DECISION AND ORDER ON DEFENDANT HANNAFORD BROS. CO.'S MOTION TO DISMISS
D. BROCK HORNBY, District Judge.
A customer uses a credit card or debit card to buy groceries. A third party steals the electronic payment data from the grocer. Can the customer then recover from the grocer any loss resulting from the third-party data theft? That is the question this case poses.
The consumer plaintiffs see electronic payment systems as a technological development that, in addition to convenience, has created great risk of fraud to consumers, "increas[ing] exponentially the risk that consumers will be victimized by fraudulent misuse of their account access information." According to them, "the financial chaos and disruption of personal affairs that will churn in the wake of a massive theft of confidential credit and debit card access information is readily foreseeable, indeed, almost inevitable." The plaintiffs say that "[t]he law must step in to protect persons impacted by the actions of others over whom they have no effective control. This is certainly the case with credit card customers versus merchants and financial institutions."1
The defendant grocer, Hannaford Bros. Co. ("Hannaford"), on the other hand, sees a well-functioning financial payment system that depends upon complex contractual relationships among the participants. These participants are consumers, merchants, organizations that create the card brands, banks that issue the cards to the consumers, and banks that accept the card transactions presented to them by the merchants.2 Hannaford points to consumer protections that law and contract already provide,3 and lists "numerous reasons why the institutional competencies of the judiciary are not well-suited to supplementing the protection given by legislation and private rule."4 Hannaford urges that "courts should not step in" and "may work mischief for all by altering the balance of interests set by agreement."5 Hannaford believes that any consumer recourse should lie only against the banks that issue the cards and post the transactions to the consumers' accounts, not against merchants like Hannaford.6
For those wanting a definitive answer to this question of who should bear the risk of data theft in electronic payment systems, my ruling will be unsatisfactory. In this case, the answer depends wholly on state law, and the state law is still undeveloped. My role as a federal judge is simply to apply state law, not extend it, retract it, or modify it through broad strokes so as to accommodate the complex financial arrangements and risks that the parties portray.7
My answer to the liability question between customer and grocer is this: Under Maine law as I understand it, when a merchant is negligent in handling a customer's electronic payment data and that negligence causes an unreimbursed fraudulent charge or debit against a customer's account, the merchant is liable for that loss. In the circumstances of this case, there may also be liability under Maine's Unfair Trade Practices Act ("UTPA")8 for an unfair or deceptive trade practice.9 But if the merchant is not negligent, or if the negligence does not produce that completed direct financial loss and instead causes only collateral consequences—for example, the customer's fear that a fraudulent transaction might happen in the future, the consumer's expenditure of time and effort to protect the account, lost opportunities to earn reward points, or incidental expenses that the customer suffers in restoring the integrity of the previous account relationships—then the merchant is not liable.
I rule here on Hannaford's motion to dismiss the plaintiffs' consolidated complaint for failure to state a claim upon which relief may be granted. Fed.R.Civ.P. 12(b)(6). I heard oral argument April 1, 2009. For purposes of the motion, I must assume that all that the plaintiffs say in their consolidated complaint is true,10 because Hannaford's contention is that even if it all is true, the plaintiffs are entitled to no relief from or against Hannaford. Hannaford's motion is GRANTED IN PART AND DENIED IN PART.
The plaintiffs have been customers at Hannaford, at Sweetbay supermarkets in Florida owned by Hannaford, and at independent stores where Hannaford provides electronic payment processing services.11 "[I]n the course of making purchases at these stores, ... [they] made use of debit cards and credit cards issued by financial institutions to access their bank accounts or create credit relationships."12 They say that Hannaford "provided electronic payment services," but failed "to maintain the security of private and confidential financial and personal information of ... credit and debit card customers" at supermarkets in Maine, Vermont, New Hampshire, New York, Massachusetts, and Florida.13
The plaintiffs say that, beginning December 7, 2007, third-party "wrongdoers obtained access to [Hannaford's] information technology systems and, until containment of this security breach on or about March 10, 2008, stole private and confidential debit card and credit card information, including up to an estimated 4.2 million debit card and credit card numbers, expiration dates, security codes, PIN numbers and other information belonging to [the] [p]laintiffs and other customers ... who had used debit cards and credit cards to transact purchases at supermarkets owned or operated by [Hannaford]."14 The plaintiffs do not claim that wrongdoers acquired customer names from Hannaford.15 They say that credit card association Visa, Inc. notified Hannaford on February 27, 2008, that Hannaford's information technology system had been breached,16 and that Hannaford discovered the means of access on March 8, 2008,17 contained it and notified certain financial institutions on March 10, 2008,18 but made no public disclosure until March 17, 2008,19 and even then, made an inadequate disclosure.20
"As a result of this breach of security," the plaintiffs claim that they incurred the following damages: (i) customers' "debit cards and credit cards were exposed and subjected to unauthorized charges;" (ii) their "bank accounts were overdrawn and credit limits exceeded;" (iii) they "were deprived of the use of their cards and access to their funds;" (iv) they "lost accumulated miles and points toward bonus awards and were unable to earn points during the interval their cards were inactivated;" (v) those customers "who requested their cards be cancelled were required to pay fees to issuing banks for replacement cards;" (vi) those customers "who had registered their cards with online sellers were required to cancel and change their registered numbers;" (vii) their "preauthorized charge relationships were disrupted;" (viii) they "expend[ed] time, energy and expense to address and resolve these financial disruptions and mitigate the consequences;" (ix) they "suffered emotional distress;" (x) their "credit and debit card information is at an increased risk of theft and unauthorized use;" and (xi) some customers "purchased identity theft insurance and credit monitoring services to protect themselves against possible consequences."21
The plaintiffs have sued Hannaford for damages for those losses and for injunctive relief. In addition to damages, they want me to order Hannaford to provide credit monitoring to all affected customers and notify each of them "exactly what private and confidential financial and personal information of each Class member was exposed to theft and was, in fact, stolen."22
The plaintiffs want to bring this lawsuit as a class action. They assert federal jurisdiction under the Class Action Fairness Act of 2005 ("CAFA"), 28 U.S.C. § 1332(d). To satisfy that statute, they allege that at least one plaintiff has citizenship different from the defendant Hannaford, that there are more than 100 class members, and that the amount in controversy exceeds $5 million.23 Hannaford has not contested federal jurisdiction.
(2) Choice of Law
As a result of a Multi-District Litigation Judicial Panel Transfer Order, this lawsuit consists of cases from Florida, Maine, New Hampshire, Massachusetts, New York and Vermont.24 It is an interesting question which state's or states' laws should apply to grocery transactions occurring in these six different states. (No party contends that federal law governs.) According to the Consolidated Complaint, Hannaford is incorporated and headquartered in Maine.25 It provided the electronic payment processing services for all the transactions—those at its own named stores throughout Maine, New Hampshire, Massachusetts, New York and Vermont, those in Florida at its sister corporation Kash `N Karry (Sweetbay)'s stores, and those at certain independently owned stores in various states.26 Upon reading the parties' legal memoranda, I had expected that I might have to differentiate among state laws according to where the transaction in question occurred; state laws vary significantly on some of the issues I discuss in this opinion. Moreover, both sides went to great lengths to reconcile various lower court decisions from a number of states.27 But at oral argument the parties agreed that Maine law alone should control the outcome of the defendant's 12(b)(6) motion.28 I therefore make my ruling based solely upon Maine law.
(3) The Plaintiffs' Claims in the Consolidated Complaint
In their quest to make Hannaford pay them money and provide credit monitoring and specific disclosure of what was stolen, the plaintiffs have asserted seven different bases under Maine law: I. Breach of implied contract; II. Breach of implied warranty; III. Breach of duty of a confidential relationship; IV. Failure to advise customers of the theft of their data; V. Strict liability; VI. Negligence; and VII. a violation of the Maine Unfair Trade Practices Act, 5 M.R.S.A. § 205-A, et seq. I consider each claim separately, using Maine Law Court precedents and Maine statutory language where available.
(A) Count I. Breach of Implied Contract
Both sides agree that at the point of sale—the cash register—there is a contract for the sale of groceries.29 The consumer buys the groceries and, in exchange, pays the merchant for them. That is a contract for the sale of goods under Article 2 of Maine's Uniform Commercial Code, 11 M.R.S.A. § 2-101, et seq. But the parties disagree over what that contract says about the terms of the payment relationship when the consumer swipes a card through the merchant's card-reading terminal instead of tendering cash. The plaintiffs assert that the merchant and consumer implicitly agree at the point of sale that the merchant will guaranty the consumer's electronic data against all intrusion.30 Hannaford argues that there is no such agreement.31 I accept neither argument in its entirety.
In this claim, the plaintiffs do not allege that there is any explicit agreement between consumer and merchant about Hannaford's electronic payment processing system,32 a position that seems consistent with cashier and customer behavior in grocery checkout lines. But Maine law is clear that a contract can have unarticulated implied terms:
[A] contract includes not only the promises set forth in express words, but, in addition, all such implied provisions as are indispensable to effectuate the intention of the parties and as arise from the language of the contract and the circumstances under which it was made.33
Whether a contract includes an implied term is a question of fact for the jury under Maine law.34 But for a jury to be able to find such a provision, it "must be absolutely necessary to effectuate the contract,"35 and "indispensable to effectuate the intention of the parties."36 I apply those Maine legal principles to the facts that the consumer plaintiffs allege here.
A grocery sale contemplates that the consumer will give the grocer payment. That is part of the contract for the grocery transaction.37 For payment, a grocer may accept currency, coupons, checks, credit cards or debit cards.38 If the consumer presents a check, Article 3 of Maine's Uniform Commercial Code (Negotiable Instruments) imposes various obligations and expectations as a matter of law.39 If the consumer tenders cash or coupons, a jury could reasonably find that the merchant is entitled to expect the currency or coupons to be authentic, not counterfeit, as an implied term of the contract of sale, "absolutely necessary" to its effectuation.40
If a consumer tenders a credit or debit card as payment, I conclude that a jury could find certain other implied terms in the grocery purchase contract: for example, that the merchant will not use the card data for other people's purchases, will not sell or give the data to others (except in completing the payment process), and will take reasonable measures to protect the information (which might include meeting industry standards), on the basis that these are implied commitments that are "absolutely necessary to effectuate the contract," and "indispensable to effectuate the intention of the parties."41 A jury could reasonably find that customers would not tender cards to merchants who undertook zero obligation to protect customers' electronic data. But in today's known world of sophisticated hackers, data theft, software glitches, and computer viruses, a jury could not reasonably find an implied merchant commitment against every intrusion under any circumstances whatsoever (consider, for example, an armed robber confronting the merchant's computer systems personnel at gunpoint). Thus, I conclude that a jury could not reasonably find that an unqualified guaranty of confidentiality by the merchant is "absolutely essential" to the contract for a sale of groceries (there is no reason to believe that consumers would cease using their cards in the absence of a 100% guaranty of data safety). I reach the same conclusion for the plaintiffs' other proposed implied contractual term, that Hannaford implicitly agreed "to notify them that the confidentiality of such information was compromised."42 Consumers might like to know that, but there is no basis for a jury to conclude that such a notification term is "indispensable to effectuate" their intentions, "absolutely necessary to effectuate the contract."43
In short, I conclude that in a grocery transaction where a customer uses a debit or credit card, a jury could find that there is an implied contractual term that Hannaford will use reasonable care in its custody of the consumers' card data, the same level of care as the negligence tort standard I discuss later.
(B) Count II. Breach of Implied Warranty
The plaintiffs contend that in accepting a credit card or debit card, Hannaford also warranted that its electronic payment processing system "was fit for its intended purpose, namely the safe and secure processing of credit and debit card payment transactions."44 They also allege that the system was in fact not fit, because it "allowed wrongdoers to steal customers' confidential personal and financial data,"45 and that Hannaford therefore breached that implied warranty of fitness.
The Uniform Commercial Code, as adopted in Maine, provides:
Where the seller at the time of contracting has reason to know any particular purpose for which the goods are required and that the buyer is relying on the seller's skill or judgment to select or furnish suitable goods, there is ... an implied warranty that the goods shall be fit for such purposes.46
That is what is known as an implied warranty of fitness for a particular purpose, and the plaintiffs refer to that warranty in their legal memorandum.47 But this UCC implied warranty cannot help these consumer plaintiffs because it applies to the goods sold, here, the groceries.48 The term "goods" does not include the payment mechanism.49
Moreover, the implied warranty that the consumer plaintiffs ask me to recognize in this case does not otherwise fit the warranty of fitness for a particular purpose. The UCC defines that warranty as involving transactions where the buyer has a "particular" purpose for the goods (i.e., not the same purpose as all purchasers), and the seller has reason to be aware of that particular purpose and of the purchaser's reliance on the seller to select suitable goods accordingly.50 The Law Court says that to prevail on a claim for breach of the implied warranty of fitness for a particular purpose, the plaintiff must show that a "purchaser ha[s] a particular purpose outside the scope of ordinary purposes" of the goods.51 These consumer plaintiffs do not meet that standard. They are no different in their use of Hannaford's electronic payment system than all other grocery purchasers. They have no "particular" purpose. The plaintiffs concede as much, and argue instead that the statute provides an "analogue" on which a Maine court should draw in crafting a common law implied warranty to fit their situation.52 Hannaford asserts that no such common law warranty is available in this case.
According to the plaintiffs, under Maine's common law, "[i]mplied warranties of fitness for a particular purpose arise not only in connection with the sale of tangible personal property, but also in connection with arrangements for the use of personal property provided by one party for the mutual benefit of owner and user."53 They cite a 1927 pre-UCC Maine case, where one company rented to another company a "heater plant" so that the second company could use the heater plant in the process of laying hot asphalt. The Law Court said:
It is a general rule, which seems to be well established by the authorities, that, where a bailment for mutual benefit of a bailor and a bailee is one of hire, there is imposed on the bailor, in the absence of special contract or representation, an obligation that the thing or property hired for use shall be reasonably fit for the use or capable of the use known to be intended, that is, that it shall possess the quality usually belonging to things of that kind when used for the same purpose.54
That case, Gaffey v. Forgione & Romano Co., was not a sale-of-goods case, but a "bailment" case, where the equipment was rented and taken away by the user.55 The general warranty of fitness (it was not fitness for a "particular" purpose) announced in Gaffey was based on the fact that the transaction was for mutual benefit and involved compensation ("one of hire"). Here, the overall grocery transaction is one of mutual benefit, involving compensation; retailers provide electronic payment mechanisms because, in the quest to encourage sales, it is to their advantage to make it easy for consumers to pay. But the customers do not pay extra for using plastic and electronic processing rather than cash.
One cannot tell from the Law Court's announced "general rule" in Gaffey whether it meant to limit that warranty of fitness to circumstances where the customer pays separately for use of the equipment and takes the equipment away (as in the conventional bailment that Gaffey described), or to extend it as well to customers using the equipment on the premises with or without a separate fee (compare the electronic payment processing here with use of equipment at a tanning salon or spa, or use of an ATM on or off premises).56 The parties have presented no further statement from the Law Court on this topic during the 80+ years since Gaffey. But in the analogous area of strict liability,57 it is clear that the general common law as it has developed in other jurisdictions would not apply to circumstances like these:
When products are made available as a convenience to customers who are on the defendant's premises primarily for different, although related purposes, and no separate charge is made, strict liability is not imposed. Thus, bowling alleys that supply bowling balls for customer use and markets that supply shopping carts are not subject to strict products liability for harm caused by defects in those items.58
Under these circumstances, I conclude that the Maine Law Court is unlikely to extend Maine law to apply an implied warranty of fitness to a grocer's electronic payment processing systems.
(C) Count III. Breach of Duty of a Confidential Relationship
The plaintiffs say that a customer and a merchant enter into a confidential relationship whenever a customer uses a credit card or debit card as payment. They maintain that this confidential relationship imposes extra, fiduciary-like obligations on the merchant, which require both a guaranty that the card data will remain sacrosanct,59 and full disclosure to customers of the nature of any security breach as soon as the merchant learns of the breach.60 Hannaford disagrees, saying that grocery sales with electronic debit or credit card payments are nothing but ordinary arm's length commercial transactions, with no special duties of care.61
Maine cases do recognize that "fiduciary or confidential relations `are deemed to arise whenever two persons have come into such a relation that confidence is necessarily reposed by one and the influence which naturally grows out of that confidence is possessed by the other.'"62 In some circumstances, Maine law "would impose fiduciary duties upon the `superior' party" arising out of such a relationship.63 To state such a claim, a plaintiff must (1) "allege `the actual placing of trust and confidence'" in the other, and (2) "show that there is some disparity in the bargaining positions of the parties and  that the dominant party has abused its position of trust."64 Here, the plaintiffs allege that they placed "trust and confidence" in Hannaford in using their cards to pay for groceries,65 the first element, and that Hannaford "had the benefit of a disparity of position and control,"66 the second element. For the third element, they seem to focus on what Hannaford did after learning of the intrusion: "Defendant abused its superior position in order to, among other things, avoid adverse effects to its business, maintain positive public relations, and retain Plaintiffs and Class members and other customers and entice them to continue shopping and making debit card and credit card transactions in its stores."67
I am doubtful, first, that the "trust and confidence" that the plaintiffs allege here is the type of trust and confidence contemplated by the Maine cases. Those cases deal with family relationships, joint ventures or partnerships, and lender/borrower relations where one party has taken advantage of another for purposes of acquiring or using the other's property or assets.68 There is no such relationship here.
I am also doubtful that the allegations about the third element, abuse of trust, meet the Maine standards, for in the Maine cases the superior party was generally obtaining the subordinate party's property unfairly, to keep for itself.69 There is no suggestion here that Hannaford failed to provide a fair exchange in groceries for the customers' payments.
In any event, the plaintiffs cannot show that a grocery purchase relationship is characterized by a "disparity in the bargaining position of the parties" within the meaning of the Maine cases' second element.70 Hannaford does not have a monopoly on the sale of groceries and does not require the use of credit or debit cards; the customer is free to use cash to complete the transaction, or to shop at other grocers.71 And there is nothing about these particular consumer plaintiffs that distinguishes them from the mass of consumers who buy groceries and use plastic to do so.72 I see nothing in Maine law that suggests that an entire class, such as all people who use plastic to buy groceries, can fit this confidential relationship category, as distinguished from individuals who present particular fact patterns of a special relationship.73 In the merchant/consumer relationship of bank/borrower, for example, the Law Court ruled that a bank/borrower relationship did not qualify as a confidential relationship unless a party could "demonstrate `diminished emotional or physical capacity or ... the letting down of all guards and bars,'"74 simply not the case here. I conclude that the plaintiffs' allegations do not establish a confidential relationship under Maine law.
(D) Count IV. Breach of a Duty to Advise Customers of the Theft of their Data
The plaintiffs present no Maine cases to show that Maine common law recognizes this claim—breach of a duty to advise customers of the theft of their data once it occurred—as a stand-alone claim. In response to my questions at oral argument, their lawyer argued that this is a claim of negligent misrepresentation by omission: that after learning of the data theft, Hannaford's failure to warn consumers thereafter was, in effect, a misrepresentation that the Hannaford data payment system was operating in a secure fashion.75 Although it is not clear from Count IV's allegations, the plaintiffs may be relying on their confidential relationship assertion here. The Maine cases do impose a duty to disclose when there is a confidential relationship between the parties.76 But I have already concluded that the plaintiffs cannot support their confidential relationship assertion. Without that special relationship, there is no Maine claim for failure to disclose,77 unless there is an active concealment of the truth,78 not the case here.79 In the absence of a confidential relationship, therefore, this claim cannot proceed.
Moreover, Maine has a statute, the "Notice of Risk to Personal Data Act," which details the scope of merchants' obligations to notify customers of data theft. They must do so "as expediently as possible and without unreasonable delay," but there are qualifications: "consistent with the legitimate needs of law enforcement ... or with measures necessary to determine the scope of the security breach and restore the reasonable integrity, security and confidentiality of the data in the system."80 The plaintiffs have not claimed that Hannaford breached this statute (and the statute does not recognize any private recovery for its breach).81 Although the statute does not "affect or prevent" other remedies that may be available under state or federal law,82 its detailed standards certainly give me reason to be wary of creating any new state standards where the Maine Law Court has not already clearly provided a remedy.
(E) Count V. Strict Liability
The consumer plaintiffs argue that Hannaford should be held "strictly liable for the loss and damage [they] suffered,"83 because "[i]ncreasing reliance on electronic means of payment and other recording of personal identity and financial data has left consumers increasingly susceptible to personal data and identity theft, the adverse consequences of which also are of increasing severity."84 The plaintiffs assert that "[s]afeguarding private and confidential data of [consumers] ... is solely within the control of [Hannaford]..., who [is] best able to distribute the cost of maintaining the security of that data and the consequences of the breach of such security,"85 and that this public policy argument favors judicial imposition of strict liability on Hannaford.86 Hannaford disagrees and warns against judicial intervention of this sort.87
The history of strict liability—liability imposed on a defendant despite its exercise of all reasonable care—can be traced to Fletcher v. Rylands, 1 L.R.-Ex. 265 (Ex. Ch. 1866), a nineteenth century English case that dispensed with proof of negligence as a prerequisite to liability for "non-natural" or potentially "mischievous" activities.88 In Maine, the Legislature has enacted a statute that imposes strict liability for the sale of defective goods.89 But apart from the statute, the Law Court traditionally has limited the scope of the Fletcher principle, suggesting that common law strict liability applies, if at all, only to extra-hazardous activities.90 The Restatement (Second) of Torts endorses the imposition of strict liability for "abnormally dangerous" activities, where there is "high degree of risk" of "great" harm that cannot be eliminated "by the exercise of reasonable care."91 Common law also enforces strict liability for injuries caused by wild animals or by domestic animals with known abnormally dangerous tendencies.92
This case does not involve the sale of defective goods, an "abnormally dangerous" activity, or injury by animal. Instead, the plaintiffs ask me to conclude that this new area of electronic data theft is rife with risk and damage, calling for a new common law remedy.93 Such an expansion of Maine law is for the Maine Law Court or Legislature, not for me as a federal judge.94 Moreover, as I noted under the discussion of implied warranty,95 the general common law does not support the expansion of strict liability that the plaintiffs have requested. I conclude that there is no basis for strict liability in this case under current Maine law.
(F) Count VI. Negligence
Under Maine law, the judge must decide, as a matter of law, whether a defendant has a tort-based duty to a plaintiff.96 If the judge finds a duty, "the duty is always the same—to conform to the legal standard of reasonable conduct in the light of the apparent risk."97 It is then up to the factfinder to decide whether the defendant has violated the standard of care, i.e., has been negligent.98 Hannaford does not argue that it is exempt from the duty of reasonable care.99 What it does contest is whether the duty extends to the economic loss that the plaintiffs claim in this case, rather than traditional personal injury or property damage.100
Hannaford argues that the so-called economic loss doctrine prevents any tort recovery here because the claimed damages all arise out of the contractual relationship that customers and Hannaford enter into at the point of sale.101 It is true that, in some jurisdictions, courts have applied this "economic loss doctrine" to prevent tort recovery altogether for purely economic damages incurred by parties to a contractual relationship, unless there is also personal injury or physical property damage.102 But the doctrine started out much narrower, and the Maine Law Court has never had occasion to broaden its application. According to the Law Court's last statement on the topic in 1995, the economic loss doctrine stands for the proposition that "[c]ourts generally ... do not permit tort recovery for a defective product's damage to itself."103 The Law Court explained the "rationale underlying this rule" as follows: "damage to a product itself `means simply that the product has not met the customer's expectations, or, in other words, that the customer has received `insufficient product value.' The maintenance of product value and quality is precisely the purpose of express and implied warranties.'"104
Thus, the economic loss doctrine as Maine's Law Court has described it does not apply to prevent negligence-based tort recovery here. This is not a case about a defective product that Hannaford sold to the consumer. Even if there is a "defective product" here (extending the doctrine beyond the groceries sold to include Hannaford's making available an electronic payment system in the transaction), the recovery that the plaintiffs seek in this lawsuit is not for damage to that product. And the rationale for the economic loss doctrine as Maine describes it (no tort recovery for "insufficient product value"105) does not fit the nature of the tort recovery that the plaintiffs seek. Certainly there are arguments for broadening the economic loss doctrine's limits on tort recovery, but that is a decision for Maine's Law Court. From the Law Court's most recent pronouncement (1995) on the economic loss doctrine, I conclude that Maine law does not give Hannaford a defense to tort recovery for negligence.
(G) Count VII. Maine's Unfair Trade Practices Act106
Maine's Unfair Trade Practices Act says that "unfair or deceptive acts or practices in the conduct of any trade or commerce are declared unlawful."107 A consumer who purchases goods or services and "suffers any loss of money or property" as a result of such an act or practice can sue a defendant for "actual damages, restitution" and equitable relief.108 Maine's Law Court has said that the limits of the Act "are best defined on a case by case basis," and that "the complained of conduct should have some attribute of unfairness or deception to invoke its mechanisms."109 According to the Law Court, "[s]tanding alone, garden variety breaches of warranty do not necessarily constitute an unfair or deceptive trade practice."110
The plaintiffs here maintain that Hannaford's failure to disclose the data theft promptly, once Hannaford learned of it, was unfair and deceptive.111 The Law Court says that under the UTPA:
An act or practice is deceptive if it is a material representation, omission, act or practice that is likely to mislead consumers acting reasonably under the circumstances. A material representation, omission, act or practice involves information that is important to consumers and, hence, likely to affect their choice of, or conduct regarding, a product. An act or practice may be deceptive, within the meaning of Maine's UTPA, regardless of a defendant's good faith or lack of intent to deceive.112
A jury could find that, if Hannaford had disclosed the security breach immediately upon learning of it from Visa, customers would not have purchased groceries at its stores with plastic during that period from February 27, 2008, until Hannaford contained the security breach March 10, 2008. That would be an "omission ... that is important to consumers and, hence, likely to affect their ... conduct regarding, a product."113 As the Law Court has said, conduct may be deceptive even though the merchant operated in good faith or without intent to deceive.114 This is a less demanding standard than the common law claim that I discussed in Count IV.
Moreover, in a somewhat similar case involving retailer TJX, the First Circuit recently interpreted a Massachusetts statute whose substantive provision is identical to Maine's UTPA.115 It said:
If the charges in the complaint are true (and obviously the details matter), a court using these general FTC [Federal Trade Commission] criteria might well find in the present case inexcusable and protracted reckless conduct, aggravated by failure to give prompt notice when lapses were discovered internally, and causing very widespread and serious harm to other companies and to innumerable consumers. And such conduct, a court might conclude, is conduct unfair, oppressive and highly injurious— and so in violation of chapter 93A [Massachusetts' UTPA provision] under the FTC's interpretation.116
As a result, the First Circuit ruled, the claim could not be dismissed as an unfair trade practice.117 In TJX, the retail seller and its bank allegedly had made negligently false "implied representations" that they had implemented industry security measures required by industry practice, and then failed to announce a third-party intrusion into the retailer's electronic data system until a month after the security breach was discovered.118 The plaintiffs in TJX were the banks who had to reimburse consumers for resulting fraudulent transactions.119 The First Circuit treated their claim as an unfair trade practices claim and ruled that the claim could not be dismissed because of both "general FTC factors" and the "more precise precedents."120
The relevance of "general FTC criteria" or "general FTC factors" is that both the Maine and Massachusetts statutes instruct the courts to be "guided by" the Federal Trade Commission's interpretations of a comparable federal statute, 15 U.S.C. § 45(a)(1) ("Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.").121 The "more precise precedents" that the First Circuit referred to were "the host of FTC complaints and consent decrees condemning as `unfair conduct' specific behavior similar to that charged by plaintiffs."122 According to the FTC's website, the FTC has brought over twenty complaints "charging companies with security deficiencies in protecting sensitive consumer information."123 The FTC has brought these complaints against many types of corporations, including several retailers, alleging that they failed to use reasonable and appropriate security measures to prevent unauthorized access to personal information stored on computer networks, in violation of the Federal Trade Commission Act, 15 U.S.C. § 45.124 The First Circuit said that the "FTC precedent and factors" are "ordinarily instructive rather than conclusive," but also said that "[w]here, as here, a substantial body of FTC complaints and consent decrees focus on a class of conduct, it is hard to see why a court would choose flatly to ignore it."125 I conclude that the FTC interpretations, as recognized by the First Circuit in the Massachusetts case, support accepting the allegations here as stating a claim under Maine's UTPA.
(4) Cognizable Injury
I have concluded above that three claims survive under current Maine law. But there is an additional requirement for a lawsuit to proceed: a plaintiff must have suffered an injury for which Maine law will grant relief, in this case either damages or injunctive relief. (For the UTPA claim, the requirement is a "loss of money or property," and that there be "actual damages,"126 a standard that the Law Court has interpreted to require a "substantial injury," so as "to weed out `trivial or merely speculative harms.'"127) Hannaford says that the plaintiffs have alleged no damages that Maine law recognizes or any injury that would support an injunction. The consumer plaintiffs disagree. I examine the plaintiffs' asserted injuries in categories.
(A) Consumer plaintiffs who never had fraudulent items posted to their accounts.
I conclude first that consumers who did not have a fraudulent charge actually posted to their account cannot recover.128 Without an actual fraudulent posting, these consumers have only the emotional distress that their accounts might be in peril.129 That does not satisfy the UTPA's requirement of loss of money or property,130 and it does not suffice for breach of contract or negligence for reasons I will describe.
For breach of contract, Maine law is very restrictive on recovery of emotional distress damages: "The general rule is that damages for emotional distress as a result of a breach of contract are not recoverable."131 The "few limited exceptions" are "breaches of contracts between carriers and innkeepers and their passengers and guests; contracts for the carriage and proper disposition of dead bodies and; contracts for the delivery of messages concerning death."132 Maine's Law Court has explicitly refused to extend the exception even to breach of a fiduciary relationship because it "would all but swallow the rule."133 The claim for breach of implied contract here fits none of the recognized exceptions. Therefore, emotional distress damages are not recoverable on the plaintiffs' claim for breach of implied contract.
For tort recovery,134 if the plaintiff can otherwise recover damages,135 Maine law generally does allow emotional distress damages as well: "We have long allowed recovery for `mental anguish and loss of enjoyment of life' in most tort actions.'"136 But Maine's Law Court has also recognized that "there can be no recovery for emotional harm ... in a few limited instances, such as negligent misrepresentation claims."137 That is because the claims there are "essentially economic in nature and serve to protect economic interests."138 That reasoning fits this case exactly; the loss here is an economic loss.
I conclude, therefore, that Maine law does not allow emotional distress damages in this economic loss case. On that same basis, the preventive expenses and time that the plaintiffs say they spent to resolve their emotional distress by protecting their accounts also are not recoverable. (This reasoning applies to emotional distress damages in all categories of loss.)
(B) Consumer plaintiffs with fraudulent charges that have not been reversed or reimbursed.
One plaintiff only, Pamela LaMotte, asserts that there are fraudulent charges on her account that, to date, her card-issuing bank has refused to remove, and that she has had to pay them.139 Hannaford argues that I should not consider these charges a cognizable injury because, under typical credit or debit card agreements, the issuing bank agrees to remove fraudulent charges.140 The plaintiffs respond that Hannaford as a wrongdoer (assuming that the plaintiffs prove negligence) cannot take advantage of the fact that Ms. LaMotte may also have a claim for recovery against her bank.141
I conclude that the plaintiffs are correct. If Hannaford's negligence has caused fraudulent postings to Ms. LaMotte's account that have not been corrected, her ability, if any, to sue her bank under her credit or debit card contract does not eliminate Hannaford's potential liability to her. I see no Maine law that holds otherwise. Under the UTPA also, she has incurred a "loss of money or property." Therefore, Ms. LaMotte's claim may proceed.142
(C) Consumer plaintiffs with fraudulent charges that were reversed and are no longer outstanding.
Other plaintiffs allege that fraudulent items were posted to their accounts as a result of the Hannaford data breach, but they do not claim that they have had to pay these amounts or that they remain outstanding. (Presumably, therefore, the issuing banks have reversed the fraudulent postings.) Nor do any of these named plaintiffs claim specific expenses incurred to remove the fraudulent charges.143 These plaintiffs claim consequential losses, however, such as overdraft fees or a bank loan to cover them, a fee for insisting on changing an account when the issuing bank thought it was unnecessary, a fee for altering pre-authorized payment arrangements, loss of accumulated reward points, inability to earn reward points during the transition to a new card, time spent in persuading the issuing bank to reverse an item or in contacting multiple pre-authorized payees, temporary lack of access to funds and inability to use the card, a canceled hotel reservation when a card was canceled, the necessity for a family loan (no interest is alleged), and the cost of identity theft insurance.
I conclude that none of these are recoverable damages under Maine law because they are too remote, not reasonably foreseeable, and/or speculative (and under the UTPA, not a "substantial injury"). Under the Maine cases, for both tort and contract recovery, "the fundamental test is one of reasonable foreseeability: if the loss or injury for which damages are claimed was not reasonably foreseeable under the circumstances, there is no liability."144 And speculative damages are not recoverable.145
First, there is no way to value and recompense the time and effort that consumers spent in reconstituting their bill-paying arrangements or talking to bank representatives to explain what charges were fraudulent. Those are the ordinary frustrations and inconveniences that everyone confronts in daily life with or without fraud or negligence. Maine law requires that there be a way to attach a monetary value to a claimed loss.146 These fail that requirement. The same is true for a consumer's temporary lack of access to funds or credit, the annoyance of a canceled hotel reservation, and the embarrassment or annoyance of obtaining a family loan.
Second, the claimed overdraft fees or loan interest to pay them are remote and not reasonably foreseeable at the time of the point-of-sale transaction. They would occur only for customers who were already near their maximum account limits or where the thieves used large (or a multitude of recurrent) charges without the fraud being discovered. Most of the plaintiff consumers here have not alleged that they incurred such fees. The same is true for fees that other merchants allegedly charged when a customer changed his or her bill-paying arrangement because of the data theft.
Third, there is no allegation to justify the claim for identity theft insurance premiums. Nothing in the Consolidated Complaint suggests any risk of identity theft from the theft of card data that did not include personally identifying information.147 Similarly, there is no allegation to justify the claim for fees to open a new account when the issuing bank said it was unnecessary. That is a prophylactic measure chosen by the customer in an abundance of caution, not in the face of any meaningful risk, and is therefore too remote to qualify as recoverable damage.
Fourth, the loss of accumulated reward points upon a change of accounts is not reasonably foreseeable. It is not apparent why an issuing bank would refuse to honor a cardholder's entitlement to accumulated points. That consequence was not reasonably foreseeable to Hannaford.
Fifth, the inability to earn reward points while obtaining a new card is too remote to justify a damage award. That consequence results from a coincidence of travel plans or a particular purchase that happened to fall in the precise window between accounts, and an apparent arbitrary unwillingness of the issuing bank to permit the cardholder to apply the points to the new account. Undoubtedly it was disappointing and annoying to that cardholder, but it was not a foreseeable consequence of Hannaford's alleged negligence.
(D) Injunctive Relief
The injunctive relief requested for these named plaintiffs is a court order to Hannaford requiring that Hannaford tell the plaintiffs "exactly what private and confidential financial and personal information... was exposed to theft and was, in fact, stolen"; and to provide credit monitoring for them going forward.148 But all of these named plaintiffs have already cancelled their compromised cards, so they individually have no need for such an injunction.149
Recurrent reports about breaches of electronic data systems—of governmental agencies, the nation's utility grid, merchants or other institutions—have generated increased apprehension, as consumers learn that the convenient card-based alternatives to cash turn out to have their own risks. This is not the first lawsuit over who bears the risk of electronic data theft,150 and it certainly will not be the last.
I make no judgment on whether the Maine Legislature or Congress should act to provide more protection for consumers. Such a decision involves complex arguments regarding the adequacy of current consumer protection, efficient risk allocation, the economics of doing business, and the efficacy of lawsuits as a way to resolve such issues. Nor do I determine whether the Maine Law Court should develop Maine common law to address these issues differently.151 I merely conclude that under current Maine law, consumers whose payment data are stolen can recover against the merchant only if the merchant's negligence caused a direct loss to the consumer's account.
The defendant's motion to dismiss is GRANTED as to the claims of all consumer plaintiffs but Pamela LaMotte. It is also GRANTED as to Pamela LaMotte on all counts except I, VI and VII. Ms. LaMotte may proceed on her claims for breach of implied contract, negligence, and an unfair or deceptive act or practice under Maine's UTPA.152
The Clerk's Office shall mail a copy of the Consolidated Complaint to the Maine Attorney General so as to comply with 5 M.R.S.A. § 213(3).
Counsel shall contact the Clerk's Office to arrange for a scheduling conference to be held in about 30 days.