The lawsuit, John Anderson et al vs. Hannaford Bros. Co., stems from a data breach at Hannaford that exposed 4.2 million credit and debit cards. The theft began in December 2007 but was not detected and disclosed by the company until March 2008. At the time of its disclosure, Scarborough, Maine-based Hannaford said it had detected about 1,800 of the compromised cards being used in a fraudulent manner. The company's disclosure prompted several issuing banks to cancel and reissue credit and debit cards as a precautionary measure against fraudulent use.

Hannaford's disclosure of the breach also prompted several consumer class-action lawsuits. In all, 26 of those lawsuits were consolidated into one lawsuit in the U.S. District Court for the District of Maine. The lawsuit charged Hannaford with breach of implied contract, negligence, violation of Maine's unfair trade practices statute and four other causes of action.

The district court, like several other courts in similar cases, dismissed all but one of the claims. The only complaint that was allowed to stand was from a woman who said she had not been reimbursed by her bank for fraudulent charges on her bank account after the Hannaford breach.

Consumers with no fraudulent charges posted to their accounts could not seek damages under Maine law; neither could those who might have had fraudulent charges on their accounts that were later reversed, the district court judge had ruled.

In its ruling last week, the appellate court agreed with the district court's decision on almost all counts. However, it held that consumers who paid for credit monitoring services or to get their banks to reissue cards as a proactive measure had a basis for making a claim against Hannaford.