Individual plaintiffs have not had much success bringing private actions against businesses affected by security breaches. In particular, a number of courts have held that the abstract risk of identity theft is not a cognizable injury. And most recently, the Maine Supreme Judicial Court has determined that even those individuals actually victimized by identity theft may have difficulty establishing injury if they are reimbursed in full by their financial institutions.
The Maine court found that time and effort that victims of identity theft spend identifying and correcting fraudulent credit card activity is not sufficient to show a cognizable injury for purposes of a negligence or breach of an implied contract claim. The court found these are uncompensable as the “typical annoyances or inconveniences that are a part of everyday life.”
The court was responding to a question certified by the U.S. District Court for the District of Maine in connection with more than two dozen class complaints filed against Maine-based grocery chain Hannaford Bros. Co. The claims against Hannaford were filed after its May 2008 announcement that a hacker had compromised its electronic payment processing system and stolen up to 4.2 million customer debit and credit card numbers, expiration dates, security codes, PINs, and other customer information.