Thursday, September 23, 2010

Maine high court limits damage claims in data breaches

A little over two years ago Hannaford Brothers, a large grocery retailer in the Eastern U.S., suffered one of the worst data breaches (bankinfosecurity.com) up to that time. There were many lawsuits filed as a result of the breach. This week the high court in Maine ruled on the validity of some of those cases.

According to a report on WGME 13 in Portland, Maine, the high court ruled that you cannot sue for damages unless you suffer "financial losses, physical harm or identity theft."

I'm sure this disappointed the people trying to regain money for the time they spent straightening out the mess caused because their credit card info was stolen in Hannaford's breach. I'm not sure I agree with the court decision, but I can understand it. I think. On the one hand, the time and effort spent was directly related to the data breach. On the other hand, there was no financial cost, no damage, nothing that was "lost" (except time, the one thing you can't replace), and the cost of paying reparation to people who didn't suffer any actual harm could open the gateway for all kinds of lawsuits with dubious claims that would tie up the courts, often with little chance of success.

The law is different in every state, so the Maine decision may not have any bearing on lawsuits filed anywhere else - but it is a precedent, and lawyers will pull precedents from wherever they can find them. Only time will tell how much effect this decision will have outside of Maine.