LYNCH, Chief Judge.
Plaintiffs appeal from the dismissal of their Maine state law claims arising out of the unauthorized use of their credit and debit card data after hackers breached the electronic payment processing system of defendant Hannaford Brothers Co., where plaintiffs had shopped for groceries and used those cards.
The district court determined that plaintiffs failed to state a claim under Maine law for breach of fiduciary duty, breach of implied warranty, strict liability, and failure to notify customers of the data breach. Although the district court concluded that the plaintiffs adequately alleged breach of implied contract, negligence, and violation of the unfair practices portion of the Maine
We affirm in part and reverse in part. We affirm the district court's dismissal of all claims other than the plaintiffs' negligence and implied contract claims. We reverse the district court's dismissal of the plaintiffs' negligence and implied contract claims as to certain categories of alleged damages because plaintiffs' reasonably foreseeable mitigation costs constitute a cognizable harm under Maine law.
The facts as alleged by plaintiffs in their consolidated putative class action complaint are as follows.
Hannaford is a national grocery chain whose electronic payment processing system was breached by hackers as early as December 7, 2007.
Following Hannaford's announcement, some financial institutions immediately cancelled customers' debit and credit cards and issued new cards, while others did not do so, telling the cardholder they wished to wait for evidence of unauthorized activity before taking action. Further, as alleged in the complaint, "financial institutions who did not immediately cancel customers' cards monitored customer accounts for unusual activity and cancelled cards immediately upon being aware of apparent fraudulent charges or attempts to make apparently fraudulent charges, in many cases, without the knowledge of the customer." Additional "customers suffered unauthorized charges to their debit card and credit card accounts." Moreover, "customers who requested that their cards be cancelled were required to pay fees to issuing banks for replacement cards" and "customers purchased identity theft insurance and credit monitoring services to protect themselves against possible consequences of the breach."
The plaintiffs alleged seven causes of action: (1) breach of implied contract; (2) breach of implied warranty; (3) breach of duty of a confidential relationship; (4) failure to advise customers of the theft of their data; (5) strict liability; (6) negligence; and (7) violation of the Maine UTPA. Plaintiffs sought damages as well as injunctive relief in the form of credit monitoring and notification of precisely what information was stolen. Hannaford moved to dismiss all claims, and the parties agreed that Maine law would govern the dispute.
Plaintiffs allege that Hannaford customers, including the plaintiffs, experienced more than the 1,800 unauthorized charges to their accounts which were known to Hannaford when it made its announcement on March 17. Plaintiffs also plead that they experienced several categories of losses said to be compensable damages for those plaintiffs who incurred them, including the cost of replacement card fees when the issuing bank declined to issue a replacement card to them, fees for accounts overdrawn by fraudulent charges, fees for altering pre-authorized payment arrangements, loss of accumulated reward points, inability to earn reward points during the transition to a new card, emotional distress, and time and effort spent reversing unauthorized charges and protecting against further fraud. In addition, they claim damages for the purchase of identity theft/card protection insurance and credit monitoring services.
In a carefully reasoned opinion, the district court granted Hannaford's motion to dismiss as to twenty of the twenty-one named plaintiffs.
For these three surviving claims, the district court concluded that dismissal depended on whether the plaintiffs' alleged injuries as pled were cognizable under Maine law. Id. at 131. To make this determination, the district court divided the plaintiffs into three categories. Id. at 131-35. The district court determined that the first category, composed of plaintiffs who did not have fraudulent charges posted to their accounts, could not recover because their claims for emotional distress are not cognizable under Maine law. Id. at 131-33. The district court concluded that the second category, composed of the single plaintiff whose fraudulent charges
As to the third category, composed of plaintiffs whose fraudulent charges had been reimbursed, the district court determined that their alleged consequential losses were "too remote, not reasonably foreseeable, and/or speculative (and under the UTPA, not a `substantial injury')." Id. at 134. In particular, the district court explained, the claimed overdraft fees, loss of accumulated reward points, and loss of opportunities to earn reward points were not foreseeable at the time of sale. Id. at 134-35. Further, the district court determined that there was no way to value or compensate the time and effort that consumers spent to reverse or protect against losses, and that there was no allegation to justify the claim for identity theft insurance since no personally identifying information was alleged to have been stolen. Id. As a result, the district court determined that this third category of plaintiffs could not recover.
Finally, the district court denied the plaintiffs' requested injunctive relief because the named plaintiffs had already cancelled their compromised cards. Id. at 135.
After the district court ruling, the plaintiffs moved to certify several questions
In re Hannaford Bros. Co. Customer Data Sec. Breach Litig., 671 F.Supp.2d 198, 201 (D.Me.2009). The Law Court accepted the certification and answered the first question in the negative, agreeing with the district court that time and effort alone do not constitute a cognizable harm under Maine Law. In re Hannaford Bros. Co. Customer Data Sec. Breach Litig., 4 A.3d 492, 498 (Me.2010). Observing that "[l]iability in negligence ... ordinarily requires proof of personal injury or property damage," the Law Court declined to expand Maine negligence law by recognizing time and effort alone as a harm. Id. at 496. Similarly, the Law Court noted that "[n]ot every consequence of a breach of contract is a cognizable injury" and that contract damages are generally more restricted than compensatory damages for tort. Id. at 497. Accordingly, the Law Court concluded that time and effort alone do not represent a cognizable injury recoverable in implied contract. Id. Having answered the first question in the negative, the Law
In light of the Law Court's opinion, the district court ordered the parties to show cause why judgment should not be entered in favor of Hannaford on all claims. The parties offered no response and the district court entered judgment in favor of Hannaford.
Plaintiffs have appealed the district court's decision regarding the fiduciary duty, breach of implied contract, negligence, and Maine UTPA claims. Hannaford has cross-appealed from the district court's determinations that the plaintiffs had adequately pled a basis for an implied contract of reasonable care apart from any tort duty, and that a private remedy under the Maine UTPA might lie even absent a loss resulting from the purchase of a consumer good or service.
We review de novo the grant of a motion to dismiss, "accepting as true all well-pleaded facts, analyzing those facts in the light most hospitable to the plaintiff's theory, and drawing all reasonable inferences for the plaintiff." United States ex rel. Hutcheson v. Blackstone Med., Inc., 647 F.3d 377, 383 (1st Cir.2011). To survive a motion to dismiss, a complaint must "set forth `factual allegations, either direct or inferential, respecting each material element necessary to sustain recovery under some actionable legal theory.'" Gagliardi v. Sullivan, 513 F.3d 301, 305 (1st Cir. 2008) (quoting Centro Medico del Turabo, Inc. v. Feliciano de Melecio, 406 F.3d 1, 6 (1st Cir.2005)).
Plaintiffs argue that Hannaford owed a fiduciary duty to protect their credit and debit card data, which it breached. Although plaintiffs concede that the basic grocery purchase transaction does not give rise to a fiduciary relationship, they argue that a fiduciary relationship arises in the context of credit and debit card use because the customer trusts the merchant to safeguard her credit or debit card information.
We agree with the district court that the plaintiffs' facts do not make out a confidential relationship
First, the plaintiffs have not shown the "trust and confidence" contemplated by Maine confidential relationship cases. Under Maine law, a "fiduciary relationship has been described as `something approximating business agency, professional relationship, or family tie impelling or inducing the trusting party to relax the care and vigilance ordinarily exercised.'" Bryan R. v. Watchtower Bible & Tract Soc. of N.Y., Inc., 738 A.2d 839, 846 (Me.1999) (quoting
Second, the plaintiffs have not pled facts demonstrating disparate bargaining power between the plaintiffs and Hannaford. In the commercial context, the Maine Law Court has required an especially heightened disparity of power. The plaintiffs must allege "diminished emotional or physical capacity or ... the letting down of all guards and bars." Stewart, 762 A.2d at 46 (omission in original) (quoting Diversified Foods, Inc. v. First Nat'l Bank of Bos., 605 A.2d 609, 615 (Me.1992)) (internal quotation marks omitted) (holding that a creditor-debtor relationship is not a confidential relationship without a showing of diminished capacity or special vulnerability). Here, the customer is free to use cash or checks, as well as credit or debit cards, to buy groceries. The customer is free to purchase groceries elsewhere. Indeed, plaintiffs fail to distinguish themselves from any other credit or debit card user in any commercial setting. See Bryan R., 738 A.2d at 847 (dismissing a claim for breach of fiduciary duty where, inter alia, plaintiff did not allege that his relationship with the defendant church was "distinct from [the defendant church's] relationships with any other members").
Third, the plaintiffs fail to allege facts demonstrating that Hannaford abused a position of trust. Under Maine law, breach of fiduciary duty claims typically require a showing that the dominant party used its position of trust to obtain something from the subordinate party, "acquiring rights in that [property] antagonistic to the person with whose interests he has become associated." Wood, 122 A. at 179 (quoting Trice v. Comstock, 121 F. 620, 627 (8th Cir. 1903)) (internal quotation mark omitted). As the district court noted, there is no suggestion in the complaint that Hannaford provided anything but a fair exchange in groceries in return for the customers' payments or somehow took advantage of the system of allowing customers to use cards. In re Hannaford, 613 F.Supp.2d at 123.
Hannaford cross-appeals from the district court's determination that plaintiffs have made out a claim for an implied contract.
The district court correctly concluded that a jury could reasonably find an implied contract between Hannaford and its customers that Hannaford would not use the credit card data for other people's purchases, would not sell the data to others, and would take reasonable measures to protect the information. In re Hannaford, 613 F.Supp.2d at 119. When a customer uses a credit card in a commercial transaction, she intends to provide that data to the merchant only. Ordinarily, a customer does not expect—and certainly does not intend—the merchant to allow unauthorized third-parties to access that data. A jury could reasonably conclude, therefore, that an implicit agreement to safeguard the data is necessary to effectuate the contract.
The district court held that the plaintiffs' allegations stated a claim under the Maine UTPA that Hannaford's failure to disclose the data theft promptly, and possibly its failure to maintain reasonable security systems, was unfair and deceptive. Id. at 128-31. Nonetheless, the district court concluded that the claim failed because the plaintiffs did not allege substantial loss. Id. at 134. We agree that the plaintiffs' claim fails, but for different reasons.
Section 207 of the Maine UTPA, entitled "Unlawful Acts and Conduct," provides that "[u]nfair methods of competition and unfair or deceptive acts or practices in the conduct of any trade or commerce are declared unlawful." Me.Rev.Stat. tit. 5, § 207. Under the statute, in defining whether a practice is unlawful, the Maine legislature directed that guidance be sought from the interpretations of the Federal Trade Commission Act (FTCA). Id. § 207(1) ("It is the intent of the Legislature that in construing this section the courts will be guided by the interpretations given by the Federal Trade Commission and the Federal Courts to Section 45(a)(1) of the Federal Trade Commission Act (15 U.S.C. § 45(a)(1)), as from time to time amended.").
The Maine courts have looked generally to the FTCA to determine whether "the act or practice causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition."
Further, "[i]n determining whether an act or practice is unfair," Maine courts "consider established public policies as evidence to be considered with all other evidence. Such public policy considerations may not serve as a primary basis for such determination." Id. (quoting 15 U.S.C. § 45(n)) (internal quotation marks omitted).
The Maine UTPA provides for two different enforcement mechanisms: enforcement by the state's Attorney General, Me. Rev.Stat. tit. 5, § 209, and a private cause of action, id. § 213. The Attorney General may seek injunctive relief and may also seek civil penalties for violation of the injunction, including restoration to private individuals of any ascertainable loss. Id. § 209. The issue here concerns the limits for private causes of action.
Section 213, entitled "Private Remedies," as amended in 1991, provides a private cause of action under the statute:
Id. § 213(1).
The text requires that the plaintiff suffer a loss of money or property as a result of the unlawful act.
The parties actively dispute whether plaintiffs' claims, viewed individually, make out substantial injury, or whether, given the nature of the event, plaintiffs' claims of harm may be viewed as a collective whole as to substantial injury. In Tungate v. MacLean-Stevens Studios, Inc., the Law Court said that "[t]he substantial injury requirement is designed to weed out `trivial or merely speculative harms.'" 714 A.2d 792, 797 (Me.1998) (quoting Legg v. Castruccio, 100 Md.App. 748, 642 A.2d 906, 917 (1994)) (holding that a $1.25 commission on a $7.00 product did not rise to the level of substantial injury for purposes of establishing a violation under section 207). We do not view the subject matter of this suit as "trivial" or "merely speculative." We see no case in Maine sufficiently like this one to give us clear guidance on this question and are reluctant to venture where the Maine courts have not.
What is clear is that the Maine courts have consistently read the private right of action provision of the UTPA narrowly.
In the seminal case interpreting the private right of action provision of the Maine UTPA, the Law Court in Bartner v. Carter pointed out that "[i]n a private suit, the requirement of loss to the plaintiff consumer resulting from defendant's wrongful act unavoidably limits" both the scope of section 207 and the use of the FTCA and its interpretation. 405 A.2d at 201. The court commented that the Maine legislature was concerned about the possible coercive and improper use of the private cause of action, and that was one rationale for the narrowing. Id. at 201-02.
Pertinently, the court also pointed out, in discussing the restrictions on recovery in private actions under section 213, that "[c]ommon law actions for negligence and breach of warranty are available in appropriate cases for non-restitutionary damages in situations where personal injuries or damages to property have occurred." Id. at 203.
It seems unlikely to us that Maine would permit plaintiffs, in cases also pleading that the same acts constitute negligence and breach of implied contract, to use the private action provision of the UTPA to recover types of damages which Maine has decided are not reasonably foreseeable or barred for policy reasons when asserted under implied contract, negligence, or other theories. In Searles, the Law Court was explicit that public policy considerations factor into interpretation of the UTPA. See 878 A.2d at 519 n. 10. As this opinion holds elsewhere, most of plaintiffs' damages claims fail for those reasons. As to the recoverable amounts for mitigation of damages under negligence and implied contract, we see no reason why Maine law would not consider those recoveries under those theories sufficient.
To summarize, plaintiffs' claims under the Maine UTPA and for a breach of fiduciary relationship fail, but plaintiffs have adequately alleged at least theories of negligence and breach of implied contract. That a general theory of recovery has been adequately pled does not, though, resolve the next question of whether the particular types of damages alleged are recoverable under those theories. We draw a distinction for our analysis among plaintiffs' various claims of damages between those which are best characterized as mitigation costs and those which are not.
Under Maine negligence law, damages must be both reasonably foreseeable, and, even if reasonably foreseeable, of the type which Maine has not barred for policy reasons. Generally, under Maine law, "the fundamental test [for both tort and contract recovery] is one of reasonable foreseeability: if the loss or injury for which damages are claimed was not reasonably foreseeable under the circumstances, there is no liability." Horton & McGehee, Maine Civil Remedies § 4-3(b)(3) (4th ed. 2004). But liability in negligence also "ordinarily requires proof of personal injury or property damage." In re Hannaford, 4 A.3d at 496. The Maine Law Court has explained that although reasonable foreseeability "may set tolerable limits for most types of physical harm, it provides virtually no limit on liability for nonphysical harm." Cameron v. Pepin, 610 A.2d 279, 283 (Me.1992) (emphasis omitted) (quoting Thing v. La Chusa, 48 Cal.3d 644, 257 Cal.Rptr. 865, 771 P.2d 814, 826 (1989)) (internal quotation mark omitted). In cases of nonphysical harm, Maine courts limit recovery by considering not only reasonable foreseeability, but also relevant policy considerations such as "societal expectations regarding behavior and individual responsibility in allocating risks and costs." Alexander v. Mitchell, 930 A.2d 1016, 1020 (Me.2007).
Maine courts have weighed these considerations in the context of mitigation costs and determined that a plaintiff may "recover for costs and harms incurred during a reasonable effort to mitigate," regardless of whether the harm is nonphysical. In re Hannaford, 4 A.3d at 496. The Maine Law Court has expressly said so both in its response to the certified questions and in its decision to apply the Restatement (Second) of Torts § 919. The Restatement (Second) of Torts § 919 provides that "[o]ne whose legally protected interests have been endangered by the tortious conduct of another is entitled to recover for expenditures reasonably made or harm suffered in a reasonable effort to avert the harm threatened." Id. § 919(1). It is clear that, as a matter of policy, Maine law "encourages plaintiffs to take reasonable steps to minimize losses caused by a defendant's negligence." In re Hannaford, 4 A.3d at 496. To recover mitigation damages, plaintiffs need only show that the efforts to mitigate were reasonable, and that those efforts constitute a legal injury, such as actual money lost, rather than time or effort expended. Id. at 496-97.
Maine has interpreted this "reasonableness" requirement for mitigation, judging whether the decision to mitigate was reasonable "at the time it was made." Marchesseault v. Jackson, 611 A.2d 95, 99 (Me. 1992). In Marchesseault, the plaintiff brought a claim for breach of contract after the defendant built a faulty foundation for the plaintiff's house. The court allowed as mitigation costs expenditures made in an unsuccessful effort to remedy
There is not a great deal of Maine law on the subject. And the Law Court's decision on the certified question appears to be the first time the Maine courts have applied § 919 of the Restatement. So we turn to the decisions of other courts under the Restatement, which provide guidance for Maine. See, e.g., Marchesseault, 611 A.2d 95 at 99 (turning to other jurisdictions for guidance in deciding whether to allow recovery of unsuccessful repair costs as mitigation damages under the Restatement (Second) of Contracts); Marois v. Paper Converting Mach. Co., 539 A.2d 621, 623-24 (Me.1988) ("Decisions of other courts, however, do interpret the Restatement [(Second) of Torts] and are helpful in the development of our own law."). Other courts' decisions applying § 919 are helpful to plaintiffs' claims. These courts award mitigation costs even when it is not certain at the time that these costs are needed, when mitigation costs are sought but other damages are unavailable, and when mitigation costs exceed the amount of actual damages.
The Seventh Circuit, for example, has held that under Restatement § 919 incidental costs expended in good faith to mitigate harm are recoverable—even if the costs turn out to exceed the savings. See Toledo Peoria & W. Ry. v. Metro Waste Sys., Inc., 59 F.3d 637 (7th Cir. 1995) (applying Illinois law). In Toledo, the plaintiff sued to recover for damages sustained to several of its locomotive engines. As to one of the engines, the plaintiff sought to recover both the replacement value of the engine and the cost of attempted repairs, which later turned out to be unsuccessful. The court held it was error to have excluded evidence of the cost of the attempted repairs and allowed the plaintiff full recovery because "[a]ny other result would effectively penalize [the plaintiff] for fulfilling its obligation under Illinois law to minimize its damages." Id. at 641.
In Kelleher v. Marvin Lumber & Cedar Co., 152 N.H. 813, 891 A.2d 477 (2005), the New Hampshire Supreme Court, applying Restatement § 919, held that a plaintiff who found rot damage in a number of his property's windows could recover for the cost of replacing those windows in order to prevent water leakage and other damage to the property. The court allowed the plaintiff to recover the cost of the new windows as reasonable mitigation damages notwithstanding the court's determination that recovery for the rotting windows themselves was barred by the economic loss doctrine. Id. at 496-97.
The Fourth Circuit has noted, applying Restatement § 919, that plaintiffs should not face "a Hobson's choice" between allowing further damage to occur or mitigating the damage at their own expense. Toll Bros., Inc. v. Dryvit Sys., Inc., 432 F.3d 564, 570 (4th Cir.2005) (applying Connecticut law). In Toll, a real estate developer removed and replaced defective stucco from homes that it built, and sued the stucco manufacturer in negligence to recover its costs. The court concluded that, as a matter of policy, a plaintiff may recover the cost of its reasonable attempts to mitigate, even if the injury is "wholly financial" in nature. Id.
In Fogel v. Zell, 221 F.3d 955 (7th Cir. 2000), the court, applying Illinois law, determined that under Restatement § 919 a city which had installed a defectively manufactured sewer pipe "would have been entitled by the doctrine of mitigation of damages to remove the pipe or take other
In a Massachusetts case, Automated Donut Systems, Inc. v. Consolidated Rail Corp., 12 Mass.App.Ct. 326, 424 N.E.2d 265 (1981), the court applied Restatement § 919 to hold that a shipper could recover the cost of reasonable, but unsuccessful, efforts to repair goods damaged by a railway carrier because allowing recovery would effectuate a policy of encouraging injured parties to avoid loss. Id. at 270-71.
The question then becomes whether plaintiffs' mitigation steps were reasonable. This is a contextual question, depending on the facts. Like the district court, we will view all facts in the light most favorable to the plaintiffs.
This case involves a large-scale criminal operation conducted over three months and the deliberate taking of credit and debit card information by sophisticated thieves intending to use the information to their financial advantage. Unlike the cases cited by Hannaford, this case does not involve inadvertently misplaced or lost data which has not been accessed or misused by third parties. Here, there was actual misuse, and it was apparently global in reach. The thieves appeared to have expertise in accomplishing their theft, and to be sophisticated in how to take advantage of the stolen numbers. The data was used to run up thousands of improper charges across the globe to the customers' accounts. The card owners were not merely exposed to a hypothetical risk, but to a real risk of misuse.
Further, there is no suggestion there was any way to sort through to predict whose accounts would be used to ring up improper charges. By the time Hannaford acknowledged the breach, over 1,800 fraudulent charges had been identified and the plaintiffs could reasonably expect that many more fraudulent charges would follow. Hannaford did not notify its customers of exactly what data, or whose data, was stolen. It reasonably appeared that all Hannaford customers to have used credit or debit cards during the class period were at risk of unauthorized charges.
That many banks or issuers immediately issued new cards is evidence of the reasonableness of replacement of cards as mitigation. Those banks thought the cards would be subject to unauthorized use, and cancelled those cards to mitigate their own losses in what was a commercially reasonable judgment. That other financial institutions did not replace cards immediately does not make it unreasonable for cardholders to take steps to protect themselves.
It was foreseeable, on these facts, that a customer, knowing that her credit or debit card data had been compromised and that thousands of fraudulent charges had resulted from the same security breach, would replace the card to mitigate against misuse of the card data.
Hannaford opposes this conclusion and cites several cases from other jurisdictions holding, on the facts before them, that the costs of credit monitoring services and identity theft insurance are not cognizable injuries in negligence claims.
Most of the cases involved theft of expensive computer equipment, rather than a sophisticated breach of electronic data. See Ruiz v. Gap, Inc., 622 F.Supp.2d 908 (N.D.Cal.2009); Caudle v. Towers, Perrin, Forster & Crosby, Inc., 580 F.Supp.2d 273 (S.D.N.Y.2008); Kahle v. Litton Loan Servicing LP, 486 F.Supp.2d 705 (S.D.Ohio 2007); Randolph v. ING Life Ins. & Annuity Co., 486 F.Supp.2d 1 (D.D.C.2007). In contrast with the facts here, the plaintiffs in those cases not only failed to allege "that plaintiff[s] or any member[s] of the putative class [had] been the victim[s] of identity fraud or theft," Caudle, 580 F.Supp.2d at 277, but also failed to allege "that the person stealing the [computer or] hard drive was motivated by a desire to access the data and had the capabilities to do so," id. at 282. These courts reasoned that because "there [was] no evidence that the thieves or other unauthorized individuals were able to access that information or if accessed that it [was] used for unlawful purposes[,] ... any injury of Plaintiff[s] [was] purely speculative." Kahle, 486 F.Supp.2d at 712-13. Here, by contrast, the thieves were sophisticated; they targeted Hannaford's data directly; and they used that data to ring up thousands of charges to customer accounts, including the accounts of many of the plaintiffs.
Another of the cases involved a computer hard drive that was inadvertently lost. See Melancon v. La. Office of Student Fin. Assistance, 567 F.Supp.2d 873 (E.D.La. 2008). In Melancon, unlike the present
Only two of Hannaford's cited cases involve a breach in which thieves accessed the plaintiffs' data held by defendants. See Pisciotta v. Old Nat'l Bancorp, 499 F.3d 629 (7th Cir.2007) (hackers breached a bank website and stole the personal and financial data of tens of thousands of the bank's customers); Hendricks v. DSW Shoe Warehouse Inc., 444 F.Supp.2d 775, 777 (W.D.Mich.2006) (hackers accessed "the numbers and names associated with approximately 1,438,281 credit and debit cards and 96,385 checking account numbers and drivers' license numbers" that were on file with a national shoe retailer). But even in those cases, the plaintiffs failed to allege "that they or any other member of the putative class already had been the victim of identity theft as a result of the breach." Pisciotta, 499 F.3d at 632; see also Hendricks, 444 F.Supp.2d at 779. These courts reasoned that in the absence of unauthorized charges as to the plaintiffs or those similarly situated, the plaintiffs there lacked a reasonable basis for fearing there would be unauthorized charges to their accounts as a result of the theft. That very reasoning suggests that these courts would reach a different result if the plaintiffs alleged that they had suffered fraudulent charges to their accounts. Here, plaintiff Valburn purchased theft insurance only after learning of an unauthorized $500 cash withdrawal from her account and speaking with the fraud unit at Discover Card. Knowing her personal data had been breached and misused, and knowing the thieves were sophisticated and had rung up thousands of unauthorized charges, plaintiff Valburn had a reasonable basis for purchasing identity theft insurance to avoid further damage.
Hannaford also argues that even if these damages are cognizable in negligence, they are not cognizable in contract. In support of this argument, Hannaford cites the Maine Law Court's statement, in its answer to the certified questions, that "contract damages are more restricted than compensatory damages for a tort." In re Hannaford, 4 A.3d at 497. While true, that statement is inapplicable here. As explained by the Law Court and the body of precedent on which it relied, contract
General principles of recovery in both contract and tort, which are not applicable to the mitigation damages we have discussed, do bar the plaintiffs' remaining claims. The district court correctly concluded that the plaintiffs' claims for loss of reward points, loss of reward point earning opportunities, and fees for pre-authorization changes were not recoverable.
We conclude that the two forms of mitigation damages we have discussed are cognizable under Maine law and we reverse the district court's dismissal of the plaintiffs' negligence and implied contract claims as to those damages. We affirm the district court's dismissal of the remaining claims. So ordered. No costs are awarded.
The putative class period is from December 7, 2007 to March 10, 2008.
It may be, as Hannaford suggests, that major card brands have instituted contractual zero-liability protection, with the result that customers are not liable for any amount of a fraudulent charge. But at the motion to dismiss stage, we cannot say that customers face no risk of even a $50 liability from unauthorized use. Nor is Hannaford's argument directly relevant: it does not change the fact that in these circumstances it is entirely reasonable for customers to attempt to mitigate harm to themselves.
