The Scope of Available Damages in Identity Theft Cases (In the First Circuit, It's Broader Than You May Think)

Consider this scenario: You purchase items at a store with your credit card. Months later, you learn that the store's credit card processing systems have been hacked. Not seeing any unauthorized charges on your credit card statement, you breathe a temporary sigh of relief, but you go out and purchase identity theft insurance just in case the hackers try to use your information in the future -- and to protect against breaches at other retailers. Unhappy with the store's failure to stop the security breach, you sue the store to recover the money you spent purchasing identity theft insurance.

The store moves to dismiss your complaint, arguing that you have no compensable damages because you have no proof that the hackers actually used your information to make unauthorized purchases. Who wins on this point -- the store or the plaintiff? In a victory for credit card users, the First Circuit, applying Maine law, has sided with the plaintiff.

In Anderson v. Hannaford Bros. Co., Nos. 10-2384/2450, 2011 U.S. App. LEXIS 21239 (Oct. 20, 2011), customers of the grocery chain Hannaford sued Hannaford for various common-law and statutory violations after hackers breached its electronic payment processing system. While some of the plaintiffs alleged that the hackers had, in fact, used their credit card information to make unauthorized purchases for which those plaintiffs were ultimately liable (at least in part), other plaintiffs had no proof of unauthorized purchases and therefore could not make the same allegation. As the First Circuit put it, those latter plaintiffs were faced only with "a real risk of misuse," but they still sought to recover the cost of purchasing identity theft insurance and the cost of purchasing replacement credit cards. The First Circuit held that on the facts of this case, these damages were reasonably foreseeable and therefore permissible under Maine negligence law. The court found that it was reasonable for these plaintiffs to believe their credit card information might be used in unauthorized purchases, especially since it had happened to others. From a policy perspective, the court also found that any other holding would discourage customers from mitigating damages in similar situations.

Is the First Circuit right? Should defendants reimburse plaintiffs who purchase identity theft insurance when those plaintiffs are only "at risk of unauthorized charges" but have no proof that their personal information has been used commercially? Given the consequences of identity theft -- downgraded credit ratings, inability to secure mortgages, sheer loss of money, emotional distress -- most credit card users would likely agree that courts should encourage, rather than discourage, self-protective measures such as purchasing insurance, especially when there's evidence, as there was in Hannaford, that security systems have been hacked and other customers have been victimized. But some courts in other circuits have disagreed with this theory, even though the Hannaford court took pains to distinguish those holdings rather than acknowledge an actual conflict.

Moreover, should retailers be obligated to pay for this insurance no matter how high the initiation fee or the premiums? The First Circuit's decision does not set limits, other than "reasonableness," on the cost of insurance that plaintiffs may re-coup in litigation. In fact, the court cited with approval other decisions allowing plaintiffs to re-coup mitigation costs even when they exceed the expected savings, on the theory that courts should encourage plaintiffs to mitigate. Whether this will prove workable in identity theft cases remains to be seen. It will be up to lower courts to figure out what costs are reasonable and what costs are not reasonable in the insurance context -- not always an easy determination.