Data security responsibilities are, at times, not met with the level of diligence that compliance requires. Compliance standards, for many businesses, institutions, and service entities, are not as well specified as one might be led to believe. The disjuncture between responsibilities and efforts is becoming more evident with each passing day, as cyber incidents leave consumers and business establishments with alarming concerns.
It is commonly prescribed that personal data embedded in digital record transmissions must be transferred securely. However, the confidence that a service consumer, medical patient, loan customer, or even a student at an ATM demonstrates daily with every swipe and approval rests on the unseen information processing that the venue operates in order to provide the desired service. If that confidence is shaken by the notion that private information is not being handled securely, digital transactions will experience a hiccup, the public consumer will seek other means to transact, and back to cash and brick-and-mortar we go. The integrity of the merchant's secure appearance is called into question and becomes untenable.
At the point of transaction, the consumer is left with the confidence that the banking information provided to the institution is being transmitted securely and that the data is being recorded accurately, especially as balances are verified. But what if the merchant does not follow these measures? How should a cyber incident be treated when negligence is involved in the mishap? Who is to be held accountable for demonstrating that the duty of care was met?
Negligence was at issue in In re Hannaford Bros. This Maine District Court case involved a data security incident arising from a third party stealing consumer data from grocery transactions. The question raised in the case was whether a customer can recover from the grocer for loss resulting from the third party's data theft. From the consumer's point of view, there is an understandable tendency to enjoy the convenience of a digital transaction by using a credit card at a store. Yet, with the convenience, there is also the risk of fraud and misuse of the account information, i.e., PII. The average consumer believes that the law should address and protect their PII in circumstances where confidential information is stolen, and should allow for redress against the merchants and financial institutions. But how negligence should be analyzed in cyber incidents remains an open question, addressed through the traditional tort concepts of duty, breach, and causation, with the ultimate requirement of a tangible injury. Analysis under Article III has long served to settle, in each case, whether the requisite case-and-controversy criteria are met.
Negligence, however, seems to stand on an island in cyber incidents. To the individuals affected by a cyber incident, the risk of fraudulent use of their account information is very real. So, the argument goes, the law should provide some form of protection. How that protection is conceived is still debatable. The grocery establishment in Hannaford Bros. argued, as is typical, that the law already provides protection to consumers by agreement. For instance, the Electronic Fund Transfer Act limits a consumer's liability for fraudulent debit card transactions to no more than $50 (or, if the consumer fails to notify his bank "within two business days after the consumer learns of the loss or theft," no more than $500). 15 U.S.C. § 1693g(a). Defendants usually argue as well that the industry provides similar limits through contractual agreements with credit vehicles and associations such as Visa and MasterCard. Store merchants will always seek to have the courts impose responsibility on the banks that issue the cards as the avenue for any recourse to the consumer. So cyber incidents involving the misappropriation of digital transaction data pit the consumer against the financial institutions, to the liking of merchants, or against the merchants, to the liking of the financial institutions.
In the Hannaford case, the plaintiffs found themselves pitted against the merchant, to determine the level of care the merchant undertook in handling the digital data of credit and debit card transactions. The plaintiffs argued that "… [they] made use of debit cards and credit cards issued by financial institutions to access their bank accounts or create credit relationships." Furthermore, that the merchant "provided electronic payment services," but failed "to maintain the security of private and confidential financial and personal information of … credit and debit card customers at supermarkets in . . ." in several states, including Florida. Hannaford did not dispute that it was subject to a reasonable duty of care; rather, it argued that it was not subject to liability for economic loss outside the traditional personal injury and property damage considerations. The court stated that "in a grocery transaction where a customer uses a debit or credit card, a jury could find that there is an implied contractual term that Hannaford will use reasonable care in its custody of the consumers' card data, the same level of care as the negligence tort . . ." Hence, the conclusion was that consumers can recover against a merchant when payment data are stolen, if the merchant's negligence is the direct cause of the loss in the customer's account. In this case, the negligence analysis was framed around the breach of a duty of care and the causation of the loss of data security.
In re Hannaford Bros. Co. MDL Docket No. 2:08-MD-1954. United States District Court, D. Maine. May 12, 2009.
PII: Personal Identifying Information