PORTLAND, Maine (5/14/09)--A federal judge has dismissed all but one of the 21 consolidated civil claims filed against Maine-based grocer Hannaford Bros., whose security breach compromised four million debit and credit cards and caused hundreds of financial institutions--including credit unions--to reissue the cards. The claims, which alleged the supermarket failed to protect and notify consumers during the breach, were consolidated before the U.S. District Court in Portland, Maine. They sought damages for the loss of time, effort and incidental personal expenses in dealing with compromised accounts (Portland Press Herald and Computerworld May 13). U.S. District Court Judge Brock Hornby, in a 39 page decision, ruled that only consumers who were not reimbursed by their financial institutions for fraudulent charges on their accounts will be allowed to proceed with the lawsuit. One plaintiff, Pamela Lamotte of Colchester, Vt., was the only Hannaford shopper named in the complaint who suffered fraudulent charges that were not reversed by her bank. In dismissing the claims, Hornby said that without any actual and substantial loss of money or property, consumers could not seek damages. Under Maine law, he wrote, "consumers whose payment data are stolen can recover against the merchant only if the merchant's negligence caused a direct loss to the consumer's account." Also, consumers who might have had fraudulent charges on their accounts that were later reversed could not sue. He noted that three of the claims against Hannaford were valid under Maine law. When someone uses a debit or credit card in a grocery transaction, Hannaford should use reasonable care in protecting the card data, he wrote. Similarly, the company's apparent delay in disclosing the data breach constituted an unfair trade practice under Maine law, Hornby wrote. "A jury could find that, if Hannaford had disclosed the security breach immediately upon learning of it from Visa, customers would not have purchased groceries at its store with plastic" until the problem was corrected, the judge said. LaMotte will be able to proceed on her claims for breach of implied contract, negligence, and an unfair or deceptive act or practice under Maine law,Hornby said. The data breaches occurred between Dec. 7, 2007 and March 10, 2008. The breach was publicly announced the following March 17. By then, about 1,800 incidents of fraud had occurred. Credit unions in New England, New York and Florida were among the financial institutions that reissued cards for members whose accounts were compromised (News Now April 17, 2008).