Summary
holding that reimbursed charges cannot sustain an injury in tort or contract
Summary of this case from In re SuperValu, Inc.Opinion
MDL Docket No. 2:08-MD-1954.
May 12, 2009.
Peter L. Murray, Esq., Murray, Plumb Murray, Lewis J. Saul, Lewis Saul Associates, Portland, ME, for Plaintiffs.
Clifford Ruprecht, John K. Hatch, Gavin G. McCarthy, Pierce Atwood LLP, Portland, ME, Cynthia L. May, Peter W. Zinobel', Greenberg Traurig LLP, Tampa, FL, Michael A. Oakes, Richard L. Wyatt, Jr., Akin Gump Strauss Hauer Feld LLP, Washington, DC, for Defendants.
DECISION AND ORDER ON DEFENDANT HANNAFORD BROS. CO.'S MOTION TO DISMISS
A customer uses a credit card or debit card to buy groceries. A third party steals the electronic payment data from the grocer. Can the customer then recover from the grocer any loss resulting from the third-party data theft? That is the question this case poses.
The consumer plaintiffs see electronic payment systems as a technological development that, in addition to convenience, has created great risk of fraud to consumers, "increas[ing] exponentially the risk that consumers will be victimized by fraudulent misuse of their account access information." According to them, "the financial chaos and disruption of personal affairs that will churn in the wake of a massive theft of confidential credit and debit card access information is readily foreseeable, indeed, almost inevitable." The plaintiffs say that "[t]he law must step in to protect persons impacted by the actions of others over whom they have no effective control. This is certainly the case with credit card customers versus merchants and financial institutions."
Pls.' Opp'n to Def.'s Mot. to Dismiss with Incorporated Mem. at 3, 42, 44 (Docket Item 63).
The defendant grocer, Hannaford Bros. Co. ("Hannaford"), on the other hand, sees a well-functioning financial payment system that depends upon complex contractual relationships among the participants. These participants are consumers, merchants, organizations that create the card brands, banks that issue the cards to the consumers, and banks that accept the card transactions presented to them by the merchants. Hannaford points to consumer protections that law and contract already provide, and lists "numerous reasons why the institutional competencies of the judiciary are not well-suited to supplementing the protection given by legislation and private rule." Hannaford urges that "courts should not step in" and "may work mischief for all by altering the balance of interests set by agreement." Hannaford believes that any consumer recourse should lie only against the banks that issue the cards and post the transactions to the consumers' accounts, not against merchants like Hannaford.
Def.'s Mot. to Dismiss with Incorporated Mem. at 2-3 (Docket Item 46).
For example, Hannaford refers to the Electronic Fund Transfer Act, which limits a consumer's liability for fraudulent debit card transactions to no more than $50 (or, if the consumer fails to notify his bank "within two business days after the consumer learns of the loss or theft," no more than $500). 15 U.S.C § 1693g(a). (A similar $50 limit applies to fraudulent credit card transactions. Id. § 1643.) Hannaford also refers to protection afforded by private rules contractually provided to customers of credit card associations ( e.g., Visa, MasterCard, Discover). Def.'s Mot. to Dismiss with Incorporated Mem. at 4. The plaintiffs argue that I may not consider the private rules and contracts on a motion to dismiss, because they "do not qualify as 'legislative facts' or otherwise meet the standard for being subject to judicial notice." Pls.' Opp'n to Def.'s Mot. to Dismiss at 7. I do not resolve that evidentiary dispute, because I conclude that these "facts" are unnecessary to my analysis.
Def.'s Mot. to Dismiss with Incorporated Mem. at 43.
Id. at 41-42.
Id. at 42.
For those wanting a definitive answer to this question of who should bear the risk of data theft in electronic payment systems, my ruling will be unsatisfactory. In this case, the answer depends wholly on state law, and the state law is still undeveloped. My role as a federal judge is simply to apply state law, not extend it, retract it, or modify it through broad strokes so as to accommodate the complex financial arrangements and risks that the parties portray.
See Douglas v. York County, 433 F.3d 143, 149 (1st Cir. 2005) ("It is not our role to expand [state] law; that is left to the courts of [the state]."); Insolia v. Philip Morris, Inc., 216 F.3d 596, 607 (7th Cir. 2000) ("Federal courts are loathe to fiddle around with state law. Though district courts may try to determine how the state courts would rule on an unclear area of state law, district courts are encouraged to dismiss actions based on novel state law claims.").
My answer to the liability question between customer and grocer is this: Under Maine law as I understand it, when a merchant is negligent in handling a customer's electronic payment data and that negligence causes an unreimbursed fraudulent charge or debit against a customer's account, the merchant is liable for that loss. In the circumstances of this case, there may also be liability under Maine's Unfair Trade Practices Act ("UTPA") for an unfair or deceptive trade practice. But if the merchant is not negligent, or if the negligence does not produce that completed direct financial loss and instead causes only collateral consequences — for example, the customer's fear that a fraudulent transaction might happen in the future, the consumer's expenditure of time and effort to protect the account, lost opportunities to earn reward points, or incidental expenses that the customer suffers in restoring the integrity of the previous account relationships — then the merchant is not liable.
5 M.R.S.A. § 205-A, et seq.
Such a claim is significant primarily because the Act allows a successful plaintiff to recover attorney fees from the defendant.Id. § 213(2).
I rule here on Hannaford's motion to dismiss the plaintiffs' consolidated complaint for failure to state a claim upon which relief may be granted. Fed.R.Civ.P. 12(b)(6). I heard oral argument April 1, 2009. For purposes of the motion, I must assume that all that the plaintiffs say in their consolidated complaint is true, because Hannaford's contention is that even if it all is true, the plaintiffs are entitled to no relief from or against Hannaford. Hannaford's motion is GRANTED IN PART AND DENIED IN PART.
Fitzgerald v. Barnstable Sch. Comm., 129 S. Ct. 788, 792 (2009).
FACTS
The plaintiffs have been customers at Hannaford, at Sweetbay supermarkets in Florida owned by Hannaford, and at independent stores where Hannaford provides electronic payment processing services. "[I]n the course of making purchases at these stores, . . . [they] made use of debit cards and credit cards issued by financial institutions to access their bank accounts or create credit relationships." They say that Hannaford "provided electronic payment services," but failed "to maintain the security of private and confidential financial and personal information of . . . credit and debit card customers" at supermarkets in Maine, Vermont, New Hampshire, New York, Massachusetts, and Florida.The plaintiffs say that, beginning December 7, 2007, third-party "wrongdoers obtained access to [Hannaford's] information technology systems and, until containment of this security breach on or about March 10, 2008, stole private and confidential debit card and credit card information, including up to an estimated 4.2 million debit card and credit card numbers, expiration dates, security codes, PIN numbers and other information belonging to [the] [p]laintiffs and other customers . . . who had used debit cards and credit cards to transact purchases at supermarkets owned or operated by [Hannaford]." The plaintiffs do not claim that wrongdoers acquired customer names from Hannaford. They say that credit card association Visa, Inc. notified Hannaford on February 27, 2008, that Hannaford's information technology system had been breached, and that Hannaford discovered the means of access on March 8, 2008, contained it and notified certain financial institutions on March 10, 2008, but made no public disclosure until March 17, 2008, and even then, made an inadequate disclosure.
Id. ¶ 5.
See id. ¶¶ 30-31.
Id. ¶ 25.
Id. ¶ 26.
Id. ¶ 27.
Id. ¶ 28.
Id. ¶ 31.
"As a result of this breach of security," the plaintiffs claim that they incurred the following damages: (i) customers' "debit cards and credit cards were exposed and subjected to unauthorized charges;" (ii) their "bank accounts were overdrawn and credit limits exceeded;" (iii) they "were deprived of the use of their cards and access to their funds;" (iv) they "lost accumulated miles and points toward bonus awards and were unable to earn points during the interval their cards were inactivated;" (v) those customers "who requested their cards be cancelled were required to pay fees to issuing banks for replacement cards;" (vi) those customers "who had registered their cards with online sellers were required to cancel and change their registered numbers;" (vii) their "preauthorized charge relationships were disrupted;" (viii) they "expend[ed] time, energy and expense to address and resolve these financial disruptions and mitigate the consequences;" (ix) they "suffered emotional distress;" (x) their "credit and debit card information is at an increased risk of theft and unauthorized use;" and (xi) some customers "purchased identity theft insurance and credit monitoring services to protect themselves against possible consequences."
Id. ¶¶ 6, 34.
The plaintiffs have sued Hannaford for damages for those losses and for injunctive relief. In addition to damages, they want me to order Hannaford to provide credit monitoring to all affected customers and notify each of them "exactly what private and confidential financial and personal information of each Class member was exposed to theft and was, in fact, stolen."
Id. Prayer for Relief.
ANALYSIS
(1) Jurisdiction
The plaintiffs want to bring this lawsuit as a class action. They assert federal jurisdiction under the Class Action Fairness Act of 2005 ("CAFA"), 28 U.S.C. § 1332(d). To satisfy that statute, they allege that at least one plaintiff has citizenship different from the defendant Hannaford, that there are more than 100 class members, and that the amount in controversy exceeds $5 million. Hannaford has not contested federal jurisdiction.(2) Choice of Law
As a result of a Multi-District Litigation Judicial Panel Transfer Order, this lawsuit consists of cases from Florida, Maine, New Hampshire, Massachusetts, New York and Vermont. It is an interesting question which state's or states' laws should apply to grocery transactions occurring in these six different states. (No party contends that federal law governs.) According to the Consolidated Complaint, Hannaford is incorporated and headquartered in Maine. It provided the electronic payment processing services for all the transactions — those at its own named stores throughout Maine, New Hampshire, Massachusetts, New York and Vermont, those in Florida at its sister corporation Kash 'N Karry (Sweetbay)'s stores, and those at certain independently owned stores in various states. Upon reading the parties' legal memoranda, I had expected that I might have to differentiate among state laws according to where the transaction in question occurred; state laws vary significantly on some of the issues I discuss in this opinion. Moreover, both sides went to great lengths to reconcile various lower court decisions from a number of states. But at oral argument the parties agreed that Maine law alone should control the outcome of the defendant's 12(b)(6) motion. I therefore make my ruling based solely upon Maine law.
See Transfer Order (Docket Item 1).
Consolidated Compl. ¶ 10.
Id. ¶¶ 13-14. Both Hannaford and Kash 'N Karry are wholly-owned subsidiaries of Delhaize America, Inc., a Delaware corporation with its principal place of business in North Carolina. Id. ¶ 12. Kash 'N Karry is a Delaware corporation that does business under the name "Sweetbay." Id. ¶ 11.
For example, Hannaford says that collectively these out-of-state cases show that only identity theft, not data theft, results in recovery, Def.'s Mot. to Dismiss at 9, and that there is not "a single reported case that has recognized [the remedy the plaintiffs seek]," id. at 1. The plaintiffs, on the other hand, say that consumers survived motions to dismiss " in every single case" where "stolen account and personal information actually was misused." Pls.' Opp'n to Def.'s Mot. to Dismiss at 2, 13 (emphasis in original). The cases that the parties cite are almost all lower court cases, they deal with other states' laws, and their scope is uncertain. The law is in flux for this recent technology, and these out-of-state cases do not control my decision and ultimately are only modestly helpful.
Mot. to Dismiss Oral Arg. Tr. 13:15-19, 43:2-14, Apr. 1, 2009 (Docket Item 76). Counsel for the plaintiffs cautioned that Maine's Unfair Trade Practices Act ("UTPA") may have territorial limits such that it might not apply outside of Maine. Id. 43:15-44:9. However, the plaintiffs have not sought recovery under any other state's statute. Id. 44:9.
(3) The Plaintiffs' Claims in the Consolidated Complaint
In their quest to make Hannaford pay them money and provide credit monitoring and specific disclosure of what was stolen, the plaintiffs have asserted seven different bases under Maine law: I. Breach of implied contract; II. Breach of implied warranty; III. Breach of duty of a confidential relationship; IV. Failure to advise customers of the theft of their data; V. Strict liability; VI. Negligence; and VII. a violation of the Maine Unfair Trade Practices Act, 5 M.R.S.A. § 205-A, et seq. I consider each claim separately, using Maine Law Court precedents and Maine statutory language where available. (A) Count I. Breach of Implied Contract
Both sides agree that at the point of sale — the cash register — there is a contract for the sale of groceries. The consumer buys the groceries and, in exchange, pays the merchant for them. That is a contract for the sale of goods under Article 2 of Maine's Uniform Commercial Code, 11 M.R.S.A. § 2-101, et seq. But the parties disagree over what that contract says about the terms of the payment relationship when the consumer swipes a card through the merchant's card-reading terminal instead of tendering cash. The plaintiffs assert that the merchant and consumer implicitly agree at the point of sale that the merchant will guaranty the consumer's electronic data against all intrusion. Hannaford argues that there is no such agreement. I accept neither argument in its entirety.
See Def.'s Mot. to Dismiss at 24, 30; Consolidated Compl. ¶ 19.
Consolidated Compl. ¶¶ 4, 68-71.
Mot. to Dismiss Oral Arg. Tr. 25:9-29:25.
In this claim, the plaintiffs do not allege that there is any explicit agreement between consumer and merchant about Hannaford's electronic payment processing system, a position that seems consistent with cashier and customer behavior in grocery checkout lines. But Maine law is clear that a contract can have unarticulated implied terms:
This is in contrast to the plaintiffs' claim under Maine's UTPA. See Consolidated Compl. ¶ 105 (stating that Hannaford "represented expressly and by implication" that electronically accessed information would be kept secure and not exposed to theft). Even then, as I conclude in note 111, the plaintiffs have alleged no specific express Hannaford statements.
[A] contract includes not only the promises set forth in express words, but, in addition, all such implied provisions as are indispensable to effectuate the intention of the parties and as arise from the language of the contract and the circumstances under which it was made.
Seashore Performing Arts Ctr., Inc. v. Town of Old Orchard Beach, 676 A.2d 482, 484 (1996) (quoting Top of the Track Assocs. v. Lewiston Raceways, Inc., 654 A.2d 1293, 1295 (Me. 1995)).
Whether a contract includes an implied term is a question of fact for the jury under Maine law. But for a jury to be able to find such a provision, it "must be absolutely necessary to effectuate the contract," and "indispensable to effectuate the intention of the parties." I apply those Maine legal principles to the facts that the consumer plaintiffs allege here.
See Seashore Performing Arts Ctr., 676 A.2d at 484; Top of the Track Assocs., 654 A.2d at 1296.
Seashore Performing Arts Ctr., 676 A.2d at 485.
Id. at 484.
A grocery sale contemplates that the consumer will give the grocer payment. That is part of the contract for the grocery transaction. For payment, a grocer may accept currency, coupons, checks, credit cards or debit cards. If the consumer presents a check, Article 3 of Maine's Uniform Commercial Code (Negotiable Instruments) imposes various obligations and expectations as a matter of law. If the consumer tenders cash or coupons, a jury could reasonably find that the merchant is entitled to expect the currency or coupons to be authentic, not counterfeit, as an implied term of the contract of sale, "absolutely necessary" to its effectuation.
"The obligation of the seller is to transfer and deliver and that of the buyer is to accept and pay in accordance with the contract." 11 M.R.S.A. § 2-301. "The price can be made payable in money or otherwise." Id. § 2-304(1). "Tender of payment is sufficient when made by any means or in any manner current in the ordinary course of business. . . ." Id. § 2-511(2).
Even food stamps have been replaced by Electronic Benefit Transfer ("EBT") cards. 7 U.S.C. § 2016(h).
11 M.R.S.A. § 3-1101 et seq.
The language of Seashore Performing Arts Center, 676 A.2d at 485.
If a consumer tenders a credit or debit card as payment, I conclude that a jury could find certain other implied terms in the grocery purchase contract: for example, that the merchant will not use the card data for other people's purchases, will not sell or give the data to others (except in completing the payment process), and will take reasonable measures to protect the information (which might include meeting industry standards), on the basis that these are implied commitments that are "absolutely necessary to effectuate the contract," and "indispensable to effectuate the intention of the parties." A jury could reasonably find that customers would not tender cards to merchants who undertook zero obligation to protect customers' electronic data. But in today's known world of sophisticated hackers, data theft, software glitches, and computer viruses, a jury could not reasonably find an implied merchant commitment against every intrusion under any circumstances whatsoever (consider, for example, an armed robber confronting the merchant's computer systems personnel at gunpoint). Thus, I conclude that a jury could not reasonably find that an unqualified guaranty of confidentiality by the merchant is "absolutely essential" to the contract for a sale of groceries (there is no reason to believe that consumers would cease using their cards in the absence of a 100% guaranty of data safety). I reach the same conclusion for the plaintiffs' other proposed implied contractual term, that Hannaford implicitly agreed "to notify them that the confidentiality of such information was compromised." Consumers might like to know that, but there is no basis for a jury to conclude that such a notification term is "indispensable to effectuate" their intentions, "absolutely necessary to effectuate the contract."
Id. at 484-85.
See Consolidated Compl. ¶ 68.
See Seashore Performing Arts Ctr., 676 A.2d at 484-85.
In short, I conclude that in a grocery transaction where a customer uses a debit or credit card, a jury could find that there is an implied contractual term that Hannaford will use reasonable care in its custody of the consumers' card data, the same level of care as the negligence tort standard I discuss later. (B) Count II. Breach of Implied Warranty
The plaintiffs contend that in accepting a credit card or debit card, Hannaford also warranted that its electronic payment processing system "was fit for its intended purpose, namely the safe and secure processing of credit and debit card payment transactions." They also allege that the system was in fact not fit, because it "allowed wrongdoers to steal customers' confidential personal and financial data," and that Hannaford therefore breached that implied warranty of fitness.
Consolidated Compl. ¶ 74.
Id. ¶ 75. Paragraph 24 of the Consolidated Complaint states that Hannaford's "technology system had multiple security shortfalls, including, but not limited to: i. lack of proper monitoring solutions; ii. failure to encrypt internal network traffic flowing between store and processor; iii. point-of-sales systems that were open to attack; iv. insecure wireless connections; and/or v. remote access deficiencies." Id. ¶ 24.
The Uniform Commercial Code, as adopted in Maine, provides:
Where the seller at the time of contracting has reason to know any particular purpose for which the goods are required and that the buyer is relying on the seller's skill or judgment to select or furnish suitable goods, there is . . . an implied warranty that the goods shall be fit for such purposes.
11 M.R.S.A. § 2-315.
That is what is known as an implied warranty of fitness for a particular purpose, and the plaintiffs refer to that warranty in their legal memorandum. But this UCC implied warranty cannot help these consumer plaintiffs because it applies to the goods sold, here, the groceries. The term "goods" does not include the payment mechanism.
Pls.' Opp'n to Def.'s Mot. to Dismiss at 22.
See 11 M.R.S.A. § 2-102 (Maine UCC "applies to transactions in goods").
"Goods" is a term defined as meaning "all things (including specially manufactured goods) which are movable at the time of identification to the contract for sale other than the money in which the price is to be paid." Id. § 2-105(1) (emphasis added). In the comments to this definition, the drafters make clear that "[g]oods is intended to cover the sale of money when money is being treated as a commodity but not to include it when money is the medium of payment." Id. § 2-105 cmt. 1 (emphasis added).
Moreover, the implied warranty that the consumer plaintiffs ask me to recognize in this case does not otherwise fit the warranty of fitness for a particular purpose. The UCC defines that warranty as involving transactions where the buyer has a "particular" purpose for the goods ( i.e., not the same purpose as all purchasers), and the seller has reason to be aware of that particular purpose and of the purchaser's reliance on the seller to select suitable goods accordingly. The Law Court says that to prevail on a claim for breach of the implied warranty of fitness for a particular purpose, the plaintiff must show that a "purchaser ha[s] a particular purpose outside the scope of ordinary purposes" of the goods. These consumer plaintiffs do not meet that standard. They are no different in their use of Hannaford's electronic payment system than all other grocery purchasers. They have no "particular" purpose. The plaintiffs concede as much, and argue instead that the statute provides an "analogue" on which a Maine court should draw in crafting a common law implied warranty to fit their situation. Hannaford asserts that no such common law warranty is available in this case.
Id. § 2-315.
Lorfano v. Dura Stone Steps, Inc., 569 A.2d 195, 197 (Me. 1990) (emphasis in original).
Pls.' Opp'n to Def.'s Mot. to Dismiss at 23 (citing the Maine UCC's "express warranties" provision).
According to the plaintiffs, under Maine's common law, "[i]mplied warranties of fitness for a particular purpose arise not only in connection with the sale of tangible personal property, but also in connection with arrangements for the use of personal property provided by one party for the mutual benefit of owner and user." They cite a 1927 pre-UCC Maine case, where one company rented to another company a "heater plant" so that the second company could use the heater plant in the process of laying hot asphalt. The Law Court said:
Id. at 22.
It is a general rule, which seems to be well established by the authorities, that, where a bailment for mutual benefit of a bailor and a bailee is one of hire, there is imposed on the bailor, in the absence of special contract or representation, an obligation that the thing or property hired for use shall be reasonably fit for the use or capable of the use known to be intended, that is, that it shall possess the quality usually belonging to things of that kind when used for the same purpose.
Gaffey v. Forgione Romano Co., 137 A. 218, 219 (Me. 1927).
That case, Gaffey v. Forgione Romano Co., was not a sale-of-goods case, but a "bailment" case, where the equipment was rented and taken away by the user. The general warranty of fitness (it was not fitness for a "particular" purpose) announced in Gaffey was based on the fact that the transaction was for mutual benefit and involved compensation ("one of hire"). Here, the overall grocery transaction is one of mutual benefit, involving compensation; retailers provide electronic payment mechanisms because, in the quest to encourage sales, it is to their advantage to make it easy for consumers to pay. But the customers do not pay extra for using plastic and electronic processing rather than cash.
The plaintiffs also cite a horse-leasing case, Leach v. French, 69 Me. 389 (1879), which said: "one who lets a horse impliedly undertakes that the animal shall be capable of performing the journey for which he is let." Id. Here, the electronic system did process the customers' payments.
One cannot tell from the Law Court's announced "general rule" in Gaffey whether it meant to limit that warranty of fitness to circumstances where the customer pays separately for use of the equipment and takes the equipment away (as in the conventional bailment that Gaffey described), or to extend it as well to customers using the equipment on the premises with or without a separate fee (compare the electronic payment processing here with use of equipment at a tanning salon or spa, or use of an ATM on or off premises). The parties have presented no further statement from the Law Court on this topic during the 80+ years since Gaffey. But in the analogous area of strict liability, it is clear that the general common law as it has developed in other jurisdictions would not apply to circumstances like these:
The Law Court in Gaffey also recognized exceptions to this implied warranty, including cases where the user/bailee "has seen or has had the opportunity of inspecting" the equipment. Gaffey, 137 A. at 219; accord Briggs v. Hunton, 32 A. 794, 795 (Me. 1895) (lease of a stallion's services for breeding carries no implied warranty where customer chooses stallion). On that basis, the company that used the heater plant in Gaffey actually lost its implied warranty claim. 137 A. at 219. I am doubtful that the Law Court would extend this exception to consumers (or that a customer gets to "inspect" the electronic payment system), but the parties have given me no cases pointing in either direction.
There is often very little (if any) difference between strict liability and implied warranty once we leave the UCC sale of goods provisions. See, e.g., Restatement (Third) of Torts: Products Liability § 2 cmt. n Reporters' Note to cmt. n (1998);see also Levondosky v. Marina Assocs., 731 F. Supp. 1210, 1212 (D.N.J. 1990) ("New Jersey has recognized that, as between an implied warranty theory and a strict liability theory, '[t]he governing principles are identic[al].'").
When products are made available as a convenience to customers who are on the defendant's premises primarily for different, although related purposes, and no separate charge is made, strict liability is not imposed. Thus, bowling alleys that supply bowling balls for customer use and markets that supply shopping carts are not subject to strict products liability for harm caused by defects in those items.
Restatement (Third) of Torts: Products Liability § 20 cmt. f.
Under these circumstances, I conclude that the Maine Law Court is unlikely to extend Maine law to apply an implied warranty of fitness to a grocer's electronic payment processing systems.
(C) Count III. Breach of Duty of a Confidential Relationship
The plaintiffs say that a customer and a merchant enter into a confidential relationship whenever a customer uses a credit card or debit card as payment. They maintain that this confidential relationship imposes extra, fiduciary-like obligations on the merchant, which require both a guaranty that the card data will remain sacrosanct, and full disclosure to customers of the nature of any security breach as soon as the merchant learns of the breach. Hannaford disagrees, saying that grocery sales with electronic debit or credit card payments are nothing but ordinary arm's length commercial transactions, with no special duties of care.
Consolidated Compl. ¶ 4.
Id. ¶¶ 78-83
Def.'s Mot. to Dismiss at 31.
Maine cases do recognize that "fiduciary or confidential relations 'are deemed to arise whenever two persons have come into such a relation that confidence is necessarily reposed by one and the influence which naturally grows out of that confidence is possessed by the other.'" In some circumstances, Maine law "would impose fiduciary duties upon the 'superior' party" arising out of such a relationship. To state such a claim, a plaintiff must (1) "allege 'the actual placing of trust and confidence'" in the other, and (2) "show that there is some disparity in the bargaining positions of the parties and [3] that the dominant party has abused its position of trust." Here, the plaintiffs allege that they placed "trust and confidence" in Hannaford in using their cards to pay for groceries, the first element, and that Hannaford "had the benefit of a disparity of position and control," the second element. For the third element, they seem to focus on what Hannaford did after learning of the intrusion: "Defendant abused its superior position in order to, among other things, avoid adverse effects to its business, maintain positive public relations, and retain Plaintiffs and Class members and other customers and entice them to continue shopping and making debit card and credit card transactions in its stores."
Leighton v. Fleet Bank of Me., 634 A.2d 453, 458 (Me. 1993);see also Ruebsamen v. Maddocks, 340 A.2d 31, 34-35 (Me. 1975);Wood v. White, 122 A. 177, 179 (Me. 1923).
Diversified Foods, Inc. v. First Nat'l Bank of Boston, 605 A.2d 609, 614-15 (Me. 1992).
Leighton, 634 A.2d at 457-58 (citing Ruebsamen, 340 A.2d at 34-35).
Consolidated Compl. ¶ 78.
Id. ¶ 79.
Id. ¶ 83.
I am doubtful, first, that the "trust and confidence" that the plaintiffs allege here is the type of trust and confidence contemplated by the Maine cases. Those cases deal with family relationships, joint ventures or partnerships, and lender/borrower relations where one party has taken advantage of another for purposes of acquiring or using the other's property or assets. There is no such relationship here.
See, e.g., Diversified Foods, Inc., 605 A.2d 609 (borrowers may state claim of relief where lender-bank takes almost complete control over bankrupt-debtor's business); Ruebsamen, 340 A.2d 31 (father and daughter may state claim against daughter's ex-husband); Wood, 122 A. 177 (parties to a joint business venture were in "confidential relation" in ownership of land).
I am also doubtful that the allegations about the third element, abuse of trust, meet the Maine standards, for in the Maine cases the superior party was generally obtaining the subordinate party's property unfairly, to keep for itself. There is no suggestion here that Hannaford failed to provide a fair exchange in groceries for the customers' payments.
The Maine cases typically involve disputes over property, which arise out of family relationships, joint ventures or partnerships, and lender/borrower relations that finance assets.See, e.g., Diversified Foods, Inc., 605 A.2d 609 (describing lender/borrower relations); Ruebsamen, 340 A.2d 31 (family relationship); Wood, 122 A. 177 (joint business venture). The "subordinate" party argues that the "dominant" party used undue influence and abused the trust of the subordinate party to take something from the subordinate party, acquiring rights in property "antagonistic to the person with whose interests he has become associated." Wood, 122 A. at 179; see also Diversified Foods, Inc., 605 A.2d at 615 (a bank/borrower case also discussing partnership and joint venture cases and saying, with respect to cases from other jurisdictions, that "the holdings in those cases were limited to factual situations in which the banks took almost complete control over the business [of the borrowers]"). In the Maine cases, usually the subordinate party is attempting to impose a constructive trust upon the property in question, not seeking damages. See, e.g., Ruebsamen, 340 A.2d at 37; Wood, 122 A. at 178 ("[F]raud or abuse of a confidential relation gives rise to a constructive trust"). A constructive trust simply recovers the lost property. Here, the plaintiffs are not seeking return of their property.
In any event, the plaintiffs cannot show that a grocery purchase relationship is characterized by a "disparity in the bargaining position of the parties" within the meaning of the Maine cases' second element. Hannaford does not have a monopoly on the sale of groceries and does not require the use of credit or debit cards; the customer is free to use cash to complete the transaction, or to shop at other grocers. And there is nothing about these particular consumer plaintiffs that distinguishes them from the mass of consumers who buy groceries and use plastic to do so. I see nothing in Maine law that suggests that an entire class, such as all people who use plastic to buy groceries, can fit this confidential relationship category, as distinguished from individuals who present particular fact patterns of a special relationship. In the merchant/consumer relationship of bank/borrower, for example, the Law Court ruled that a bank/borrower relationship did not qualify as a confidential relationship unless a party could "demonstrate 'diminished emotional or physical capacity or . . . the letting down of all guards and bars,'" simply not the case here. I conclude that the plaintiffs' allegations do not establish a confidential relationship under Maine law.
See Leighton, 634 A.2d at 457-58.
Ruebsamen requires that the "influence" the dominant party possesses "naturally grows out of [the] confidence" the subordinate party places in the other. 340 A.2d at 35. That is not an apt description of the consumer-merchant relationship.
See Bryan R. v. Watchtower Bible Tract Soc. of N.Y., Inc., 738 A.2d 839, 847 (Me. 1999), cert. denied 528 U.S. 1189 (2000) (complaint inadequate where it did not allege aspects of the church/member relationship "that were distinct from those of its relationships with any other members, adult or child, of the church").
E.g., Ruebsamen, 340 A.2d 31; Wood, 122 A. 177.
Stewart v. Machias Savings Bank, 762 A.2d 44, 46 (Me. 2000).Stewart distinguished an earlier bank/borrower case, Morris v. Resolution Trust Corp., 622 A.2d 708 (Me. 1993), because in the earlier case the particular bank loan officer was in a superior position due to his extensive prior experience with the problematic building contractor and his awareness of the contractor's financial state. Stewart, 762 A.2d at 47 n. 2. An earlier First Circuit case also required "a relationship going beyond the ordinary bank/customer situation." Reid v. Key Bank of S. Me., Inc., 821 F.2d 9, 17 (1st Cir. 1987) (applying Maine law).
I recognize that New York law seems to provide broader relief on a claim like this than does Maine law. See Caudle v. Towers, Perrin, Forster Crosby, Inc., 580 F. Supp. 2d 273, 280-83 (S.D.N.Y. 2008) (recognizing a New York cause of action for breach of fiduciary duty but denying the plaintiff's claim seeking recovery of the costs of credit monitoring and identity theft insurance, because the plaintiff lacked a basis for a serious concern over misuse of his personal information); Jones v. Commerce Bancorp, Inc., 2006 WL 1409492, at *3 (S.D.N.Y. May 23, 2006) (recognizing a breach of fiduciary duty claim and stating that the "plaintiff was entitled to rely on [the defendant]'s superior expertise to safeguard her personal confidential information"); Daly v. Metro. Life Ins. Co., 782 N.Y.S.2d 530, 535 (N.Y.Sup.Ct. 2004) (stating that a confidential relationship claim, while "never before be[ing] applied to issues surrounding the protection of confidential personal information, perhaps in the absence of appropriate legislative action, . . . should").
(D) Count IV. Breach of a Duty to Advise Customers of the Theft of their Data
The plaintiffs present no Maine cases to show that Maine common law recognizes this claim — breach of a duty to advise customers of the theft of their data once it occurred — as a stand-alone claim. In response to my questions at oral argument, their lawyer argued that this is a claim of negligent misrepresentation by omission: that after learning of the data theft, Hannaford's failure to warn consumers thereafter was, in effect, a misrepresentation that the Hannaford data payment system was operating in a secure fashion. Although it is not clear from Count IV's allegations, the plaintiffs may be relying on their confidential relationship assertion here. The Maine cases do impose a duty to disclose when there is a confidential relationship between the parties. But I have already concluded that the plaintiffs cannot support their confidential relationship assertion. Without that special relationship, there is no Maine claim for failure to disclose, unless there is an active concealment of the truth, not the case here. In the absence of a confidential relationship, therefore, this claim cannot proceed.
Mot. to Dismiss Oral Arg. Tr. 44:14-46:2.
E.g., Glynn v. Atl. Seaboard Corp., 728 A.2d 117 (Me. 1999) ("omission by silence"); Barnes v. Zappia, 658 A.2d 1086, 1089 (Me. 1995) (either affirmative misrepresentation or a confidential or fiduciary relationship in the case of silence); Jack H. Simmons, et al., Maine Tort Law §§ 11.03, 11.04 (2004).
Brae Asset Fund, L.P. v. Adam, 661 A.2d 1137 (Me. 1995);Stevens v. Bouchard, 532 A.2d 1028, 1030 (Me. 1987).
Kezer v. Mark Stimson Assocs., 742 A.2d 898, 905 (Me. 1999);Harkness v. Fitzgerald, 701 A.2d 370, 372 (Me. 1997); Fitzgerald v. Gamester, 658 A.2d 1065, 1069 (Me. 1995); Tobin v. Casco N. Bank, N.A., 663 A.2d 1, 2 (Me. 1995); H.E.P. Dev. Group, Inc. v. Nelson, 606 A.2d 774, 775 (Me. 1992).
Neither party cited Brown v. Crown Equipment Corp., 960 A.2d 1188 (Me. 2008). There, the Law Court recognized a manufacturer's "post-sale duty to warn" and recognized a cause of action for negligence against a manufacturer for failing to disclose defects in its product, defects that it learned about only after it had sold the product (there a forklift whose operator was killed while using it). In the absence of argument, I make no decision on whether that case has any bearing on the claims asserted here.
Moreover, Maine has a statute, the "Notice of Risk to Personal Data Act," which details the scope of merchants' obligations to notify customers of data theft. They must do so "as expediently as possible and without unreasonable delay," but there are qualifications: "consistent with the legitimate needs of law enforcement . . . or with measures necessary to determine the scope of the security breach and restore the reasonable integrity, security and confidentiality of the data in the system." The plaintiffs have not claimed that Hannaford breached this statute (and the statute does not recognize any private recovery for its breach). Although the statute does not "affect or prevent" other remedies that may be available under state or federal law, its detailed standards certainly give me reason to be wary of creating any new state standards where the Maine Law Court has not already clearly provided a remedy.
10 M.R.S.A. § 1348(1).
Id. § 1349(1) (allowing only the Department of Professional Financial Regulation and Attorney General to enforce it).
Id. § 1349(3).
(E) Count V. Strict Liability
The consumer plaintiffs argue that Hannaford should be held "strictly liable for the loss and damage [they] suffered," because "[i]ncreasing reliance on electronic means of payment and other recording of personal identity and financial data has left consumers increasingly susceptible to personal data and identity theft, the adverse consequences of which also are of increasing severity." The plaintiffs assert that "[s]afeguarding private and confidential data of [consumers] . . . is solely within the control of [Hannaford] . . ., who [is] best able to distribute the cost of maintaining the security of that data and the consequences of the breach of such security," and that this public policy argument favors judicial imposition of strict liability on Hannaford. Hannaford disagrees and warns against judicial intervention of this sort.
Consolidated Compl. ¶ 98.
Id. ¶ 94.
Id. ¶ 95.
See Pls.' Opp'n to Def.'s Mot. to Dismiss at 32-33.
Def.'s Mot. to Dismiss at 42-45.
The history of strict liability — liability imposed on a defendant despite its exercise of all reasonable care — can be traced to Fletcher v. Rylands, 1 L.R.-Ex. 265 (Ex. Ch. 1866), a nineteenth century English case that dispensed with proof of negligence as a prerequisite to liability for "non-natural" or potentially "mischievous" activities. In Maine, the Legislature has enacted a statute that imposes strict liability for the sale of defective goods. But apart from the statute, the Law Court traditionally has limited the scope of the Fletcher principle, suggesting that common law strict liability applies, if at all, only to extra-hazardous activities. The Restatement (Second) of Torts endorses the imposition of strict liability for "abnormally dangerous" activities, where there is "high degree of risk" of "great" harm that cannot be eliminated "by the exercise of reasonable care." Common law also enforces strict liability for injuries caused by wild animals or by domestic animals with known abnormally dangerous tendencies.
Simmons et al., supra note 76, § 14.05.
14 M.R.S.A. § 221 (creating strict liability with respect to goods sold in "defective condition unreasonably dangerous to the user" (applying Restatement (Second) of Torts § 402A)). As I previously noted, the groceries here were not defective. And the electronic payment system does not come within the strictures of the statute. See 14 M.R.S.A. § 221; Restatement (Third) of Torts: Products Liability § 19 Reporters' Note to cmt. f ("Courts are unanimous in refusing to categorize commercially-provided services as products for the purposes of strict products liability in tort.").
Simmons et al., supra note 76, § 14.05. The Simmons treatise also says that "[i]t is fair to view strict liability theory in Maine as an open question," in part because the Law Court precedents are so old, and citing Hayes v. Bushey, 196 A.2d 823 (Me. 1964) (declining to intimate what the rule would be for "an extra-hazardous activity"), and Hanlin Group v. Int'l Minerals Chem. Corp., 759 F. Supp. 925 (D. Me. 1990) (disposal of hazardous waste)).
Restatement (Second) Torts §§ 519-20.
Byram v. Main, 523 A.2d 1387 (Me. 1987); see also Restatement (Second) Torts § 507-09.
This case does not involve the sale of defective goods, an "abnormally dangerous" activity, or injury by animal. Instead, the plaintiffs ask me to conclude that this new area of electronic data theft is rife with risk and damage, calling for a new common law remedy. Such an expansion of Maine law is for the Maine Law Court or Legislature, not for me as a federal judge. Moreover, as I noted under the discussion of implied warranty, the general common law does not support the expansion of strict liability that the plaintiffs have requested. I conclude that there is no basis for strict liability in this case under current Maine law.
Mot. to Dismiss Oral Arg. 55:8-19.
See supra note 7 and accompanying text.
See supra notes 57-58 and accompanying text (discussing Restatement (Third) of Torts: Products Liability § 20 cmt. f).
(F) Count VI. Negligence
Under Maine law, the judge must decide, as a matter of law, whether a defendant has a tort-based duty to a plaintiff. If the judge finds a duty, "the duty is always the same — to conform to the legal standard of reasonable conduct in the light of the apparent risk." It is then up to the factfinder to decide whether the defendant has violated the standard of care, i.e., has been negligent. Hannaford does not argue that it is exempt from the duty of reasonable care. What it does contest is whether the duty extends to the economic loss that the plaintiffs claim in this case, rather than traditional personal injury or property damage.
Searles v. Trs. of St. Joseph's Coll., 695 A.2d 1206, 1209 (Me. 1997) ("The existence of a duty is a question of law.");Welch v. McCarthy, 677 A.2d 1066, 1069 (Me. 1996).
Searles, 695 A.2d at 1209 (quoting Trusiani v. Cumberland York Distribs., Inc., 538 A.2d 258, 261 (Me. 1988)).
Searles, 695 A.2d at 1209.
See Pls.' Opp'n to Def.'s Mot. to Dismiss at 33; Def.'s Reply at 2 (Docket Item 67).
Def.'s Mot. to Dismiss at 21-24.
Hannaford argues that the so-called economic loss doctrine prevents any tort recovery here because the claimed damages all arise out of the contractual relationship that customers and Hannaford enter into at the point of sale. It is true that, in some jurisdictions, courts have applied this "economic loss doctrine" to prevent tort recovery altogether for purely economic damages incurred by parties to a contractual relationship, unless there is also personal injury or physical property damage. But the doctrine started out much narrower, and the Maine Law Court has never had occasion to broaden its application. According to the Law Court's last statement on the topic in 1995, the economic loss doctrine stands for the proposition that "[c]ourts generally . . . do not permit tort recovery for a defective product's damage to itself." The Law Court explained the "rationale underlying this rule" as follows: "damage to a product itself 'means simply that the product has not met the customer's expectations, or, in other words, that the customer has received 'insufficient product value.' The maintenance of product value and quality is precisely the purpose of express and implied warranties.'"
Id.
See, e.g., Plourde Sand Gravel Co. v. JGI Eastern, Inc., 917 A.2d 1250, 1253 (N.H. 2007) ("While some states generally limit [the economic loss doctrine's] application to products liability cases, . . . New Hampshire . . . expanded its application to other tort cases."); Tietsworth v. Harley-Davidson, Inc., 677 N.W.2d 233, 241 (Wis. 2004) ("The economic loss doctrine is a judicially-created remedies principle that operates generally to preclude contracting parties from pursuing tort recovery for purely economic or commercial losses associated with the contract relationship.").
Oceanside at Pine Point Condo. Owners Ass'n v. Peachtree Doors, Inc., 659 A.2d 267, 270 n. 4 (Me. 1995).
Id. at 270 (quoting E. River S.S. Corp. v. Transamerica Delaval, Inc., 476 U.S. 858, 872 (1986)). In Maine Rubber International v. Environmental Management Group, I concluded that Maine's economic loss doctrine applied not just to goods sold, but also to service contracts where "[t]he critical issue . . . [was] value and quality of what was purchased." 298 F. Supp. 2d 133, 138 (D. Me. 2004). That is not the case here. In Banknorth, N.A, v. BJ's Wholesale Club, Inc., Judge Singal recognized that Maine law is uncertain as to whether the economic loss doctrine applies where the parties are not in privity (here they are in privity). 394 F. Supp. 2d 283, 286-87 (D. Me. 2005). Later in the same case, after transfer, a federal judge in Pennsylvania concluded that the Maine Law Court would apply the economic loss doctrine to prevent recovery of "economic damages, the cost of reissuing debit cards and of paying for the unauthorized transactions," in a lawsuit by a card-issuing bank against a merchant for negligence in maintaining the merchant's computer files of debit card numbers. Banknorth, N.A. v. BJ's Wholesale Club, Inc., 442 F. Supp. 2d 206, 211 (M.D. Pa. 2006). Respectfully, I am not persuaded that the Law Court would apply that reasoning to these transactions between consumers and a merchant. Moreover, it is not my role as a federal judge to extend Maine law, whether it be a claim or a defense.
Thus, the economic loss doctrine as Maine's Law Court has described it does not apply to prevent negligence-based tort recovery here. This is not a case about a defective product that Hannaford sold to the consumer. Even if there is a "defective product" here (extending the doctrine beyond the groceries sold to include Hannaford's making available an electronic payment system in the transaction), the recovery that the plaintiffs seek in this lawsuit is not for damage to that product. And the rationale for the economic loss doctrine as Maine describes it (no tort recovery for "insufficient product value") does not fit the nature of the tort recovery that the plaintiffs seek. Certainly there are arguments for broadening the economic loss doctrine's limits on tort recovery, but that is a decision for Maine's Law Court. From the Law Court's most recent pronouncement (1995) on the economic loss doctrine, I conclude that Maine law does not give Hannaford a defense to tort recovery for negligence.
Peachtree Doors, Inc., 659 A.2d at 270.
(G) Count VII. Maine's Unfair Trade Practices Act
Under the UTPA, "[a]t least 30 days prior to the filing of an action for damages, a written demand for relief, identifying the claimant and reasonably describing the unfair and deceptive act or practice relied upon and the injuries suffered, must be mailed or delivered to any prospective respondent." 5 M.R.S.A. § 213(1-A). The record does not reveal whether the plaintiffs met this requirement. Since Hannaford has not raised the issue, I do not address it.
Maine's Unfair Trade Practices Act says that "unfair or deceptive acts or practices in the conduct of any trade or commerce are declared unlawful." A consumer who purchases goods or services and "suffers any loss of money or property" as a result of such an act or practice can sue a defendant for "actual damages, restitution" and equitable relief. Maine's Law Court has said that the limits of the Act "are best defined on a case by case basis," and that "the complained of conduct should have some attribute of unfairness or deception to invoke its mechanisms." According to the Law Court, "[s]tanding alone, garden variety breaches of warranty do not necessarily constitute an unfair or deceptive trade practice."
Id. § 207.
Id. § 213(1).
Maine ex rel. Tierney v. Ford Motor Co., 436 A.2d 866, 874 (Me. 1981). In a footnote, the Court mentioned the "rascality" definition then used in Massachusetts cases, but it did not specifically adopt that limitation. Id. at 874 n. 14.
Searles v. Fleetwood Homes of Pa., Inc., 878 A.2d 509, 520 (Me. 2005).
The plaintiffs here maintain that Hannaford's failure to disclose the data theft promptly, once Hannaford learned of it, was unfair and deceptive. The Law Court says that under the UTPA:
An act or practice is deceptive if it is a material representation, omission, act or practice that is likely to mislead consumers acting reasonably under the circumstances. A material representation, omission, act or practice involves information that is important to consumers and, hence, likely to affect their choice of, or conduct regarding, a product. An act or practice may be deceptive, within the meaning of Maine's UTPA, regardless of a defendant's good faith or lack of intent to deceive.
At oral argument, the plaintiffs' lawyer also said that they based their UTPA claim in lesser part on an alleged negligent misrepresentation that the card numbers would be safe, a representation that assertedly became false December 7, 2007, when the breach of security first occurred. Mot. to Dismiss Oral Arg. Tr. 45:4-24. In their Consolidated Complaint, the plaintiffs allege that Hannaford "represented expressly . . . that . . . their . . . information . . . would be kept secure and would not be exposed to theft," Consolidated Compl. ¶ 105, but they provide no detail as to what these express statements were. There is only one other mention of "express" representation in the complaint, equally conclusory and made only in passing. See id. ¶ 20 (stating that "private and confidential debit card and credit card information. . . . was confided based on express . . . representations by Defendant and on the expectation and implied mutual understanding that the data confided would be protected and safeguarded"). I find the assertion of "express" representation insufficiently pleaded under Bell Atlantic Corp. v. Twombly, 550 U.S. 544 (2007), which states that "a plaintiff's obligation to provide the 'grounds' of his 'entitle[ment] to relief' requires more than labels and conclusions, and a formulaic recitation of the elements of a cause of action will not do." Id. at 555 (quoting Fed.R.Civ.P. 8(a)). I do not consider the plaintiffs' reference to what Hannaford's website said on November 19, 2008. See Pls.' Opp'n to Def.'s Mot. to Dismiss at 21 n. 11; Mot. to Dismiss Oral Arg. Tr. 71:3-24. The website assertion was not made in the Consolidated Complaint, and it refers to a date much later than the relevant time period. Therefore, this particular UTPA/negligent misrepresentation claim of falsity starting December 7, 2007, may not proceed.
State v. Weinschenk, 868 A.2d 200, 206 (Me. 2005) (internal quotations and citations omitted); see also Binette v. Dyer Library Ass'n, 688 A.2d 898, 906 (Me. 1996) (referring to the withholding of "material information").
A jury could find that, if Hannaford had disclosed the security breach immediately upon learning of it from Visa, customers would not have purchased groceries at its stores with plastic during that period from February 27, 2008, until Hannaford contained the security breach March 10, 2008. That would be an "omission . . . that is important to consumers and, hence, likely to affect their . . . conduct regarding, a product." As the Law Court has said, conduct may be deceptive even though the merchant operated in good faith or without intent to deceive. This is a less demanding standard than the common law claim that I discussed in Count IV.
See Weinschenk, 868 A.2d at 206.
Id. I recognize that Hannaford may have defenses, including the interests of law enforcement and the ability to detect and stop the intrusion, but those are issues to consider at a later stage.
Moreover, in a somewhat similar case involving retailer TJX, the First Circuit recently interpreted a Massachusetts statute whose substantive provision is identical to Maine's UTPA. It said:
Compare 5 M.R.S.A. § 207 ("Unfair methods of competition and unfair or deceptive acts or practices in the conduct of any trade or commerce are declared unlawful."), with Mass. Gen. Laws Ann. Ch. 93A, § 2(a) ("Unfair methods of competition and unfair or deceptive acts or practices in the conduct of any trade or commerce are hereby declared unlawful.").
If the charges in the complaint are true (and obviously the details matter), a court using these general FTC [Federal Trade Commission] criteria might well find in the present case inexcusable and protracted reckless conduct, aggravated by failure to give prompt notice when lapses were discovered internally, and causing very widespread and serious harm to other companies and to innumerable consumers. And such conduct, a court might conclude, is conduct unfair, oppressive and highly injurious — and so in violation of chapter 93A [Massachusetts' UTPA provision] under the FTC's interpretation.
In re TJX Cos. Retail Sec. Breach Litigation, 564 F.3d 489, 496 2009 WL 806891, at *5 (1st Cir. March 30, 2009, amended May 5, 2009).
As a result, the First Circuit ruled, the claim could not be dismissed as an unfair trade practice. InTJX, the retail seller and its bank allegedly had made negligently false "implied representations" that they had implemented industry security measures required by industry practice, and then failed to announce a third-party intrusion into the retailer's electronic data system until a month after the security breach was discovered. The plaintiffs in TJX were the banks who had to reimburse consumers for resulting fraudulent transactions. The First Circuit treated their claim as an unfair trade practices claim and ruled that the claim could not be dismissed because of both "general FTC factors" and the "more precise precedents."
Id. at *6-7.
See In re TJX Cos. Retail Sec. Breach Litigation, 524 F. Supp. 2d 83 (D. Mass. 2007).
See id.
In re TJX Cos. Retail Sec. Breach Litigation, 2009 WL 806891, at *5. The district court had ruled that the banks stated a Massachusetts UTPA claim based upon extreme or egregious negligent misrepresentation. In re TJX Cos. Retail Sec. Breach Litigation, 524 F. Supp. 2d at 93.
The relevance of "general FTC criteria" or "general FTC factors" is that both the Maine and Massachusetts statutes instruct the courts to be "guided by" the Federal Trade Commission's interpretations of a comparable federal statute, 15 U.S.C. § 45(a)(1) ("Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful."). The "more precise precedents" that the First Circuit referred to were "the host of FTC complaints and consent decrees condemning as 'unfair conduct' specific behavior similar to that charged by plaintiffs." According to the FTC's website, the FTC has brought over twenty complaints "charging companies with security deficiencies in protecting sensitive consumer information." The FTC has brought these complaints against many types of corporations, including several retailers, alleging that they failed to use reasonable and appropriate security measures to prevent unauthorized access to personal information stored on computer networks, in violation of the Federal Trade Commission Act, 15 U.S.C. § 45. The First Circuit said that the "FTC precedent and factors" are "ordinarily instructive rather than conclusive," but also said that "[w]here, as here, a substantial body of FTC complaints and consent decrees focus on a class of conduct, it is hard to see why a court would choose flatly to ignore it." I conclude that the FTC interpretations, as recognized by the First Circuit in the Massachusetts case, support accepting the allegations here as stating a claim under Maine's UTPA.
5 M.R.S.A. § 207(1) ("It is the intent of the Legislature that in construing this section the courts will be guided by the interpretations given by the Federal Trade Commission and the Federal Courts to Section 45(a)(1) of the Federal Trade Commission Act ( 15 United States Code 45(a)(1)), as from time to time amended."); Mass. Gen. Laws Ann. Ch. 93A, § 2(b) ("It is the intent of the legislature that in construing paragraph (a) of this section in actions brought under sections four, nine and eleven, the courts will be guided by the interpretations given by the Federal Trade Commission and the Federal Courts to section 5(a)(1) of the Federal Trade Commission Act ( 15 U.S.C. 45(a)(1)), as from time to time amended."). The First Circuit cited a Massachusetts Supreme Court case that used a pre-1980 formulation of the general FTC standard: "(1) whether the practice . . . is within at least the penumbra of some common-law, statutory, or other established concept of unfairness; (2) . . . is immoral, unethical, oppressive, or unscrupulous; (3) . . . causes substantial injury [to] . . . competitors or other businessmen."In re TJX Cos. Retail Sec. Breach Litigation, 2009 WL 806891, at *5 (quoting Datacomm Interface, Inc. v. Computerworld, Inc., 489 N.E.2d 185, 196 (Mass. 1986)). The Maine Law Court previously has referred to that standard, but has also adopted a more recent FTC version of the standard. Fleetwood Homes of Pa., 878 A.2d at 519 n. 10 (quoting 15 U.S.C.A. § 45(n) and citing to a FTC policy statement from 1980 focusing on whether "the act or practice causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition."). The Law Court has also said: "To justify a finding of unfairness the injury must satisfy three tests. It must be substantial; it must not be outweighed by any countervailing benefits to consumers or competition that the practice produces; and it must be an injury that consumers themselves could not reasonably have avoided." Suminski v. Me. Appliance Warehouse, Inc., 602 A.2d 1173, 1174 n. 1 (Me. 1992). These differences in the phrasing of the FTC "general" criteria do not meaningfully limit the significance of the First Circuit's interpretation of the statutory language.
In re TJX Cos. Retail Sec. Breach Litigation, 2009 WL 806891, at *5.
Press Release, Fed. Trade Comm'n, Agency Announces Settlement of Separate Actions Against Retailer TJX, and Data Brokers Reed Elsevier and Seisint for Failing to Provide Adequate Security for Consumers' Data (Mar. 27, 2008), http://www.ftc.gov/opa/2008/03/datasec.shtm (on file with the Clerk of Court).
Fed. Trade Comm'n, Privacy Initiatives, http://www.ftc.gov/privacy/privacyinitiatives/promises_enf.html (on file with the Clerk of Court) (listing "cases involving the privacy of consumer information under Section 5 of the FTC Act").
In re TJX Cos. Retail Sec. Breach Litigation, 2009 WL 806891, at *5.
(4) Cognizable Injury
I have concluded above that three claims survive under current Maine law. But there is an additional requirement for a lawsuit to proceed: a plaintiff must have suffered an injury for which Maine law will grant relief, in this case either damages or injunctive relief. (For the UTPA claim, the requirement is a "loss of money or property," and that there be "actual damages," a standard that the Law Court has interpreted to require a "substantial injury," so as "to weed out 'trivial or merely speculative harms.'") Hannaford says that the plaintiffs have alleged no damages that Maine law recognizes or any injury that would support an injunction. The consumer plaintiffs disagree. I examine the plaintiffs' asserted injuries in categories. (A) Consumer plaintiffs who never had fraudulent items posted to their accounts.
5 M.R.S.A. § 213(1).
Tungate v. MacLean-Stevens Studios, Inc., 714 A.2d 792, 797 (Me. 1998).
I conclude first that consumers who did not have a fraudulent charge actually posted to their account cannot recover. Without an actual fraudulent posting, these consumers have only the emotional distress that their accounts might be in peril. That does not satisfy the UTPA's requirement of loss of money or property, and it does not suffice for breach of contract or negligence for reasons I will describe.
On this issue, the cases that the parties cite are almost uniform in not allowing recovery where there is only a risk of injury and no actual misuse of the stolen electronic data. See Pisciotta v. Old Nat'l Bancorp, 499 F.3d 629, 640 (7th Cir. 2000); Caudle, 580 F. Supp. 2d at 282-83; Melancon v. La. Office of Student Fin. Assistance, 567 F. Supp. 2d 873, 877 (E.D. La. 2008); Shafran v. Harley-Davidson, Inc., 2008 WL 763177, at *3 (S.D.N.Y. Mar. 20, 2008); Ponder v. Pfizer, Inc., 522 F. Supp. 2d 793, 798 (M.D. La. 2007); Kahle v. Litton Loan Servicing, LP, 486 F. Supp. 2d 705, 712-13 (S.D. Ohio 2007); Hendricks v. DSW Shoe Warehouse, Inc., 444 F. Supp. 2d 775, 782-83 (W.D. Mich. 2006);Guin v. Brazos Higher Educ. Serv. Corp., Inc., 2006 WL 288483, at *5-6 (D. Minn. Feb. 7, 2006); Forbes v. Wells Fargo Bank, N.A., 420 F. Supp. 2d 1018, 1020-21 (D. Minn. 2006). But see Ruiz v. Gap, Inc., 540 F. Supp. 2d 1121, 1126 (N.D. Cal. 2008); Kuhn v. Capital One Fin. Corp., 2006 WL 3007931, at *3 (Mass App. Ct. 2006). Some go so far as to say there is no Article III standing for such cases, see, e.g., Randolph v. ING Life Ins. Annuity Co., 486 F. Supp. 2d 1, 7-8 (D.D.C. 2007); Key v. DSW, Inc., 454 F. Supp. 2d 684, 688-89 (S.D. Ohio 2006); Giordano v. Wachovia Sec., LLC, 2006 WL 2177036, at *4 (D.N.J. July 31, 2006); Bell v. Acxiom Corp., 2006 WL 2850042, at *2 (E.D. Ark. Oct. 3, 2006), but others disagree, see, e.g., Pisciotta, 499 F.3d at 634 ("[T]he injury-in-fact requirement can be satisfied by a threat of future harm or by an act which harms the plaintiff only by increasing the risk of future harm that the plaintiff would have otherwise faced, absent the defendant's actions."); Caudle, 580 F. Supp. 2d at 279-80.
In fact, none of the named plaintiffs can legitimately claim fear of future fraudulent charges caused by Hannaford, because according to the Consolidated Complaint, all of their accounts affected by the stolen data have been canceled and new ones created. Consolidated Compl. ¶¶ 35-51.
Bartner v. Carter, 405 A.2d 194, 202-03 (Me. 1979) (finding that "loss of money or property" language "[o]n its face, without the benefit of a strained interpretation, . . . appears to rule out recovery, under the statute, of several kinds of . . . damages [such as] for personal injury, mental distress or loss of time"). Massachusetts likewise interpreted "loss of money or property" to exclude emotional distress, when that language existed in an earlier version of its statute. See Baldassari v. Pub. Fin. Trust, 337 N.E.2d 701, 708-09 (Mass. 1975). The Massachusetts legislature later amended the provision to delete that requirement for consumers' claims. See Leardi v. Brown, 474 N.E.2d 1094, 1100-01 (Mass. 1985) (detailing the history of consumers' private remedies under Massachusetts' UTPA, Mass. Gen. Laws Ann. Ch. 93A, § 9). Maine has not similarly amended its UTPA to remove the limiting language.
For breach of contract, Maine law is very restrictive on recovery of emotional distress damages: "The general rule is that damages for emotional distress as a result of a breach of contract are not recoverable." The "few limited exceptions" are "breaches of contracts between carriers and innkeepers and their passengers and guests; contracts for the carriage and proper disposition of dead bodies and; contracts for the delivery of messages concerning death." Maine's Law Court has explicitly refused to extend the exception even to breach of a fiduciary relationship because it "would all but swallow the rule." The claim for breach of implied contract here fits none of the recognized exceptions. Therefore, emotional distress damages are not recoverable on the plaintiffs' claim for breach of implied contract.
McAfee v. Wright, 651 A.2d 371, 372 (Me. 1994).
Id. at 373.
Id.
For tort recovery, if the plaintiff can otherwise recover damages, Maine law generally does allow emotional distress damages as well: "We have long allowed recovery for 'mental anguish and loss of enjoyment of life' in most tort actions.'" But Maine's Law Court has also recognized that "there can be no recovery for emotional harm . . . in a few limited instances, such as negligent misrepresentation claims." That is because the claims there are "essentially economic in nature and serve to protect economic interests." That reasoning fits this case exactly; the loss here is an economic loss.
The plaintiffs have claimed emotional distress damages as part of their general damage recovery. The defendants focus much of their argument on a separate kind of emotional distress, that sometimes recoverable under a separate cause of action for negligent infliction of severe emotional distress: "a duty to act reasonably to avoid emotional harm to others in very limited circumstances." Curtis v. Porter, 784 A.2d 18, 25 (Me. 2001).See, e.g., Mot. to Dismiss Oral Arg. Tr. 4-5. Although it is true that this case fits none of the enumerated limited circumstances for a free-standing cause of action (bystander liability actions, and circumstances of a special relationship, such that patient/therapist qualifies, for example, but minister/church member child does not), Curtis, 784 A.2d at 25 n. 17, the plaintiffs have not pleaded that separate cause of action.
Rubin v. Matthews Int'l Corp., 503 A.2d 694 (Me. 1986), requires an underlying tort recovery.
Curtis, 784 A.2d at 26; see also Kopenga v.Davric Me. Corp., 727 A.2d 906, 910 (Me. 1999) (a statutory case, but recognizing that there is a "low threshold of evidence for awarding damages under the pain, suffering, mental anguish and loss of enjoyment of life criteria of general tort actions," unlike the standard for negligent infliction of emotional distress).
Curtis, 784 A.2d at 26. In Curtis, the Court was referring to the separate tort of negligent infliction of emotional distress,see supra note 134, but I see no basis to limit its statement, and the statement I quote from Jourdain v. Dineen, 527 A.2d 1304, 1307 (Me. 1987), to that specific tort.
Jourdain, 527 A.2d at 1307; see also Veilleux v. Nat'l Broad. Co., 206 F.3d 92, 130 (1st Cir. 2000) (no recovery of emotional distress damages under Maine law for misrepresentation torts, "which serve to protect economic interests").
I conclude, therefore, that Maine law does not allow emotional distress damages in this economic loss case. On that same basis, the preventive expenses and time that the plaintiffs say they spent to resolve their emotional distress by protecting their accounts also are not recoverable. (This reasoning applies to emotional distress damages in all categories of loss.)
(B) Consumer plaintiffs with fraudulent charges that have not been reversed or reimbursed.
One plaintiff only, Pamela LaMotte, asserts that there are fraudulent charges on her account that, to date, her card-issuing bank has refused to remove, and that she has had to pay them. Hannaford argues that I should not consider these charges a cognizable injury because, under typical credit or debit card agreements, the issuing bank agrees to remove fraudulent charges. The plaintiffs respond that Hannaford as a wrongdoer (assuming that the plaintiffs prove negligence) cannot take advantage of the fact that Ms. LaMotte may also have a claim for recovery against her bank.
Consolidated Compl. ¶ 46. The complaint states imprecisely that Ms. LaMotte "has disputed" charges as unauthorized, without expressly alleging that the charges were in fact unauthorized.Id. At oral argument, I accepted the plaintiffs' lawyer's representations that the intent was to assert that the disputed charges were indeed unauthorized. Mot. to Dismiss Oral Arg. Tr. 50:7-19.
Def.'s Mot. to Dismiss at 25-26.
See Pls.' Opp'n to Def.'s Mot. to Dismiss at 34. The plaintiffs also argue that such contractual language is a matter of proof for Hannaford, id. at 7-8, not something that I can assume is true at this stage of the case on a motion to dismiss,see supra note 3.
I conclude that the plaintiffs are correct. If Hannaford's negligence has caused fraudulent postings to Ms. LaMotte's account that have not been corrected, her ability, if any, to sue her bank under her credit or debit card contract does not eliminate Hannaford's potential liability to her. I see no Maine law that holds otherwise. Under the UTPA also, she has incurred a "loss of money or property." Therefore, Ms. LaMotte's claim may proceed. (C) Consumer plaintiffs with fraudulent charges that were reversed and are no longer outstanding.
Accord Stollenwerk v. Tri-West Health Care Alliance, 254 F. App'x 664, 668 n. 2 (9th Cir. 2007) ("Under Arizona law, the criminal act of a third party does not necessarily relieve a defendant of liability for negligence, even when the third party is a stranger.").
Other plaintiffs allege that fraudulent items were posted to their accounts as a result of the Hannaford data breach, but they do not claim that they have had to pay these amounts or that they remain outstanding. (Presumably, therefore, the issuing banks have reversed the fraudulent postings.) Nor do any of these named plaintiffs claim specific expenses incurred to remove the fraudulent charges. These plaintiffs claim consequential losses, however, such as overdraft fees or a bank loan to cover them, a fee for insisting on changing an account when the issuing bank thought it was unnecessary, a fee for altering pre-authorized payment arrangements, loss of accumulated reward points, inability to earn reward points during the transition to a new card, time spent in persuading the issuing bank to reverse an item or in contacting multiple pre-authorized payees, temporary lack of access to funds and inability to use the card, a canceled hotel reservation when a card was canceled, the necessity for a family loan (no interest is alleged), and the cost of identity theft insurance.
The general damage allegations, Consolidated Compl. ¶¶ 52-54, do assert such claims, but they are not based upon personal knowledge. The Consolidated Complaint limits the personal knowledge allegations to paragraphs 35-51. Those paragraphs set forth in detail what happened to the named plaintiffs, but they do not include specific expenses to remove fraudulent postings. At this stage, my focus is only on the injuries to the named plaintiffs. "[I]f none of the named plaintiffs purporting to represent a class establishes the requisite of a case or controversy with the defendants, none may seek relief on behalf of himself or any other member of the class." O'Shea v. Littleton, 414 U.S. 488, 494 (1974). For the same reason I do not address the generalized claims of expenses for credit reports, or unauthorized transactions on other people's accounts that no one yet has uncovered.
I conclude that none of these are recoverable damages under Maine law because they are too remote, not reasonably foreseeable, and/or speculative (and under the UTPA, not a "substantial injury"). Under the Maine cases, for both tort and contract recovery, "the fundamental test is one of reasonable foreseeability: if the loss or injury for which damages are claimed was not reasonably foreseeable under the circumstances, there is no liability." And speculative damages are not recoverable.
Andrew M. Horton Peggy L. McGehee, Maine Civil Remedies § 4-3(b)(3) (4th ed. 2004).
Michaud, 390 A.2d at 530; Horton McGehee, supra note 144, § 4-3(b)(2) (describing the "reasonable certainty" standard).
First, there is no way to value and recompense the time and effort that consumers spent in reconstituting their bill-paying arrangements or talking to bank representatives to explain what charges were fraudulent. Those are the ordinary frustrations and inconveniences that everyone confronts in daily life with or without fraud or negligence. Maine law requires that there be a way to attach a monetary value to a claimed loss. These fail that requirement. The same is true for a consumer's temporary lack of access to funds or credit, the annoyance of a canceled hotel reservation, and the embarrassment or annoyance of obtaining a family loan.
Waxler v. Waxler, 699 A.2d 1161, 1166 (Me. 1997) (holding that a damage award for loss of good credit must be supported by evidence of monetary value); King v. King, 507 A.2d 1057, 1059-60 (Me. 1986) (holding that the absence of evidence of monetary value precluded a damages award); see also Forbes, 420 F. Supp. 2d at 1020-21 (applying Minnesota law and denying damages consisting of "time and money . . . spent monitoring . . . credit" because "a plaintiff can only recover for loss of time in terms of earning capacity or wages"). But see Kuhn, 2006 WL 3007931, at *3 (concluding that cognizable damages "include 'the value of the time spent' in seeking to prevent or undo the harm").
Second, the claimed overdraft fees or loan interest to pay them are remote and not reasonably foreseeable at the time of the point-of-sale transaction. They would occur only for customers who were already near their maximum account limits or where the thieves used large (or a multitude of recurrent) charges without the fraud being discovered. Most of the plaintiff consumers here have not alleged that they incurred such fees. The same is true for fees that other merchants allegedly charged when a customer changed his or her bill-paying arrangement because of the data theft.
Third, there is no allegation to justify the claim for identity theft insurance premiums. Nothing in the Consolidated Complaint suggests any risk of identity theft from the theft of card data that did not include personally identifying information. Similarly, there is no allegation to justify the claim for fees to open a new account when the issuing bank said it was unnecessary. That is a prophylactic measure chosen by the customer in an abundance of caution, not in the face of any meaningful risk, and is therefore too remote to qualify as recoverable damage.
Consolidated Compl. ¶¶ 30-31. Hannaford asserts generally that "[i]n all material respects, the risk posed by the theft of personal data is greater than the risk posed to the consumer by the theft of account data." Def.'s Mot. to Dismiss at 12. The plaintiffs disagree and say that "theft of confidential account access information is of far more immediate consequence than exposure or theft of personal particulars." Pls.' Opp'n to Def.'s Mot. to Dismiss at 14. I need not decide here which kind of theft is worse.
Fourth, the loss of accumulated reward points upon a change of accounts is not reasonably foreseeable. It is not apparent why an issuing bank would refuse to honor a cardholder's entitlement to accumulated points. That consequence was not reasonably foreseeable to Hannaford.
Fifth, the inability to earn reward points while obtaining a new card is too remote to justify a damage award. That consequence results from a coincidence of travel plans or a particular purchase that happened to fall in the precise window between accounts, and an apparent arbitrary unwillingness of the issuing bank to permit the cardholder to apply the points to the new account. Undoubtedly it was disappointing and annoying to that cardholder, but it was not a foreseeable consequence of Hannaford's alleged negligence.
(D) Injunctive Relief
The injunctive relief requested for these named plaintiffs is a court order to Hannaford requiring that Hannaford tell the plaintiffs "exactly what private and confidential financial and personal information . . . was exposed to theft and was, in fact, stolen"; and to provide credit monitoring for them going forward. But all of these named plaintiffs have already cancelled their compromised cards, so they individually have no need for such an injunction.
Consolidated Compl. Prayer for Relief.
See supra note 143. Once again, this is an issue on which the out-of-state cases the parties cite are almost unanimous: no mandatory credit monitoring, certainly where there is no demonstrated risk. See, e.g., Pisciotta, 499 F.3d at 634-40;Caudle, 580 F. Supp. 2d at 282; Shafran, 2008 WL 763177, at *3;Ponder, 522 F. Supp. 2d at 796; Kahle, 486 F. Supp. 2d at 712;Hendricks, 444 F. Supp. 2d at 779; Forbes, 420 F. Supp. 2d at 1021. I am not yet deciding whether, if the lawsuit proceeds with some plaintiffs, those named plaintiffs will be able to claim injunctive relief for other class members even though the named plaintiffs are not personally entitled to it.
CONCLUSION
Recurrent reports about breaches of electronic data systems — of governmental agencies, the nation's utility grid, merchants or other institutions — have generated increased apprehension, as consumers learn that the convenient card-based alternatives to cash turn out to have their own risks. This is not the first lawsuit over who bears the risk of electronic data theft, and it certainly will not be the last.I make no judgment on whether the Maine Legislature or Congress should act to provide more protection for consumers. Such a decision involves complex arguments regarding the adequacy of current consumer protection, efficient risk allocation, the economics of doing business, and the efficacy of lawsuits as a way to resolve such issues. Nor do I determine whether the Maine Law Court should develop Maine common law to address these issues differently. I merely conclude that under current Maine law, consumers whose payment data are stolen can recover against the merchant only if the merchant's negligence caused a direct loss to the consumer's account.
My ruling deals with several questions of Maine law on which the Maine Law Court has not yet had the opportunity to give an opinion — for example, the application of the economic loss doctrine to this type of transaction, or the standards of liability generally for electronic payment transactions. Before an appeal, I would therefore consider a motion to certify certain issues to the Law Court for its decision, Me. R. App. P. 25(a), when the case has reached the stage that satisfies Maine's finality standards ( i.e., "may be determinative of the cause").
The defendant's motion to dismiss is GRANTED as to the claims of all consumer plaintiffs but Pamela LaMotte. It is also GRANTED as to Pamela LaMotte on all counts except I, VI and VII. Ms. LaMotte may proceed on her claims for breach of implied contract, negligence, and an unfair or deceptive act or practice under Maine's UTPA.
I do not know whether the plaintiffs will still be able to satisfy the jurisdictional requirements of CAFA after my ruling.See 28 U.S.C. § 1332(d).
The Clerk's Office shall mail a copy of the Consolidated Complaint to the Maine Attorney General so as to comply with 5 M.R.S.A. § 213(3).
Counsel shall contact the Clerk's Office to arrange for a scheduling conference to be held in about 30 days.
SO ORDERED.