Joshua D. Dunlap, and Pierce Atwood LLP were on brief, for appellees/cross-appellant.
Peter L. Murray, with whom Thomas C. Newman, Nicole L. Bradick, Murray, Plumb & Murray, Lewis Saul, and Lewis Saul Associates were on brief, for appellants/cross-appellees.Clifford H. Ruprecht, with whom William J. Kayatta, Jr., Catherine R. Connors, Joshua D. Dunlap, and Pierce Atwood LLP were on brief, for appellees/cross-appellant.
LYNCH, Chief Judge.
Plaintiffs appeal from the dismissal of their Maine state law claims arising out of the unauthorized use of their credit and debit card data after hackers breached the electronic payment processing system of defendant Hannaford Brothers Co., where plaintiffs had shopped for groceries and used those cards.
The district court determined that plaintiffs failed to state a claim under Maine law for breach of fiduciary duty, breach of implied warranty, strict liability, and failure to notify customers of the data breach. Although the district court concluded that the plaintiffs adequately alleged breach of implied contract, negligence, and violation of the unfair practices portion of the Maine
Unfair Trade Practices Act (UTPA), the district court dismissed those claims because it determined the plaintiffs' alleged injuries were too unforeseeable and speculative to be cognizable under Maine law. In re Hannaford Bros. Co. Customer Data Sec. Breach Litig., 613 F.Supp.2d 108 (D.Me.2009).
We affirm in part and reverse in part. We affirm the district court's dismissal of all claims other than the plaintiffs' negligence and implied contract claims. We reverse the district court's dismissal of the plaintiffs' negligence and implied contract claims as to certain categories of alleged damages because plaintiffs' reasonably foreseeable mitigation costs constitute a cognizable harm under Maine law.
The facts as alleged by plaintiffs in their consolidated putative class action complaint are as follows.
Hannaford is a national grocery chain whose electronic payment processing system was breached by hackers as early as December 7, 2007. The hackers stole up to 4.2 million credit and debit card numbers, expiration dates, and security codes, but did not steal customer names. On February 27, 2008, Visa Inc. notified Hannaford that Hannaford's system had been breached. Hannaford discovered the means of access on March 8, 2008, and contained the breach on March 10, 2008. Hannaford gave notice to certain financial institutions on March 10, 2008. On March 17, 2008, “Hannaford publicly announced for the first time that between December 7, 2007 and March 10, 2008, the security of its information technology systems had been breached, leading to the theft of as many as 4.2 million debit card and credit card numbers belonging to individuals who had made purchases at more than 270 of its stores.” It also announced “that it had already received reports of approximately 1,800 cases of fraud resulting from the theft of those numbers.” The unauthorized charges originated in locations across the globe, including New York, Spain, and France.
Defendants Hannaford and Kash N' Karry Food Stores, Inc. (Kash N' Karry) are wholly-owned subsidiaries of defendant Delhaize America, Inc. At the time of the breach, Hannaford provided electronic payment processing services to Kash N' Karry and to several independently owned stores. As provider of these services, Hannaford has agreed to assume the liability of Kash N' Karry, Delhaize, and any such independently owned stores. We refer to all of these entities as Hannaford.
The putative class period is from December 7, 2007 to March 10, 2008.
Following Hannaford's announcement, some financial institutions immediately cancelled customers' debit and credit cards and issued new cards, while others did not do so, telling the cardholder they wished to wait for evidence of unauthorized activity before taking action. Further, as alleged in the complaint, “financial institutions who did not immediately cancel customers' cards monitored customer accounts for unusual activity and cancelled cards immediately upon being aware of apparent fraudulent charges or attempts to make apparently fraudulent charges, in many cases, without the knowledge of the customer.” Additional “customers suffered unauthorized charges to their debit card and credit card accounts.” Moreover, “customers who requested that their cards be cancelled were required to pay fees to issuing banks for replacement cards” and “customers purchased identity theft insurance and credit monitoring services to protect themselves against possible consequences of the breach.”
The Judicial Panel on Multidistrict Litigation consolidated twenty-six separate suits against Hannaford arising out of the breach into one lawsuit in the District of Maine. The consolidated complaint alleged that at least fourteen of the named plaintiffs actually had unauthorized charges charged against their accounts. Seventeen of the named plaintiffs had their cards cancelled by the bank, and two named plaintiffs requested that their issuers give them replacement cards.
The plaintiffs alleged seven causes of action: (1) breach of implied contract; (2) breach of implied warranty; (3) breach of duty of a confidential relationship; (4) failure to advise customers of the theft of their data; (5) strict liability; (6) negligence; and (7) violation of the Maine UTPA. Plaintiffs sought damages as well as injunctive relief in the form of credit monitoring and notification of precisely what information was stolen. Hannaford moved to dismiss all claims, and the parties agreed that Maine law would govern the dispute.
Plaintiffs allege that Hannaford customers, including the plaintiffs, experienced more than the 1,800 unauthorized charges to their accounts which were known to Hannaford when it made its announcement on March 17. Plaintiffs also plead that they experienced several categories of losses said to be compensable damages for those plaintiffs who incurred them, including the cost of replacement card fees when the issuing bank declined to issue a replacement card to them, fees for accounts overdrawn by fraudulent charges, fees for altering pre-authorized payment arrangements, loss of accumulated reward points, inability to earn reward points during the transition to a new card, emotional distress, and time and effort spent reversing unauthorized charges and protecting against further fraud. In addition, they claim damages for the purchase of identity theft/card protection insurance and credit monitoring services.
In a carefully reasoned opinion, the district court granted Hannaford's motion to dismiss as to twenty of the twenty-one named plaintiffs. In re Hannaford, 613 F.Supp.2d 108 (D.Me.2009). The district court dismissed four of the plaintiffs' seven claims—breach of warranty, breach of fiduciary duty, failure to notify, and strict liability—after concluding that the plaintiffs had not alleged facts stating a basis for these claims under Maine law. The district court allowed the implied contract, negligence, and UTPA claims to proceed.
The district court held that plaintiff Pamela LaMotte could proceed beyond the pleading stage because she was the only plaintiff to allege unreimbursed fraudulent charges to her account. In re Hannaford Bros. Co. Customer Data Sec. Breach Litig., 613 F.Supp.2d 108, 133 (D.Me.2009). Shortly after the district court's opinion, however, LaMotte notified the court that her bank had reimbursed all unauthorized charges to her account. Because she no longer suffered any direct financial loss, the district court determined that her claim could no longer proceed. In re Hannaford Bros. Co. Customer Data Sec. Breach Litig., 671 F.Supp.2d 198, 199 (D.Me.2009).
For these three surviving claims, the district court concluded that dismissal depended on whether the plaintiffs' alleged injuries as pled were cognizable under Maine law. Id. at 131. To make this determination, the district court divided the plaintiffs into three categories. Id. at 131–35. The district court determined that the first category, composed of plaintiffs who did not have fraudulent charges posted to their accounts, could not recover because their claims for emotional distress are not cognizable under Maine law. Id. at 131–33. The district court concluded that the second category, composed of the single plaintiff whose fraudulent charges
had not been reimbursed, could recover for her actual financial losses. Id. at 133.
As to the third category, composed of plaintiffs whose fraudulent charges had been reimbursed, the district court determined that their alleged consequential losses were “too remote, not reasonably foreseeable, and/or speculative (and under the UTPA, not a ‘substantial injury’).” Id. at 134. In particular, the district court explained, the claimed overdraft fees, loss of accumulated reward points, and loss of opportunities to earn reward points were not foreseeable at the time of sale. Id. at 134–35. Further, the district court determined that there was no way to value or compensate the time and effort that consumers spent to reverse or protect against losses, and that there was no allegation to justify the claim for identity theft insurance since no personally identifying information was alleged to have been stolen. Id. As a result, the district court determined that this third category of plaintiffs could not recover.
Finally, the district court denied the plaintiffs' requested injunctive relief because the named plaintiffs had already cancelled their compromised cards. Id. at 135.
The plaintiffs moved to certify four questions: (1) whether an implied contractual term can be limited to reasonable care; (2) whether the use of credit and debit cards in merchant transactions creates a fiduciary duty; and whether time and effort alone constitute (3) cognizable injury under the common law; or (4) a substantial injury under the Maine UTPA. In re Hannaford Bros. Co. Customer Data Sec. Breach Litig., 660 F.Supp.2d 94, 98 (D.Me.2009). Hannaford asked the district court to certify a fifth question regarding the scope of the economic loss doctrine. Id. at 99. The district court concluded that Maine law was clear as to the first, second, and fourth questions, but not as to the third or fifth questions. Id.
(1) In the absence of physical harm or economic loss or identity theft, do time and effort alone, spent in a reasonable effort to avoid or remediate reasonably foreseeable harm, constitute a cognizable injury for which damages may be recovered under Maine law of negligence and/or implied contract?
(2) If the answer to question # 1 is yes under a negligence claim and no under an implied contract claim, can a plaintiff suing for negligence recover damages under Maine law for purely economic harm absent personal injury, physical harm to property, or misrepresentation? In re Hannaford Bros. Co. Customer Data Sec. Breach Litig., 671 F.Supp.2d 198, 201 (D.Me.2009). The Law Court accepted the certification and answered the first question in the negative, agreeing with the district court that time and effort alone do not constitute a cognizable harm under Maine Law. In re Hannaford Bros. Co. Customer Data Sec. Breach Litig., 4 A.3d 492, 498 (Me.2010). Observing that “[l]iability in negligence ... ordinarily requires proof of personal injury or property damage,” the Law Court declined to expand Maine negligence law by recognizing time and effort alone as a harm. Id. at 496. Similarly, the Law Court noted that “[n]ot every consequence of a breach of contract is a cognizable injury” and that contract damages are generally more restricted than compensatory damages for tort. Id. at 497. Accordingly, the Law Court concluded that time and effort alone do not represent a cognizable injury recoverable in implied contract. Id. Having answered the first question in the negative, the Law
Court found it unnecessary to address the second question. Id. at 498.
In light of the Law Court's opinion, the district court ordered the parties to show cause why judgment should not be entered in favor of Hannaford on all claims. The parties offered no response and the district court entered judgment in favor of Hannaford.
Plaintiffs have appealed the district court's decision regarding the fiduciary duty, breach of implied contract, negligence, and Maine UTPA claims. Hannaford has cross-appealed from the district court's determinations that the plaintiffs had adequately pled a basis for an implied contract of reasonable care apart from any tort duty, and that a private remedy under the Maine UTPA might lie even absent a loss resulting from the purchase of a consumer good or service.
We review de novo the grant of a motion to dismiss, “accepting as true all well-pleaded facts, analyzing those facts in the light most hospitable to the plaintiff's theory, and drawing all reasonable inferences for the plaintiff.” United States ex rel. Hutcheson v. Blackstone Med., Inc., 647 F.3d 377, 383 (1st Cir.2011). To survive a motion to dismiss, a complaint must “set forth ‘factual allegations, either direct or inferential, respecting each material element necessary to sustain recovery under some actionable legal theory.’ ” Gagliardi v. Sullivan, 513 F.3d 301, 305 (1st Cir.2008) (quoting Centro Medico del Turabo, Inc. v. Feliciano de Melecio, 406 F.3d 1, 6 (1st Cir.2005)).
A. Failure to State a Claim as to Theory of Cause of Action
1. Fiduciary/Confidential Relationship
Plaintiffs argue that Hannaford owed a fiduciary duty to protect their credit and debit card data, which it breached. Although plaintiffs concede that the basic grocery purchase transaction does not give rise to a fiduciary relationship, they argue that a fiduciary relationship arises in the context of credit and debit card use because the customer trusts the merchant to safeguard her credit or debit card information.
We agree with the district court that the plaintiffs' facts do not make out a confidential relationship with Hannaford and so Hannaford did not owe a fiduciary duty. To state a claim for fiduciary duty under Maine law, a plaintiff must: (1) allege “the actual placing of trust and confidence” in the defendant; (2) “show that there is some disparity in the bargaining positions of the parties;” and (3) show “that the dominant party has abused its position of trust.” Leighton v. Fleet Bank of Me., 634 A.2d 453, 457–58 (Me.1993). The plaintiffs' pleading fails to satisfy these three elements.
It is important to note for terminology purposes that under Maine law, a “fiduciary relationship is the same as a confidential relationship, which gives rise to the same duties.” Stewart v. Machias Sav. Bank, 762 A.2d 44, 46 n. 1 (Me.2000) (citing Ruebsamen v. Maddocks, 340 A.2d 31, 36 (Me.1975)).
First, the plaintiffs have not shown the “trust and confidence” contemplated by Maine confidential relationship cases. Under Maine law, a “fiduciary relationship has been described as ‘something approximating business agency, professional relationship, or family tie impelling or inducing the trusting party to relax the care and vigilance ordinarily exercised.’ ” Bryan R. v. Watchtower Bible & Tract Soc. of N.Y., Inc., 738 A.2d 839, 846 (Me.1999) (quoting
L.C. v. R.P., 563 N.W.2d 799, 801–02 (N.D.1997)). Accordingly, Maine decisions typically find a “placing of trust and confidence” in the context of family relationships, joint ventures, or partnerships. See, e.g., Ruebsamen v. Maddocks, 340 A.2d 31 (Me.1975) (family context); Wood v. White, 123 Me. 139, 122 A. 177 (1923) (joint venture context). The Maine courts have extended the rule to lender/borrower relationships, but only where one party has a relationship which has permitted it to take advantage of the other in order to use or acquire the other's assets. See Stewart v. Machias Sav. Bank, 762 A.2d 44 (Me.2000). The plaintiffs do not allege such a relationship here; there are no allegations that this relationship was anything other than an ordinary arms-length commercial transaction.
Second, the plaintiffs have not pled facts demonstrating disparate bargaining power between the plaintiffs and Hannaford. In the commercial context, the Maine Law Court has required an especially heightened disparity of power. The plaintiffs must allege “diminished emotional or physical capacity or ... the letting down of all guards and bars.” Stewart, 762 A.2d at 46 (omission in original) (quoting Diversified Foods, Inc. v. First Nat'l Bank of Bos., 605 A.2d 609, 615 (Me.1992)) (internal quotation marks omitted) (holding that a creditor-debtor relationship is not a confidential relationship without a showing of diminished capacity or special vulnerability). Here, the customer is free to use cash or checks, as well as credit or debit cards, to buy groceries. The customer is free to purchase groceries elsewhere. Indeed, plaintiffs fail to distinguish themselves from any other credit or debit card user in any commercial setting. See Bryan R., 738 A.2d at 847 (dismissing a claim for breach of fiduciary duty where, inter alia, plaintiff did not allege that his relationship with the defendant church was “distinct from [the defendant church's] relationships with any other members”).
Third, the plaintiffs fail to allege facts demonstrating that Hannaford abused a position of trust. Under Maine law, breach of fiduciary duty claims typically require a showing that the dominant party used its position of trust to obtain something from the subordinate party, “acquiring rights in that [property] antagonistic to the person with whose interests he has become associated.” Wood, 122 A. at 179 (quoting Trice v. Comstock, 121 F. 620, 627 (8th Cir.1903)) (internal quotation mark omitted). As the district court noted, there is no suggestion in the complaint that Hannaford provided anything but a fair exchange in groceries in return for the customers' payments or somehow took advantage of the system of allowing customers to use cards. In re Hannaford, 613 F.Supp.2d at 123.
2. Implied Contract
Hannaford also argues that the implied contract claim must fail because it is redundant with the plaintiffs' claim for negligence. Hannaford did not make this argument to the district court, so it is waived. See Lamex Foods, Inc. v. Audeliz Lebrón Corp., 646 F.3d 100, 112 n. 15 (1st Cir.2011). Even so, the argument fails on its own terms. Hannaford's argument depends on an analogy to the medical malpractice context, in which Maine courts have held implied contract claims to be redundant with claims for negligence. See Johnson v. Carleton, 765 A.2d 571 (Me.2001); Woolley v. Henderson, 418 A.2d 1123 (Me.1980). In so holding, however, these courts have explained that the rule is particular to the medical malpractice context, where “[r]ecognizing the continued vitality of implied contract as an independent cause of action would be fundamentally inconsistent with the modern view that malpractice actions should be predicated on a single basis of liability—deviation from the professional standard of care.” Johnson, 765 A.2d at 573 n. 3 (quoting Woolley, 418 A.2d at 1135) (internal quotation mark omitted). These courts have reasoned that implied contract is “inadequa[te] ... as a comprehensive liability base in malpractice actions,” Woolley, 418 A.2d at 1135, because a duty “exists though there is clearly no contractual relationship between the patient and the physician,” id. at 1134 (quoting Kozan v. Comstock, 270 F.2d 839, 845 (5th Cir.1959)). In this case, by contrast, the relationship between Hannaford and its customers was born of a commercial transaction, which imposed contractual obligations separate and apart from the ordinary duty of reasonable care.
express words, but, in addition, all such implied provisions as are indispensable to effectuate the intention of the parties and as arise from the language of the contract and the circumstances under which it was made.” Seashore Performing Arts Ctr., Inc. v. Town of Old Orchard Beach, 676 A.2d 482, 484 (Me.1996) (quoting Top of the Track Assocs. v. Lewiston Raceways, Inc., 654 A.2d 1293, 1295 (Me.1995)). The existence of such an implied contract term is determined by the jury, which considers whether the term is indispensable to effectuate the intention of the parties.
The district court correctly concluded that a jury could reasonably find an implied contract between Hannaford and its customers that Hannaford would not use the credit card data for other people's purchases, would not sell the data to others, and would take reasonable measures to protect the information. In re Hannaford, 613 F.Supp.2d at 119. When a customer uses a credit card in a commercial transaction, she intends to provide that data to the merchant only. Ordinarily, a customer does not expect—and certainly does not intend—the merchant to allow unauthorized third-parties to access that data. A jury could reasonably conclude, therefore, that an implicit agreement to safeguard the data is necessary to effectuate the contract.
3. Maine Unfair Trade Practices Act, Me.Rev.Stat. tit. 5, §§ 205–A to 214
The district court held that the plaintiffs' allegations stated a claim under the Maine UTPA that Hannaford's failure to disclose the data theft promptly, and possibly its failure to maintain reasonable security systems, was unfair and deceptive. Id. at 128–31. Nonetheless, the district court concluded that the claim failed because the plaintiffs did not allege substantial loss. Id. at 134. We agree that the plaintiffs' claim fails, but for different reasons.
Section 207 of the Maine UTPA, entitled “Unlawful Acts and Conduct,” provides that “[u]nfair methods of competition and unfair or deceptive acts or practices in the conduct of any trade or commerce are declared unlawful.” Me.Rev.Stat. tit. 5, § 207. Under the statute, in defining whether a practice is unlawful, the Maine legislature directed that guidance be sought from the interpretations of the Federal Trade Commission Act (FTCA). Id. § 207(1) (“It is the intent of the Legislature that in construing this section the courts will be guided by the interpretations given by the Federal Trade Commission and the Federal Courts to Section 45(a)(1) of the Federal Trade Commission Act (15 U.S.C. § 45(a)(1)), as from time to time amended.”).
The Maine courts have looked generally to the FTCA to determine whether “the act or practice causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.”
Further, “[i]n determining whether an act or practice is unfair,” Maine courts “consider established public policies as evidence to be considered with all other evidence. Such public policy considerations may not serve as a primary basis for such determination.” Id. (quoting 15 U.S.C. § 45(n)) (internal quotation marks omitted).
The Maine UTPA provides for two different enforcement mechanisms: enforcement by the state's Attorney General, Me.Rev.Stat. tit. 5, § 209, and a private cause of action, id. § 213. The Attorney General may seek injunctive relief and may also seek civil penalties for violation of the injunction, including restoration to private individuals of any ascertainable loss. Id. § 209. The issue here concerns the limits for private causes of action.
Section 213, entitled “Private Remedies,” as amended in 1991, provides a private cause of action under the statute:
Any person who purchases or leases goods, services or property, real or personal, primarily for personal, family or household purposes and thereby suffers any loss of money or property, real or personal, as a result of the use or employment by another person of a method, act or practice declared unlawful by section 207 or by any rule or regulation issued under section 207, subsection 2 may bring an action either in the Superior Court or District Court for actual damages, restitution and for such other equitable relief, including an injunction, as the court determines to be necessary and proper. Id. § 213(1).
The text requires that the plaintiff suffer a loss of money or property as a result of the unlawful act. By virtue of a 1991 amendment, damages may be awarded, as well as restitutionary relief. By its literal terms, section 213 does not itself impose a substantial loss requirement, but the Maine Law Court has so interpreted the statute when considering section 207 in conjunction with section 213. See McKinnon v. Honeywell Int'l, Inc., 977 A.2d 420, 427 (Me.2009) (“[A] plaintiff [must] suffer ‘loss of money or property’ before bringing a private action to recover ... [and] the injury suffered must be substantial.”).
Given our disposition, we do not reach Hannaford's argument on cross-appeal that there is an absence of loss resulting from the purchase of goods or services.
The parties actively dispute whether plaintiffs' claims, viewed individually, make out substantial injury, or whether, given the nature of the event, plaintiffs' claims of harm may be viewed as a collective whole as to substantial injury. In Tungate v. MacLean–Stevens Studios, Inc., the Law Court said that “[t]he substantial injury requirement is designed to weed out ‘trivial or merely speculative harms.’ ” 714 A.2d 792, 797 (Me.1998) (quoting Legg v. Castruccio, 100 Md.App. 748, 642 A.2d 906, 917 (1994)) (holding that a $1.25 commission on a $7.00 product did not rise to the level of substantial injury for purposes of establishing a violation under section 207). We do not view the subject matter of this suit as “trivial” or “merely speculative.” We see no case in Maine sufficiently like this one to give us clear guidance on this question and are reluctant to venture where the Maine courts have not.
What is clear is that the Maine courts have consistently read the private right of action provision of the UTPA narrowly.
See, e.g., McKinnon, 977 A.2d at 427 (interpreting the provision's requirement that plaintiffs suffer “loss of money or property” to mean “substantial” loss); Bartner v. Carter, 405 A.2d 194, 202–03 (Me.1979) (rejecting a “broad” definition of “restitution” in favor of a narrower “technical” definition); see also Hoglund ex rel. Johnson v. DiamlerChrysler Corp., 102 F.Supp.2d 30, 31 (D.Me.2000) (“Historically, however, the Law Court has interpreted the UTPA's private remedial provision narrowly.”). This is one purpose of the substantial injury requirement. See McKinnon, 977 A.2d at 427 (“The substantial injury requirement is a limitation on the use of the UTPA for a private cause of action.”). This narrow application of the private right of action section is consistent with the Maine legislature's choice of statutory language, which is narrower than that of other states. E.g., compare Me.Rev.Stat. tit. 5, § 213(1) (restricting the private right of action to a “person who purchases or leases goods, services or property”), with Mass. Gen. Laws ch. 93A, § 9(1) (allowing “[a]ny person ... who has been injured” to bring a private action even if that person is not a consumer and not otherwise in privity with the purchaser).
In the seminal case interpreting the private right of action provision of the Maine UTPA, the Law Court in Bartner v. Carter pointed out that “[i]n a private suit, the requirement of loss to the plaintiff consumer resulting from defendant's wrongful act unavoidably limits” both the scope of section 207 and the use of the FTCA and its interpretation. 405 A.2d at 201. The court commented that the Maine legislature was concerned about the possible coercive and improper use of the private cause of action, and that was one rationale for the narrowing. Id. at 201–02.
Pertinently, the court also pointed out, in discussing the restrictions on recovery in private actions under section 213, that “[c]ommon law actions for negligence and breach of warranty are available in appropriate cases for non-restitutionary damages in situations where personal injuries or damages to property have occurred.” Id. at 203.
It seems unlikely to us that Maine would permit plaintiffs, in cases also pleading that the same acts constitute negligence and breach of implied contract, to use the private action provision of the UTPA to recover types of damages which Maine has decided are not reasonably foreseeable or barred for policy reasons when asserted under implied contract, negligence, or other theories. In Searles, the Law Court was explicit that public policy considerations factor into interpretation of the UTPA. See 878 A.2d at 519 n. 10. As this opinion holds elsewhere, most of plaintiffs' damages claims fail for those reasons. As to the recoverable amounts for mitigation of damages under negligence and implied contract, we see no reason why Maine law would not consider those recoveries under those theories sufficient.
We recognize that attorney's fees are available under the Maine UTPA “[i]f the court finds, in any action commenced under [section 213] that there has been a violation of [section] 207.” Me.Rev.Stat. tit. 5, § 213(2); see also Beaulieu v. Dorsey, 562 A.2d 678 (Me.1989). But we are doubtful the Maine courts would extend these provisions of the UTPA on these facts simply to allow recovery of attorney's fees for mitigation costs. Even the attorney's fees provisions have been recognized as having limits. See Dudley v. Wyler, 647 A.2d 90, 92 (Me.1994) (denying attorney's fees where plaintiff established a violation of section 207 but failed to show the loss of money or property required to recover under section 213).
B. Failure to Allege Cognizable Injury
To summarize, plaintiffs' claims under the Maine UTPA and for a breach of fiduciary relationship fail, but plaintiffs have adequately alleged at least theories of negligence and breach of implied contract. That a general theory of recovery has been adequately pled does not, though, resolve the next question of whether the particular types of damages alleged are recoverable under those theories. We draw a distinction for our analysis among plaintiffs' various claims of damages between those which are best characterized as mitigation costs and those which are not.
1. Mitigation Damages: Card Replacement Costs and Credit Insurance
Under Maine negligence law, damages must be both reasonably foreseeable, and, even if reasonably foreseeable, of the type which Maine has not barred for policy reasons. Generally, under Maine law, “the fundamental test [for both tort and contract recovery] is one of reasonable foreseeability: if the loss or injury for which damages are claimed was not reasonably foreseeable under the circumstances, there is no liability.” Horton & McGehee, Maine Civil Remedies § 4–3(b)(3) (4th ed. 2004). But liability in negligence also “ordinarily requires proof of personal injury or property damage.” In re Hannaford, 4 A.3d at 496. The Maine Law Court has explained that although reasonable foreseeability “may set tolerable limits for most types of physical harm, it provides virtually no limit on liability for nonphysical harm.” Cameron v. Pepin, 610 A.2d 279, 283 (Me.1992) (emphasis omitted) (quoting Thing v. La Chusa, 48 Cal.3d 644, 257 Cal.Rptr. 865, 771 P.2d 814, 826 (1989)) (internal quotation mark omitted). In cases of nonphysical harm, Maine courts limit recovery by considering not only reasonable foreseeability, but also relevant policy considerations such as “societal expectations regarding behavior and individual responsibility in allocating risks and costs.” Alexander v. Mitchell, 930 A.2d 1016, 1020 (Me.2007).
Maine courts have weighed these considerations in the context of mitigation costs and determined that a plaintiff may “recover for costs and harms incurred during a reasonable effort to mitigate,” regardless of whether the harm is nonphysical. In re Hannaford, 4 A.3d at 496. The Maine Law Court has expressly said so both in its response to the certified questions and in its decision to apply the Restatement (Second) of Torts § 919. The Restatement (Second) of Torts § 919 provides that “[o]ne whose legally protected interests have been endangered by the tortious conduct of another is entitled to recover for expenditures reasonably made or harm suffered in a reasonable effort to avert the harm threatened.” Id. § 919(1). It is clear that, as a matter of policy, Maine law “encourages plaintiffs to take reasonable steps to minimize losses caused by a defendant's negligence.” In re Hannaford, 4 A.3d at 496. To recover mitigation damages, plaintiffs need only show that the efforts to mitigate were reasonable, and that those efforts constitute a legal injury, such as actual money lost, rather than time or effort expended. Id. at 496–97.
Maine has interpreted this “reasonableness” requirement for mitigation, judging whether the decision to mitigate was reasonable “at the time it was made.” Marchesseault v. Jackson, 611 A.2d 95, 99 (Me.1992). In Marchesseault, the plaintiff brought a claim for breach of contract after the defendant built a faulty foundation for the plaintiff's house. The court allowed as mitigation costs expenditures made in an unsuccessful effort to remedy
the major defects in the foundation rather than destroy the foundation and have it rebuilt. Plaintiff recovered those damages because his efforts to mitigate, while unsuccessful, were a reasonable attempt to avoid further loss. Id.
There is not a great deal of Maine law on the subject. And the Law Court's decision on the certified question appears to be the first time the Maine courts have applied § 919 of the Restatement. So we turn to the decisions of other courts under the Restatement, which provide guidance for Maine. See, e.g., Marchesseault, 611 A.2d 95 at 99 (turning to other jurisdictions for guidance in deciding whether to allow recovery of unsuccessful repair costs as mitigation damages under the Restatement (Second) of Contracts); Marois v. Paper Converting Mach. Co., 539 A.2d 621, 623–24 (Me.1988) (“Decisions of other courts, however, do interpret the Restatement [ (Second) of Torts] and are helpful in the development of our own law.”). Other courts' decisions applying § 919 are helpful to plaintiffs' claims. These courts award mitigation costs even when it is not certain at the time that these costs are needed, when mitigation costs are sought but other damages are unavailable, and when mitigation costs exceed the amount of actual damages.
The Seventh Circuit, for example, has held that under Restatement § 919 incidental costs expended in good faith to mitigate harm are recoverable—even if the costs turn out to exceed the savings. See Toledo Peoria & W. Ry. v. Metro Waste Sys., Inc., 59 F.3d 637 (7th Cir.1995) (applying Illinois law). In Toledo, the plaintiff sued to recover for damages sustained to several of its locomotive engines. As to one of the engines, the plaintiff sought to recover both the replacement value of the engine and the cost of attempted repairs, which later turned out to be unsuccessful. The court held it was error to have excluded evidence of the cost of the attempted repairs and allowed the plaintiff full recovery because “[a]ny other result would effectively penalize [the plaintiff] for fulfilling its obligation under Illinois law to minimize its damages.” Id. at 641.
In Kelleher v. Marvin Lumber & Cedar Co., 152 N.H. 813, 891 A.2d 477 (2005), the New Hampshire Supreme Court, applying Restatement § 919, held that a plaintiff who found rot damage in a number of his property's windows could recover for the cost of replacing those windows in order to prevent water leakage and other damage to the property. The court allowed the plaintiff to recover the cost of the new windows as reasonable mitigation damages notwithstanding the court's determination that recovery for the rotting windows themselves was barred by the economic loss doctrine. Id. at 496–97.
The Fourth Circuit has noted, applying Restatement § 919, that plaintiffs should not face “a Hobson's choice” between allowing further damage to occur or mitigating the damage at their own expense. Toll Bros., Inc. v. Dryvit Sys., Inc., 432 F.3d 564, 570 (4th Cir.2005) (applying Connecticut law). In Toll, a real estate developer removed and replaced defective stucco from homes that it built, and sued the stucco manufacturer in negligence to recover its costs. The court concluded that, as a matter of policy, a plaintiff may recover the cost of its reasonable attempts to mitigate, even if the injury is “wholly financial” in nature. Id.
In Fogel v. Zell, 221 F.3d 955 (7th Cir.2000), the court, applying Illinois law, determined that under Restatement § 919 a city which had installed a defectively manufactured sewer pipe “would have been entitled by the doctrine of mitigation of damages to remove the pipe or take other
prophylactic or reparative measures, and to seek restitution of the expense of doing so from [the manufacturer], provided the expense was prudent in the circumstances.” Id. at 960–61.
In a Massachusetts case, Automated Donut Systems, Inc. v. Consolidated Rail Corp., 12 Mass.App.Ct. 326, 424 N.E.2d 265 (1981), the court applied Restatement § 919 to hold that a shipper could recover the cost of reasonable, but unsuccessful, efforts to repair goods damaged by a railway carrier because allowing recovery would effectuate a policy of encouraging injured parties to avoid loss. Id. at 270–71.
The question then becomes whether plaintiffs' mitigation steps were reasonable. This is a contextual question, depending on the facts. Like the district court, we will view all facts in the light most favorable to the plaintiffs.
This case involves a large-scale criminal operation conducted over three months and the deliberate taking of credit and debit card information by sophisticated thieves intending to use the information to their financial advantage. Unlike the cases cited by Hannaford, this case does not involve inadvertently misplaced or lost data which has not been accessed or misused by third parties. Here, there was actual misuse, and it was apparently global in reach. The thieves appeared to have expertise in accomplishing their theft, and to be sophisticated in how to take advantage of the stolen numbers. The data was used to run up thousands of improper charges across the globe to the customers' accounts. The card owners were not merely exposed to a hypothetical risk, but to a real risk of misuse.
Further, there is no suggestion there was any way to sort through to predict whose accounts would be used to ring up improper charges. By the time Hannaford acknowledged the breach, over 1,800 fraudulent charges had been identified and the plaintiffs could reasonably expect that many more fraudulent charges would follow. Hannaford did not notify its customers of exactly what data, or whose data, was stolen. It reasonably appeared that all Hannaford customers to have used credit or debit cards during the class period were at risk of unauthorized charges.
That many banks or issuers immediately issued new cards is evidence of the reasonableness of replacement of cards as mitigation. Those banks thought the cards would be subject to unauthorized use, and cancelled those cards to mitigate their own losses in what was a commercially reasonable judgment. That other financial institutions did not replace cards immediately does not make it unreasonable for cardholders to take steps to protect themselves.
It was foreseeable, on these facts, that a customer, knowing that her credit or debit card data had been compromised and that thousands of fraudulent charges had resulted from the same security breach, would replace the card to mitigate against misuse of the card data. It is true that
Under the Truth in Lending Act, 15 U.S.C. § 1643, and the Electronic Fund Transfer Act, 15 U.S.C. § 1693g, cardholders are liable for up to $50 in unauthorized charges, with the exception that under the Electronic Fund Transfer Act, a cardholder can be liable for up to $500 if the holder fails to report the fraud within two days.
It may be, as Hannaford suggests, that major card brands have instituted contractual zero-liability protection, with the result that customers are not liable for any amount of a fraudulent charge. But at the motion to dismiss stage, we cannot say that customers face no risk of even a $50 liability from unauthorized use. Nor is Hannaford's argument directly relevant: it does not change the fact that in these circumstances it is entirely reasonable for customers to attempt to mitigate harm to themselves.
the only plaintiffs to allege having to pay a replacement card fee, Cyndi Fear and Thomas Fear, do not allege that they experienced any unauthorized charges to their account, but the test for mitigation is not hindsight. Similarly, it was foreseeable that a customer who had experienced unauthorized charges to her account, such as plaintiff Lori Valburn, would reasonably purchase insurance to protect against the consequences of data misuse.
Hannaford argues that because the plaintiffs allege no loss of personally identifying information, plaintiff Lori Valburn had no reasonable basis for purchasing “identity theft” insurance. The plaintiffs explain that “[a]lthough it was labeled ‘identity theft insurance,’ the product purchased by Ms. Valburn from Discover Card protected her against the consequences of misuse of the data that had been stolen including the losses and disruptions documented in the Complaint.” At the motion to dismiss stage, we draw all reasonable inferences in favor of the plaintiff, including the inference that the product purchased by plaintiff Valburn protected her against misuse of her stolen debit and credit card data.
Hannaford opposes this conclusion and cites several cases from other jurisdictions holding, on the facts before them, that the costs of credit monitoring services and identity theft insurance are not cognizable injuries in negligence claims. All of these cases are distinguishable on their facts.
Hannaford also argues that allowing recovery for prophylactic measures such as identity theft insurance would provide incentives for the unnecessary purchase of such products. As we have discussed, however, such recovery is bounded by the principle of reasonableness; recovery is allowable only if the decision to purchase such a product was a reasonable effort to mitigate under the circumstances. See Marchesseault v. Jackson, 611 A.2d 95, 99 (Me.1992). For example, where neither the plaintiff nor those similarly situated have experienced fraudulent charges resulting from a theft or loss of data, the purchase of credit monitoring services may be unreasonable and not recoverable. Cf. Pisciotta v. Old Nat'l Bancorp, 499 F.3d 629, 639–40 (7th Cir.2007). By contrast, such insurance may be reasonable in circumstances like those here.
Most of the cases involved theft of expensive computer equipment, rather than a sophisticated breach of electronic data. See Ruiz v. Gap, Inc., 622 F.Supp.2d 908 (N.D.Cal.2009); Caudle v. Towers, Perrin, Forster & Crosby, Inc., 580 F.Supp.2d 273 (S.D.N.Y.2008); Kahle v. Litton Loan Servicing LP, 486 F.Supp.2d 705 (S.D.Ohio 2007); Randolph v. ING Life Ins. & Annuity Co., 486 F.Supp.2d 1 (D.D.C.2007). In contrast with the facts here, the plaintiffs in those cases not only failed to allege “that plaintiff[s] or any member[s] of the putative class [had] been the victim[s] of identity fraud or theft,” Caudle, 580 F.Supp.2d at 277, but also failed to allege “that the person stealing the [computer or] hard drive was motivated by a desire to access the data and had the capabilities to do so,” id. at 282. These courts reasoned that because “there [was] no evidence that the thieves or other unauthorized individuals were able to access that information or if accessed that it [was] used for unlawful purposes[,] ... any injury of Plaintiff[s] [was] purely speculative.” Kahle, 486 F.Supp.2d at 712–13. Here, by contrast, the thieves were sophisticated; they targeted Hannaford's data directly; and they used that data to ring up thousands of charges to customer accounts, including the accounts of many of the plaintiffs.
Another of the cases involved a computer hard drive that was inadvertently lost. See Melancon v. La. Office of Student Fin. Assistance, 567 F.Supp.2d 873 (E.D.La.2008). In Melancon, unlike the present
case, it was “undisputed that no personal data [had] been compromised and Plaintiffs [had] failed to offer evidence that any third party [had] gained access to the data.” Id. at 877. Because the case did not involve actual theft or misuse, the court held that the plaintiffs did not have a reasonable basis for purchasing credit monitoring services and could not claim those costs as cognizable damages.
Several other courts, in cases not cited by Hannaford, have likewise concluded that where data is simply lost or misplaced rather than stolen, and no known misuse has occurred, plaintiffs may not recover damages including credit monitoring costs. See McLoughlin v. People's United Bank, Inc., No. 3:08–cv–00944(VLB), 2009 WL 2843269 (D.Conn. Aug. 31, 2009); Willey v. J.P. Morgan Chase, N.A., No. 09 Civ. 1397(CM), 2009 WL 1938987 (S.D.N.Y. July 7, 2009); Shafran v. Harley–Davidson, Inc., No. 07 Civ. 01365(GBD), 2008 WL 763177 (S.D.N.Y. Mar. 20, 2008). In McLoughlin, for example, “there [was] no allegation as to the fate of the missing box of tapes. They could have been inadvertently discarded or destroyed, or they could be collecting dust in some forgotten warehouse.” 2009 WL 2843269 at *7. “It is only through speculation,” the court explained, “that one concludes that [the lost tapes] are in possession of an individual who is driven to maliciously mine the tapes for the personal data that they contain. Accordingly, this is not a ‘risk of injury’ case but rather a speculation as to a possible risk of injury.” Id. The court concluded that because the plaintiffs' “claim [was] founded solely on the fear, unsupported by any allegation of malfeasance, of identity theft,” the plaintiffs could not recover. Id. at *8. Here, by contrast, thieves accessed and misused the data, resulting in thousands of fraudulent charges to Hannaford customers, including plaintiffs.
Only two of Hannaford's cited cases involve a breach in which thieves accessed the plaintiffs' data held by defendants. See Pisciotta v. Old Nat'l Bancorp, 499 F.3d 629 (7th Cir.2007) (hackers breached a bank website and stole the personal and financial data of tens of thousands of the bank's customers); Hendricks v. DSW Shoe Warehouse Inc., 444 F.Supp.2d 775, 777 (W.D.Mich.2006) (hackers accessed “the numbers and names associated with approximately 1,438,281 credit and debit cards and 96,385 checking account numbers and drivers' license numbers” that were on file with a national shoe retailer). But even in those cases, the plaintiffs failed to allege “that they or any other member of the putative class already had been the victim of identity theft as a result of the breach.” Pisciotta, 499 F.3d at 632; see also Hendricks, 444 F.Supp.2d at 779. These courts reasoned that in the absence of unauthorized charges as to the plaintiffs or those similarly situated, the plaintiffs there lacked a reasonable basis for fearing there would be unauthorized charges to their accounts as a result of the theft. That very reasoning suggests that these courts would reach a different result if the plaintiffs alleged that they had suffered fraudulent charges to their accounts. Here, plaintiff Valburn purchased theft insurance only after learning of an unauthorized $500 cash withdrawal from her account and speaking with the fraud unit at Discover Card. Knowing her personal data had been breached and misused, and knowing the thieves were sophisticated and had rung up thousands of unauthorized charges, plaintiff Valburn had a reasonable basis for purchasing identity theft insurance to avoid further damage.
Hannaford also argues that even if these damages are cognizable in negligence, they are not cognizable in contract. In support of this argument, Hannaford cites the Maine Law Court's statement, in its answer to the certified questions, that “contract damages are more restricted than compensatory damages for a tort.” In re Hannaford, 4 A.3d at 497. While true, that statement is inapplicable here. As explained by the Law Court and the body of precedent on which it relied, contract
damages are more restricted in that they disallow “recovery of damages for mental or emotional distress suffered solely as the result of a breach of contract,” even if foreseeable. Rubin v. Matthews Int'l Corp., 503 A.2d 694, 696 (Me.1986); see also Stull v. First Am. Title Ins. Co., 745 A.2d 975, 981 (Me.2000); Marquis v. Farm Family Mut. Ins. Co., 628 A.2d 644, 651 (Me.1993). Plaintiffs' claims for identity theft insurance and replacement card fees involve actual financial losses from credit and debit card misuse. Under Maine contract law, these financial losses are recoverable as mitigation damages so long as they are reasonable. See, e.g., Marchesseault, 611 A.2d at 99; Restatement (Second) of Contracts § 350 & cmt. h (“[C]osts incurred in a reasonable but unsuccessful effort to avoid loss are recoverable.”).
2. Remaining Damages Claims
General principles of recovery in both contract and tort, which are not applicable to the mitigation damages we have discussed, do bar the plaintiffs' remaining claims. The district court correctly concluded that the plaintiffs' claims for loss of reward points, loss of reward point earning opportunities, and fees for pre-authorization changes were not recoverable. These injuries were too attenuated from the data breach because they were incurred as a result of third parties' unpredictable responses to the cancellation of plaintiffs' credit or debit cards. See Stubbs v. Bartlett, 478 A.2d 690 (Me.1984) (concluding that a wife's loss of medical insurance was too attenuated an injury where it arose from a car accident that caused her husband to lose his job and his employer-provided medical insurance). We doubt that under Maine law it is reasonably foreseeable that an issuing bank would deny a cardholder's entitlement to accumulated points when the card has merely been replaced with a new one. Nor, under Maine law, is it reasonably foreseeable that pre-authorization arrangements, which are usually in the merchant's interest and are accordingly free-of-charge to set up, would involve change fees in the event of a credit or debit card replacement. Moreover, we do not think Maine, as a policy matter, would find such damages compensable.
We reject the plaintiffs' argument that the question of foreseeability vel non should have gone to the jury and the district court had no role to play. The district court was correct to consider initially foreseeability as a question of law. In addressing the certified questions, the Law Court indicated that some harms are too far attenuated as a matter of law to constitute cognizable injury in Maine. See In re Hannaford Bros. Co. Customer Data Sec. Breach Litig., 4 A.3d 492, 496–97 (Me.2010). Indeed, the plaintiffs later acknowledge as much when they argue that “[o]nly if it is clear that no reasonable jury could find that the specific element of consequential damages was or should have been foreseeable ... can the court step in and rule out a particular element of loss as unforeseeable as a matter of law.”
We conclude that the two forms of mitigation damages we have discussed are cognizable under Maine law and we reverse the district court's dismissal of the plaintiffs' negligence and implied contract claims as to those damages. We affirm the district court's dismissal of the remaining claims. So ordered. No costs are awarded.