Sunday, April 6, 2008

Hannaford Data Exposure Suit

In a development that can be expected to surprise no one, yet another merchant has announced that a security breach has resulted in the exposure of consumer data. The breach is described in this article from Computer World, as well as this article from the E-Commerce Times. The basic outline of the story is that Hannaford Bros. Co., a Maine-based supermarket chain, had its servers compromised by malware, which ended up leading to the exposure of somewhere north of 4 million debit and credit card accounts. Now that the breach has surfaced, the inevitable class action suits have been filed in federal court in Maine. While I don't have the facts necessary to comment on the merits, there are a few aspects of this case that could set it apart from the run-of-the-mill data exposure suit. First, according to the E-Commerce Times article, nearly 2000 cases of fraud have been traced to the breach. This, obviously, will be helpful to the plaintiffs, as it will help show actual damages, which have often been a stumbling block in similar cases. The second interesting aspect of this case is that Hannaford, rather than being a poster child for bad security practices a la TJX, was apparently in compliance with the PCI standards when the breach took place. This, obviously, could be helpful to the defendants, who could use their compliance with the PCI standards to rebut charges of negligence.

In any case, as I mentioned previously, I don't have the facts necessary to comment on the merits of the case. However, it seems that there are things to be said for both parties, which could make this an interesting case, one that could help provide guidance for both plaintiffs and defendants in future data exposure cases.
