retail news in context, analysis with attitude

In Maine, the Portland Press Herald reports that a US District Court judge plans to rule in the next few days whether Delhaize-owned Hannaford Bros. “is potentially liable for damages because of a data breach that exposed more than 4 million credit and debit card numbers to computer hackers.” The breach took place between December 2007 and March 2008 and resulted in some 1,800 fraudulent charges.

According to the story, “The case boils down to a couple of central questions: To what extent are merchants responsible for securing the electronic data that gets processed with every noncash purchase, and what should the consequences be when that data is stolen?”

Plaintiffs in the case are seeking class action status and want the case to go forward, while Hannaford Bros. has asked Judge D. Brock Hornby to dismiss the case. The plaintiffs maintain that Hannaford knew about the breach for three weeks before going public, and therefore ignored the best interests of its shoppers; Hannaford argues that because none of the shoppers lost any money in the case – credit card holders are protected by agreements with Visa and MasterCard that require them to be reimbursed for fraudulent charges – there is no basis for a lawsuit.

KC's View:
Tough one. If I recall correctly, Hannaford actually exceeded the requirements of all disclosure rules…and made the point that one of the reasons it delayed telling customers was that it might have compromised an ongoing investigation.

Which seems reasonable to me.

On the other hand, the judge could decide that this needs to resolved by a jury in open court, because larger issues of transparency and disclosure are at stake here. In which case, even it eventually wins the case, Hannaford is facing months of unpleasant headlines.