Opinion
BCP-CV-K
03-14-2012
Local Counsel for Plaintiff: Bernard Kubetz, Esq., Eaton Peabody. Out of State Counsel for Plaintiff: Joseph DeBelder, Esq., Henrichsen Siegel, PLLC. Defense Counsel: Clifford Ruprecht, Eq., Nolan Reichl, Esq., Pierce Atwood, Merrills Wharf.
Local Counsel for Plaintiff: Bernard Kubetz, Esq., Eaton Peabody.
Out of State Counsel for Plaintiff: Joseph DeBelder, Esq., Henrichsen Siegel, PLLC.
Defense Counsel: Clifford Ruprecht, Eq., Nolan Reichl, Esq., Pierce Atwood, Merrills Wharf.
John C. Nivison Justice.
Pursuant to M.R. App. P. 24(c), Defendant Hannaford Brothers Co. (Hannaford) moves to report two issues to the Law Court:
Can a plaintiff recover purely economic losses in negligence when the plaintiff has suffered no physical harm to person or property?
Must an issuing bank's negligent misrepresentation claim against a merchant in a data breach case fail as a matter of law when the only representation alleged is the mere acceptance of an electronic payment card?(M. Report 1.) Hannaford seeks a report following the Court's October 27, 2011, summary judgment order (hereinafter, "Order") in which the Court 1) declined to adopt the economic loss doctrine, allowing Plaintiff Digital Federal Credit Union's (DFCU) negligence claim to proceed; and 2) concluded that issues of material fact precluded the entry of judgment on DFCU's negligent misrepresentation claim. (Order 11-12.)
Although the Court did not adopt or apply the economic loss doctrine, the Court determined that the summary judgment record generated an issue as to whether Hannaford owed a duty as alleged by DFCU.
DFCU alleges that Hannaford
had a duty to exercise reasonable care in the handling and safeguarding of cardholder information when it engaged in the card transactions with their customer and their banks. This duty included reasonable care in gathering and maintaining the information to prevent unauthorized access, possession, and/or misuse of the information.(Amend. Compl. ¶ 30.) Because the parties had not directly addressed the duty issue, after the Court issued the order on Hannaford's motion for summary judgment, the Court requested that the parties brief the issue of whether Hannaford owed DFCU a duty of care.
For the purposes of summary judgment motion only, the parties presumed that Hannaford was negligent in allowing customers' data information to be accessed by unauthorized third parties.
The Court requested briefing on the duty issue prior to oral argument on the motion to report. The Court allowed subsequent briefing on the particular policy considerations implicated by the duty advocated by DFCU.
Duty of Care
Duty "involves the question of whether the defendant is under any obligation for the benefit of the particular plaintiff." Searles v. Trs. of St. Joseph's Coll., 1997 ME 128, ¶ 5, 695 A.2d 1206 (quotation marks omitted). "In a tort analysis, the duty is always the same - to conform to the legal standard of reasonable conduct in the light of the apparent risk." Alexander v. Mitchell, 2007 ME 108, ¶ 15, 930 A.2d 1016 (quotation marks omitted). Both the existence of a duty of care and the scope of that duty are questions of law. See id. ¶
14.
Duty initially focuses on the foreseeability of risk. "The common-law test of duty is the probability or foreseeability of injury to the plaintiff. The risk reasonably to be perceived within the range of apprehension delineates the duty to be performed and the scope thereof." Fortin v. Roman Catholic Bishop of Portland, 2005 ME 57, ¶ 75, 871 A.2d 1208 (quoting Brewer v. Roosevelt Motor Lodge, 295 A.2d 647, 651 (Me. 1972)).
[A] court's task—in determining "duty"—is not to decide whether a particular plaintiffs injury was reasonably foreseeable in light of a particular defendant's conduct, but rather to evaluate more generally whether the category of negligent conduct at issue is sufficiently likely to result in the kind of harm experienced that liability may appropriately be imposed on the negligent party.Cameron v. Pepin, 610 A.2d 279, 282 (Me. 1992) (quoting Thing v. La Chusa, 771 P.2d 814, 819 n.3(Cal. 1989)).
Foreseeability, however, is not the only inquiry. See Cameron, 610 A.2d at 282. The determination of whether a duty exists also requires a balancing of relevant policy considerations. See Flanders v. Cooper, 1998 ME 28, ¶ 4, 706 A.2d 589. When faced with a party arguing for recognition of a new duty of care, the Law Court has explained that "[i]n the decision of whether or not there is a duty, many factors interplay: the hand of history, our ideals of morals and justice, the convenience of administration of the rule, and social ideas as to where the loss should fall." Trusiani v. Cumberland & York Distribs., Inc., 538 A.2d 258, 261 (Me. 1988) (quoting William Prosser, Palsgraf Revisited, 52 MICH. L. Rev. 1, 15 (1953)). "In the end the court will decide whether there is a duty on the basis of the mores of the community always keeping in mind the fact that we endeavor to make a rule in each case that will be practical and in keeping with the general understanding of mankind." Id.
The pleadings and the summary judgment record establish that DFCU is a foreseeable plaintiff insofar as DFCU's loss as an issuing bank is a foreseeable consequence of a data security breach by a merchant such as Hannaford. In this case, therefore, the Court must examine the pertinent policy considerations to determine whether a legal duty should be imposed.
DFCU, relying on Sovereign Bank v. BJ's Wholesale Club, Inc., 395 F.Supp.2d 183 (M.D. Pa. 2005), argues that the nature of the risk involved and foreseeability of the harm, together with the public interest in holding parties responsible for their negligent conduct, weigh in favor of recognizing a duty in this case. DFCU asserts that the Court's failure to recognize a duty would result in a reduction of security measures for cardholders' data because a rational merchant, without concern for the risk of loss, would not incur the cost of providing adequate security for cardholder data. When a party creates a cognizable risk of harm, DFCU argues, it is both fair and socially efficient to assign liability for the harm that reasonable precautions could have avoided. See People Express Airlines, Inc. v. Consol. Rail Corp., 495 A.2d 107, 117-18 (NJ. 1985). DFCU maintains, therefore, that the imposition of liability upon Hannaford for harm resulting from its lack of security precautions is fair because Hannaford is in the best position to prevent the theft of the cardholder data. See Sovereign Bank, 395 F.Supp.2d at 194.
Hannaford counters that the Court should not recognize a tort duty under the circumstances of this case in part because the Visa system, of which DFCU is a member, has created a contractual scheme designed to mitigate losses resulting from data theft: Account Data Compromise Recovery, or ADCR. (See Supp. S.M.F. ¶¶ 22-33; Opp. S.M.F. ¶¶ 22-33.) According to Hannaford, the allocation of risk contemplated by the participants in the system should not be supplemented with a tort remedy because the consensual, interrelated, contractual remedy is a more just and efficient distribution of loss among sophisticated parties. Hannaford maintains that the creation of a tort remedy for issuing banks against merchants for a data security breach would fundamentally alter the parties' contractual relationships, and that the recognition of a duty of care would impose potential liability on merchants out of proportion to fault given that DFCU's proposed duty would apply equally to small merchants and large enterprises. Hannaford also argues that because legislative bodies are better suited than courts to gather information and weigh the competing interests of relevant stakeholders, courts should defer to legislative bodies to assess all the considerations of shifting economic losses between and among parties. See Barber Lines A/S v. M/V Donau Maru, 764 F.2d 50, 55 (1st Cir. 1985) (Breyer, J.).
The parties present compelling arguments for the Court's consideration. In essence, DFCU asks the Court to impose an extra-contractual duty upon merchants to issuing banks participating in the Visa system. While Hannaford's position arguably immunizes culpable parties from the losses that it and other merchants might cause for certain parties, DFCU's position would impose potentially boundless liability in tort and would likely fundamentally restructure everyday consumer transactions.
Both parties have consistently provided the Court with cogent arguments, written and oral, on the various legal issues presented in the case.
The Court is mindful of the fact that the Law Court understandably scrutinizes and is somewhat reticent to recognize new common law duties of care, see Estate of Cilley v. Lane, 2009 ME 133, ¶¶ 19-21, 985 A.2d 481, particularly when there is no direct relationship between the parties, see Alexander v. Mitchell, 2007 ME 108, ¶ 31, 930 A.2d 1016; Flanders, 1998 ME 28, ¶ 14, 706 A.2d 589; Trusiani, 538 A.2d at 262-63. Consistent with this view, as explained further below, the Court concludes that the relevant policy considerations militate against the imposition of a duty upon a merchant for the benefit of an issuing bank for data security breach under the circumstances of this case.
First, DFCU and other issuing banks agreed to the terms of the Visa system, presumably with full knowledge of the terms of the agreement, including the way in which the risk of loss was allocated among the various participants. (See Supp. S.M.F. ¶¶ 1-4, 22-33; Opp. S.M.F. ¶¶ 1-4, 22-33.) DFCU thus chose to manage the risk that it assumed, including the risk of a potential breach of merchants' security systems, pursuant to the terms of the Visa agreement and other contractual arrangements. Indeed, DFCU's alleged loss in this case is predicated on a contractual arrangement with its cardholders to hold the cardholders harmless for fraudulent transactions. (A.S.M.F. ¶ 17; Reply S.M.F. ¶ 17.) The nature and extent of the contractual arrangements that govern each Visa transaction strongly suggest that the contractual obligations of the parties to those contracts should govern, and that the imposition of a duty in tort is unnecessary and potentially inconsistent with the terms of the parties' agreements. Moreover, the Court is not persuaded by DFCU's argument that by not recognizing a duty in this case, the Court would provide merchants with a disincentive to adopt adequate security measures to protect cardholders' data. Merchants have many reasons, including consumer confidence and potential liability directly to consumers for any breach, to protect cardholders' data.
In addition, because the scope of the duty urged by DFCU covers a number of situations not presented to the Court in this case (e.g., theft of cardholder data by merchants' employees, internet sales by merchants in Maine), the Court finds merit to the argument that the Legislature is better suited to assess the various policy considerations that are relevant to the allocation of responsibility between issuing banks and merchants for losses resulting from a data security breach. See Barber Lines A/S, 764 F.2d at 55. In Maine, although the Legislature has mandated that individuals and business entities that maintain computerized data of personalized information must provide notice to Maine's residents of a security breach that results in the possible misuse of that personalized information, see 10 M.R.S. § 1348 (2011), to date, the Legislature has not imposed a duty upon merchants for the benefit of issuing banks. Cf. Estate of Cilley, 2009 ME 133, ¶ 19, 985 A.2d 481 (rejecting the creation of a new duty of care in a case where the Legislature had declined to adopt criminal sanctions for the same activity).
The Court is also reluctant to recognize a duty of care with potentially unlimited liability for merchants that honor major credit cards, regardless of the size of the merchants' businesses. See Trusiani, 538 A.2d at 261.
For the reasons articulated above, therefore, the Court declines to recognize the duty of care asserted by DFCU.
The Court recognizes that some of the same policy considerations might support extension of the economic loss doctrine to the circumstances of this case. The Court also acknowledges that the issue of duty and the principles of the economic loss doctrine are in many ways intertwined. Accordingly, one could argue that the Court has in essence applied the economic loss doctrine in this case. By focusing on the issue of duty, however, the Court's decision is limited to the facts of this case, is consistent with the Law Court's duty analysis, and does not apply the doctrine to circumstances beyond those discussed by the Law Court in Oceanside at Pine Point Condominium Owners Association v. Peachtree Doors, Inc., 659 A.2d 267 (Me. 1995).
Motion to Report
Because the Court has determined that Hannaford does not owe DFCU a duty of care as alleged, the portion of the motion to report related to DFCU's negligence claim is moot, see Halfway House v. City of Portland, 670 A.2d 1377, 1379-1380 (Me. 1996), and the only issue remaining in Hannaford's motion relates to negligent misrepresentation. M.R. App. P. 24(c) provides that
If the trial court is of the opinion that question of law involved in an interlocutory order or ruling made by it ought to be determined by the Law Court before any further proceedings are taken, it may on motion of the aggrieved party report the case to the Law Court for that purpose and stay all further proceedings except such as necessary to preserve the rights of the parties without making any decision.
A motion to report an interlocutory ruling is also subject to the requirements of a motion to report by agreement: sufficient importance and doubt. See M.R. App. P. 24(a), (b); Toussaint v. Perreault, 388 A.2d 918, 920 (Me. 1978); 3A Harvey, Maine Civil Practice § A24:4 at 194 (3d ed. 2011). Questions involving novel issues of law or upon which there is no statutory guidance may meet the requirements for importance and doubt. See Liberty Ins. Underwriters, Inc. v. Estate of Faulkner, 2008 ME 149, ¶ 7, 957 A.2d 94; Guardianship of LH., 2003 ME 130, ¶ 7, 834 A.2d 922. When there is "no serious dispute on the legal issue" or when an interlocutory ruling "involve[s] only the resolution of a factual dispute between litigants, " however, a motion to report is inappropriate. Toussaint, 388 A.2d at 920. Further, issues that can be resolved utilizing well-established rules of law are equally inappropriate for report. See Depres v. Moyer, 2003 ME 41, ¶ 14, 827 A.2d 61.
Unlike M.R. App. P. 24(a) and (b), a report pursuant to M.R. App. P. 24(c) does not mandate that the answer to the reported question by the Law Court will fully dispose of the action, although whether it will is a relevant consideration. See Meiners v. Aetna Cas. & Sur. Co., 663 A.2d 6, 8 (Me. 1995); 3A Harvey, Maine Civil Practice § A24:4 at 194. Other considerations include whether "the question raised on report is an issue that might not have to be decided at all because of other possible dispositions, " see State v. DiPeitro, 2009 ME 12, ¶ 11, 964 A.2d 636, and whether the factual record is adequately developed such that the Law Court can make a decision on the report, see 3A Harvey, Maine Civil Practice § A24:4 at 193. Finally, the court must be convinced that the interests of justice and particularly the just, speedy and inexpensive determination of the action will be served by the interlocutory determination. See M.R. Civ. P. 1; Meiners, 663 A.2d at 7 (noting the parties argued the interlocutory report would save the expense of fully litigating the matter).
The tort of negligent misrepresentation, as adopted by the Law Court, is as follows:
One who, in the course of his business, profession or employment, or in any other transaction in which he has a pecuniary interest, supplies false information for the guidance of others in their business transactions, is subject to liability for pecuniary loss caused to them by their justifiable reliance upon the information, if he fails to exercise reasonable care or competence in obtaining or communicating the information.Restatement (Second) OF Torts § 552(1) (1977); accord Chapman v. Rideout, 568 A.2d 829, 830 (Me. 1990) (adopting section 552(1) of the RESTATEMENT (SECOND) OFTORTS). The Court denied summary judgment to Hannaford on DFCU's negligent misrepresentation claim because the record presented issues of material fact on the "exact nature an extent of any representations made to DFCU" and "regarding DFCU's reliance on any representations made by Hannaford and whether that reliance was reasonable." (Order 12.) The relationship between Hannaford and DFCU may be novel in negligent misrepresentation claims, but the legal principles are well established. In addition, the issues of material fact that precluded summary judgment on this claim weigh against reporting because in the Court's view the factual record is not adequately developed. The Court is confident that when presented with a factually developed record, the Court and/or a jury will be able to apply the facts to the established principles of negligent misrepresentation.
Conclusion
Based on the foregoing analysis, the Court orders as follows:
1. The Court denies Hannaford's motion to report.
2. The Court enters judgment on Count I of Plaintiff Digital Federal Credit Union's Complaint in favor of Hannaford.
Pursuant to M.R. Civ. P. 79(a), the Clerk shall incorporate this Decision and Order into the docket by reference.