PORTLAND, Maine — Only those customers who weren’t reimbursed for fraudulent charges may sue the Hannaford Bros. supermarket chain over a data breach that exposed 4.2 million credit and debit card numbers to computer hackers, a federal judge ruled.
The decision by U.S. District Judge D. Brock Hornby on Tuesday dismissed all but one of the civil claims brought against Hannaford after the data breach was revealed in March 2008. But a separate lawsuit is still pending in Florida against Hannaford’s sister company, Tampa-based Sweetbay.
Between Dec. 7, 2007, and March 10, 2008, hackers accessed card numbers used at 165 Hannaford stores in the Northeast and 106 Sweetbay stores in Florida. At least 1,800 numbers were stolen and used for unauthorized purchases, Hannaford officials have said.
Electronic payment processing services for the transactions took place in Maine, where Hannaford is based. And lawyers agreed last month that Maine law should apply.
In his decision, Hornby said state law allows consumers to recover damages “only if the merchant’s negligence caused a direct loss to the consumer’s account.”
“When a merchant is negligent in handling a customer’s electronic payment data and that negligence causes an unreimbursed fraudulent charge or debit against a customer’s account, the merchant is liable for that loss,” Hornby wrote. Not covered by state law, he wrote, were “collateral consequences.”
More than 20 lawsuits in Florida, Maine, New Hampshire, Massachusetts, New York and Vermont were consolidated into one case before Hornby. The judge’s decision tosses all complaints except one, from a Vermont woman who was not reimbursed for fraudulent charges.
Peter Murray, a lawyer for the plaintiffs, said he was disappointed by the ruling, but he said there was little choice except to bring the class-action lawsuit in Maine.
“We followed the path that we thought was the best path,” he said. “Attorneys on both sides felt that Maine law was as good a bet as you could have and was the only jurisdiction that one could assert covers all the claims.” Plaintiffs are considering their options, he said.
Also pending is a Florida lawsuit that the 1st U.S. Circuit Court of Appeals in Boston allowed this month to move forward even though it overlapped with the lawsuit in Maine.
David Metcalf, a Tallahassee lawyer, is seeking class-action status for a lawsuit on behalf of Florida residents who represent the bulk of the 1.6 million customers whose credit and debit cards were compromised at Sweetbay stores. The case will be tried in a state court.
In both lawsuits, plaintiffs were critical of the way Hannaford handled the case. They say Hannaford learned on Feb. 27, 2008, that its system had been compromised and that Hannaford understood the nature of the breach on March 8, but there was no public disclosure until March 17.
Hannaford was found to be in compliance with security standards required by the Payment Card Industry, a coalition founded by credit card companies.
Even though it met industry standards, Hannaford has reviewed its procedures and taken additional steps to ensure there’s no repeat of the data breach, said Mike Norton, a spokesman at Hannaford’s headquarters in Scarborough, outside Portland.
“We haven’t had an experience like this in our history and we really believe we have the right procedures in place so that it doesn’t happen again,” Norton said Wednesday.
Hannaford and Sweetwater, along with Food Lion, are owned by Belgian supermarket chain Delhaize America. Food Lion was not affected by the data breach.