Plaintiffs appeal from the dismissal of their Maine state law claims arising out of the unauthorized use of their credit and debit card data after hackers breached the electronic payment processing system of defendant Hannaford Brothers Co., where plaintiffs had shopped for groceries and used those cards.
The district court determined that plaintiffs failed to state a claim under Maine law for breach of fiduciary duty, breach of implied warranty, strict liability, and failure to notify customers of the data breach. Although the district court concluded that the plaintiffs adequately alleged breach of implied contract, negligence, and violation of the unfair practices portion of the Maine
*154
Unfair Trade Practices Act (UTPA), the district court dismissed those claims because it determined the plaintiffs’ alleged injuries were too unforeseeable and speculative to be cognizable under Maine law.
In re Hannaford Bros. Co. Customer Data Sec. Breach Litig.,
We affirm in part and reverse in part. We affirm the district court’s dismissal of all claims other than the plaintiffs’ negligence and implied contract claims. We reverse the district court’s dismissal of the plaintiffs’ negligence and implied contract claims as to certain categories of alleged damages because plaintiffs’ reasonably foreseeable mitigation costs constitute a cognizable harm under Maine law.
I.
The facts as alleged by plaintiffs in their consolidated putative class action complaint are as follows.
Hannaford is a national grocery chain whose electronic payment processing system was breached by hackers as early as December 7, 2007. 1 The hackers stole up to 4.2 million credit and debit card numbers, expiration dates, and security codes, but did not steal customer names. On February 27, 2008, Visa Inc. notified Hannaford that Hannaford’s system had been breached. Hannaford discovered the means of access on March 8, 2008, and contained the breach on March 10, 2008. Hannaford gave notice to certain financial institutions on March 10, 2008. On March 17, 2008, “Hannaford publicly announced for the first time that between December 7, 2007 and March 10, 2008, the security of its information technology systems had been breached, leading to the theft of as many as 4.2 million debit card and credit card numbers belonging to individuals who had made purchases at more than 270 of its stores.” It also announced “that it had already received reports of approximately 1,800 cases of fraud resulting from the theft of those numbers.” The unauthorized charges originated in locations across the globe, including New York, Spain, and France.
Following Hannaford’s announcement, some financial institutions immediately cancelled customers’ debit and credit cards and issued new cards, while others did not do so, telling the cardholder they wished to wait for evidence of unauthorized activity before taking action. Further, as alleged in the complaint, “financial institutions who did not immediately cancel customers’ cards monitored customer accounts for unusual activity and cancelled cards immediately upon being aware of apparent fraudulent charges or attempts to make apparently fraudulent charges, in many cases, without the knowledge of the customer.” Additional “customers suffered unauthorized charges to their debit card and credit card accounts.” Moreover, “customers who requested that their cards be cancelled were required to pay fees to issuing banks for replacement cards” and “customers purchased identity theft insurance and credit monitoring services to protect themselves against possible consequences of the breach.”
*155 The Judicial Panel on Multidistrict Litigation consolidated twenty-six separate suits against Hannaford arising out of the breach into one lawsuit in the District of Maine. The consolidated complaint alleged that at least fourteen of the named plaintiffs actually had unauthorized charges charged against their accounts. Seventeen of the named plaintiffs had their cards cancelled by the bank, and two named plaintiffs requested that their issuers give them replacement cards.
The plaintiffs alleged seven causes of action: (1) breach of implied contract; (2) breach of implied warranty; (3) breach of duty of a confidential relationship; (4) failure to advise customers of the theft of their data; (5) strict liability; (6) negligence; and (7) violation of the Maine UTPA. Plaintiffs sought damages as well as injunctive relief in the form of credit monitoring and notification of precisely what information was stolen. Hannaford moved to dismiss all claims, and the parties agreed that Maine law would govern the dispute.
Plaintiffs allege that Hannaford customers, including the plaintiffs, experienced more than the 1,800 unauthorized charges to their accounts which were known to Hannaford when it made its announcement on March 17. Plaintiffs also plead that they experienced several categories of losses said to be compensable damages for those plaintiffs who incurred them, including the cost of replacement card fees when the issuing bank declined to issue a replacement card to them, fees for accounts overdrawn by fraudulent charges, fees for altering pre-authorized payment arrangements, loss of accumulated reward points, inability to earn reward points during the transition to a new card, emotional distress, and time and effort spent reversing unauthorized charges and protecting against further fraud. In addition, they claim damages for the purchase of identity theft/card protection insurance and credit monitoring services.
In a carefully reasoned opinion, the district court granted Hannaford’s motion to dismiss as to twenty of the twenty-one named plaintiffs.
2
In re Hannaford,
For these three surviving claims, the district court concluded that dismissal depended on whether the plaintiffs’ alleged injuries as pled were cognizable under Maine law. Id. at 131. To make this determination, the district court divided the plaintiffs into three categories. Id. at 131-35. The district court determined that the first category, composed of plaintiffs who did not have fraudulent charges posted to their accounts, could not recover because their claims for emotional distress are not cognizable under Maine law. Id. at 131-33. The district court concluded that the second category, composed of the single plaintiff whose fraudulent charges *156 had not been reimbursed, could recover for her actual financial losses. Id. at 133.
As to the third category, composed of plaintiffs whose fraudulent charges had been reimbursed, the district court determined that their alleged consequential losses were “too remote, not reasonably foreseeable, and/or speculative (and under the UTPA, not a ‘substantial injury’).” Id. at 134. In particular, the district court explained, the claimed overdraft fees, loss of accumulated reward points, and loss of opportunities to earn reward points were not foreseeable at the time of sale. Id. at 134-35. Further, the district court determined that there was no way to value or compensate the time and effort that consumers spent to reverse or protect against losses, and that there was no allegation to justify the claim for identity theft insurance since no personally identifying information was alleged to have been stolen. Id. As a result, the district court determined that this third category of plaintiffs could not recover.
Finally, the district court denied the plaintiffs’ requested injunctive relief because the named plaintiffs had already cancelled their compromised cards. Id. at 135.
After the district court ruling, the plaintiffs moved to certify several questions 3 to the Maine Supreme Judicial Court (the “Law Court”). The district court certified two questions:
(1) In the absence of physical harm or economic loss or identity theft, do time and effort alone, spent in a reasonable effort to avoid or remediate reasonably foreseeable harm, constitute a cognizable injury for which damages may be recovered under Maine law of negligence and/or implied contract?
(2) If the answer to question # 1 is yes under a negligence claim and no under an implied contract claim, can a plaintiff suing for negligence recover damages under Maine law for purely economic harm absent personal injury, physical harm to property, or misrepresentation?
In re Hannaford Bros. Co. Customer Data Sec. Breach Litig.,
In light of the Law Court’s opinion, the district court ordered the parties to show cause why judgment should not be entered in favor of Hannaford on all claims. The parties offered no response and the district court entered judgment in favor of Hanna-ford.
Plaintiffs have appealed the district court’s decision regarding the fiduciary duty, breach of implied contract, negligence, and Maine UTPA claims. Hanna-ford has cross-appealed from the district court’s determinations that the plaintiffs had adequately pled a basis for an implied contract of reasonable care apart from any tort duty, and that a private remedy under the Maine UTPA might lie even absent a loss resulting from the purchase of a consumer good or service.
II.
We review de novo the grant of a motion to dismiss, “accepting as true all well-pleaded facts, analyzing those facts in the light most hospitable to the plaintiffs theory, and drawing all reasonable inferences for the plaintiff.”
United States ex rel. Hutcheson v. Blackstone Med., Inc.,
A. Failure to State a Claim, as to Theory of Cause of Action
1. Fiduciary/Confidential Relationship
Plaintiffs argue that Hannaford owed a fiduciary duty to protect their credit and debit card data, which it breached. Although plaintiffs concede that the basic grocery purchase transaction does not give rise to a fiduciary relationship, they argue that a fiduciary relationship arises in the context of credit and debit card use because the customer trusts the merchant to safeguard her credit or debit card information.
We agree with the district court that the plaintiffs’ facts do not make out a confidential relationship
4
with Hannaford and so Hannaford did not owe a fiduciary duty. To state a claim for fiduciary duty under Maine law, a plaintiff must: (1) allege “the actual placing of trust and confidence” in the defendant; (2) “show that there is some disparity in the bargaining positions of the parties;” and (3) show “that the dominant party has abused its position of trust.”
Leighton v. Fleet Bank of Me.,
First, the plaintiffs have not shown the “trust and confidence” contemplated by Maine confidential relationship cases. Under Maine law, a “fiduciary relationship has been described as ‘something approximating business agency, professional relationship, or family tie impelling or inducing the trusting party to relax the care and vigilance ordinarily exercised.’ ”
Bryan R. v. Watchtower Bible & Tract Soc. of N.Y., Inc.,
Second, the plaintiffs have not pled facts demonstrating disparate bargaining power between the plaintiffs and Hannaford. In the commercial context, the Maine Law Court has required an especially heightened disparity of power. The plaintiffs must allege “diminished emotional or physical capacity or ... the letting down of all guards and bars.”
Stewart,
Third, the plaintiffs fail to allege facts demonstrating that Hannaford abused a position of trust. Under Maine law, breach of fiduciary duty claims typically require a showing that the dominant party used its position of trust to obtain something from the subordinate party, “acquiring rights in that [property] antagonistic to the person with whose interests he has become associated.”
Wood,
2. Implied Contract
Hannaford cross-appeals from the district court’s determination that plaintiffs have made out a claim for an implied contract.
5
Under Maine law, a “contract includes not only the promises set forth in
*159
express words, but, in addition, all such implied provisions as are indispensable to effectuate the intention of the parties and as arise from the language of the contract and the circumstances under which it was made.”
Seashore Performing Arts Ctr., Inc. v. Town of Old Orchard Beach,
The district court correctly concluded that a jury could reasonably find an implied contract between Hannaford and its customers that Hannaford would not use the credit card data for other people’s purchases, would not sell the data to others, and would take reasonable measures to protect the information.
In re Hannaford,
3. Maine Unfair Trade Practices Act, Me.Rev.Stat. tit. 5, §§ 205-A to 211
The district court held that the plaintiffs’ allegations stated a claim under the Maine UTPA that Hannaford’s failure to disclose the data theft promptly, and possibly its failure to maintain reasonable security systems, was unfair and deceptive. Id. at 128-31. Nonetheless, the district court concluded that the claim failed because the plaintiffs did not allege substantial loss. Id. at 134. We agree that the plaintiffs’ claim fails, but for different reasons.
Section 207 of the Maine UTPA, entitled “Unlawful Acts and Conduct,” provides that “[ujnfair methods of competition and unfair or deceptive acts or practices in the conduct of any trade or commerce are declared unlawful.” Me.Rev.Stat. tit. 5, § 207. Under the statute, in defining whether a practice is unlawful, the Maine legislature directed that guidance be sought from the interpretations of the Federal Trade Commission Act (FTCA). Id. § 207(1) (“It is the intent of the Legislature that in construing this section the courts will be guided by the interpretations given by the Federal Trade Commission and the Federal Courts to Section 45(a)(1) of the Federal Trade Commission Act (15 U.S.C. § 45(a)(1)), as from time to time amended.”).
The Maine courts have looked generally to the FTCA to determine whether “the act or practice causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to com
*160
petition.”
Searles v. Fleetwood Homes of Pa., Inc.,
Further, “[i]n determining whether an act or practice is unfair,” Maine courts “consider established public policies as evidence to be considered with all other evidence. Such public policy considerations may not serve as a primary basis for such determination.” Id. (quoting 15 U.S.C. § 45(n)) (internal quotation marks omitted).
The Maine UTPA provides for two different enforcement mechanisms: enforcement by the state’s Attorney General, Me. Rev.Stat. tit. 5, § 209, and a private cause of action, id. § 213. The Attorney General may seek injunctive relief and may also seek civil penalties for violation of the injunction, including restoration to private individuals of any ascertainable loss. Id. § 209. The issue here concerns the limits for private causes of action.
Section 213, entitled “Private Remedies,” as amended in 1991, provides a private cause of action under the statute:
Any person who purchases or leases goods, services or property, real or personal, primarily for personal, family or household purposes and thereby suffers any loss of mdney or property, real or personal, as a result of the use or employment by another person of a method, act or practice declared unlawful by section 207 or by any rule or regulation issued under section 207, subsection 2 may bring an action either in the Superi- or Court or District Court for actual damages, restitution and for such other equitable relief, including an injunction, as the court determines to be necessary and proper.
Id. § 213(1).
The text requires that the plaintiff suffer a loss of money or property as a result of the unlawful act.
6
By virtue of a 1991 amendment, damages may be awarded, as well as restitutionary relief. By its literal terms, section 213 does not itself impose a substantial loss requirement, but the Maine Law Court has so interpreted the statute when considering section 207 in conjunction with section 213.
See McKinnon v. Honeywell Int’l, Inc.,
The parties actively dispute whether plaintiffs’ claims, viewed individually, make out substantial injury, or whether, given the nature of the event, plaintiffs’ claims of harm may be viewed as a collective whole as to substantial injury. In
Tungate v. MacLean-Stevens Studios, Inc.,
the Law Court said that “[t]he substantial injury requirement is designed to weed out ‘trivial or merely speculative harms.’ ”
What is clear is that the Maine courts have consistently read the private right of action provision of the UTPA narrowly.
*161
See, e.g., McKinnon,
In the seminal case interpreting the private right of action provision of the Maine UTPA, the Law Court in
Bartner v. Carter
pointed out that “[i]n a private suit, the requirement of loss to the plaintiff consumer resulting from defendant’s wrongful act unavoidably limits” both the scope of section 207 and the use of the FTCA and its interpretation.
Pertinently, the court also pointed out, in discussing the restrictions on recovery in private actions under section 213, that “[cjommon law actions for negligence and breach of warranty are available in appropriate cases for non-restitutionary damages in situations where personal injuries or damages to property have occurred.” Id. at 203.
It seems unlikely to us that Maine would permit plaintiffs, in cases also pleading that the same acts constitute negligence and breach of implied contract, to use the private action provision of the UTPA to recover types of damages which Maine has decided are not reasonably foreseeable or barred for policy reasons when asserted under implied contract, negligence, or other theories. In
Searles,
the Law Court was explicit that public policy considerations factor into interpretation of the UTPA.
See
*162 B. Failure to Allege Cognizable Injury
To summarize, plaintiffs’ claims under the Maine UTPA and for a breach of fiduciary relationship fail, but plaintiffs have adequately alleged at least theories of negligence and breach of implied contract. That a general theory of recovery has been adequately pled does not, though, resolve the next question of whether the particular types of damages alleged are recoverable under those theories. We draw a distinction for our analysis among plaintiffs’ various claims of damages between those which are best characterized as mitigation costs and those which are not.
1. Mitigation Damages: Card Replacement Costs and Credit Insurance
Under Maine negligence law, damages must be both reasonably foreseeable, and, even if reasonably foreseeable, of the type which Maine has not barred for policy reasons. Generally, under Maine law, “the fundamental test [for both tort and contract recovery] is one of reasonable foreseeability: if the loss or injury for which damages are claimed was not reasonably foreseeable under the circumstances, there is no liability.” Horton & McGehee,
Maine Civil Remedies
§ 4-3(b)(3) (4th ed. 2004). But liability in negligence also “ordinarily requires proof of personal injury or property damage.”
In re Hannaford,
Maine courts have weighed these considerations in the context of mitigation costs and determined that a plaintiff may “recover for costs and harms incurred during a reasonable effort to mitigate,” regardless of whether the harm is nonphysical. In re Hannaford, 4 A.3d at 496. The Maine Law Court has expressly said so both in its response to the certified questions and in its decision to apply the Restatement (Second) of Torts § 919. The Restatement (Second) of Torts § 919 provides that “[o]ne whose legally protected interests have been endangered by the tortious conduct of another is entitled to recover for expenditures reasonably made or harm suffered in a reasonable effort to avert the harm threatened.” Id. § 919(1). It is clear that, as a matter of policy, Maine law “encourages plaintiffs to take reasonable steps to'minimize losses caused by a defendant’s negligence.” In re Hannaford, 4 A.3d at 496. To recover mitigation damages, plaintiffs need only show that the efforts to mitigate were reasonable, and that those efforts constitute a legal injury, such as actual money lost, rather than time or effort expended. Id. at 496-97.
Maine has interpreted this “reasonableness” requirement for mitigation, judging whether the decision to mitigate was reasonable “at the time it was made.”
Marchesseault v. Jackson,
There is not a great deal of Maine law on the subject. And the Law Court’s decision on the certified question appears to be the first time the Maine courts have applied § 919 of the Restatement. So we turn to the decisions of other courts under the Restatement, which provide guidance for Maine.
See, e.g., Marchesseault,
The Seventh Circuit, for example, has held that under Restatement § 919 incidental costs expended in good faith to mitigate harm are recoverable — even if the costs turn out to exceed the savings.
See Toledo Peoria & W. Ry. v. Metro Waste Sys., Inc.,
In
Kelleher v. Marvin Lumber & Cedar Co.,
The Fourth Circuit has noted, applying Restatement § 919, that plaintiffs should not face “a Hobson’s choice” between allowing further damage to occur or mitigating the damage at their own expense.
Toll Bros., Inc. v. Dryvit Sys., Inc.,
In
Fogel v. Zell,
In a Massachusetts case,
Automated Do-nut Systems, Inc. v. Consolidated Rail Corp.,
The question then becomes whether plaintiffs’ mitigation steps were reasonable. This is a contextual question, depending on the facts. Like the district court, we will view all facts in the light most favorable to the plaintiffs.
This case involves a large-scale criminal operation conducted over three months and the deliberate taking of credit and debit card information by sophisticated thieves intending to use the information to their financial advantage. Unlike the cases cited by Hannaford, this case does not involve inadvertently misplaced or lost data which has not been accessed or misused by third parties. Here, there was actual misuse, and it was apparently global in reach. The thieves appeared to have expertise in accomplishing their theft, and to be sophisticated in how to take advantage of the stolen numbers. The data was used to run up thousands of improper charges across the globe to the customers’ accounts. The card owners were not merely exposed to a hypothetical risk, but to a real risk of misuse.
Further, there is no suggestion there was any way to sort through to predict whose accounts would be used to ring up improper charges. By the time Hanna-ford acknowledged the breach, over 1,800 fraudulent charges had been identified and the plaintiffs could reasonably expect that many more fraudulent charges would follow. Hannaford did not notify its customers of exactly what data, or whose data, was stolen. It reasonably appeared that all Hannaford customers to have used credit or debit cards during the class period were at risk of unauthorized charges.
That many banks or issuers immediately issued new cards is evidence of the reasonableness of replacement of cards as mitigation. Those banks thought the cards would be subject to unauthorized use, and cancelled those cards to mitigate their own losses in what was a commercially reasonable judgment. That other financial institutions did not replace cards immediately does not make it unreasonable for cardholders to take steps to protect themselves.
It was foreseeable, on these facts, that a customer, knowing that her credit or debit card data had been compromised and that thousands of fraudulent charges had resulted from the same security breach, would replace the card to mitigate against misuse of the card data. 8 It is true that *165 the only plaintiffs to allege having to pay a replacement card fee, Cyndi Fear and Thomas Fear, do not allege that they experienced any unauthorized charges to their account, but the test for mitigation is not hindsight. Similarly, it was foreseeable that a customer who had experienced unauthorized charges to her account, such as plaintiff Lori Valburn, would reasonably purchase insurance to protect against the consequences of data misuse. 9
Hannaford opposes this conclusion and cites several cases from other jurisdictions holding, on the facts before them, that the costs of credit monitoring services and identity theft insurance are not cognizable injuries in negligence claims. 10 All of these cases are distinguishable on their facts.
Most of the cases involved theft of expensive computer equipment, rather than a sophisticated breach of electronic data.
See Ruiz v. Gap, Inc.,
Another of the cases involved a computer hard drive that was inadvertently lost.
See Melancon v. La. Office of Student Fin. Assistance,
Only two of Hannaford’s cited cases involve a breach in which thieves accessed the plaintiffs’ data held by defendants.
See Pisciotta v. Old Nat’l Bancorp,
Hannaford also argues that even if these damages are cognizable in negligence, they are not cognizable in contract. In support of this argument, Hannaford cites the Maine Law Court’s statement, in its answer to the certified questions, that “contract damages are more restricted than compensatory damages for a tort.”
In re Hannaford,
2. Remaining Damages Claims
General principles of recovery in both contract and tort, which are not applicable to the mitigation damages we have discussed, do bar the plaintiffs’ remaining claims. The district court correctly concluded that the plaintiffs’ claims for loss of reward points, loss of reward point earning opportunities, and fees for pre-authorization changes were not recoverable.
12
These injuries were too attenuated from the data breach because they were incurred as a result of third parties’ unpredictable responses to the cancellation of plaintiffs’ credit or debit cards.
See Stubbs v. Bartlett,
III.
We conclude that the two forms of mitigation damages we have discussed are cognizable under Maine law and we reverse the district court’s dismissal of the plaintiffs’ negligence and implied contract claims as to those damages. We affirm the district court’s dismissal of the remaining claims. So ordered. No costs are awarded.
Notes
. Defendants Hannaford and Kash N' Karry Food Stores, Inc. (Kash N' Karry) are wholly-owned subsidiaries of defendant Delhaize America, Inc. At the time of the breach, Hannaford provided electronic payment processing services to Kash N’ Karry and to several independently owned stores. As provider of these services, Hannaford has agreed to assume the liability of Kash N’ Karry, Delhaize, and any such independently owned stores. We refer to all of these entities as Hannaford.
The putative class period is from December 7, 2007 to March 10, 2008.
. The district court held that plaintiff Pamela LaMotte could proceed beyond the pleading stage because she was the only plaintiff to allege unreimbursed fraudulent charges to her account.
In re Hannaford Bros. Co. Customer Data Sec. Breach Litig.,
. The plaintiffs moved to certify four questions: (1) whether an implied contractual term can be limited to reasonable care; (2) whether the use of credit and debit cards in merchant transactions creates a fiduciary duty; and whether time and effort alone constitute (3) cognizable injury under the common law; or (4) a substantial injury under the Maine UTPA.
In re Hannaford Bros. Co. Customer Data Sec. Breach Litig.,
. It is important to note for terminology purposes that under Maine law, a "fiduciary relationship is the same as a confidential relationship, which gives rise to the same duties.”
Stewart v. Machias Sav. Bank,
. Hannaford also argues that the implied contract claim must fail because it is redundant with the plaintiffs’ claim for negligence. Hannaford did not make this argument to the district court, so it is waived.
See Lamex Foods, Inc. v. Audeliz Lebrón Corp.,
. Given our disposition, we do not reach Hannaford's argument on cross-appeal that there is an absence of loss resulting from the purchase of goods or services.
. We recognize that attorney's fees are available under the Maine UTPA "[i]f the court finds, in any action commenced under [section 213] that there has been a violation of [section] 207.” Me.Rev.Stat. tit. 5, § 213(2);
see also Beaulieu v. Dorsey,
. Under the Truth in Lending Act, 15 U.S.C. § 1643, and the Electronic Fund Transfer Act, 15 U.S.C. § 1693g, cardholders are liable for up to $50 in unauthorized charges, with the exception that under the Electronic Fund Transfer Act, a cardholder can be liable for up to $500 if the holder fails to report the fraud within two days.
It may be, as Hannaford suggests, that major card brands have instituted contractual zero-liability protection, with the result that customers are not liable for any amount of a fraudulent charge. But at the motion to dismiss stage, we cannot say that customers face no risk of even a $50 liability from unauthorized use. Nor is Hannaford's argument directly relevant: it does not change the fact
. Hannaford argues that because the plaintiffs allege no loss of personally identifying information, plaintiff Lori Valburn had no reasonable basis for purchasing “identity theft" insurance. The plaintiffs explain that “[a]l-though it was labeled 'identity theft insurance,' the product purchased by Ms. Valburn from Discover Card protected her against the consequences of misuse of the data that had been stolen including the losses and disruptions documented in the Complaint.” At the motion to dismiss stage, we draw all reasonable inferences in favor of the plaintiff, including the inference that the product purchased by plaintiff Valburn protected her against misuse of her stolen debit and credit card data.
. Hannaford also argues that allowing recovery for prophylactic measures such as identity theft insurance would provide incentives for the unnecessary purchase of such products. As we have discussed, however, such recovery is bounded by the principle of reasonableness; recovery is allowable only if the decision to purchase such a product was a reasonable effort to mitigate under the circumstances.
See Marchesseault v. Jackson,
. Several other courts, in cases not cited by Hannaford, have likewise concluded that where data is simply lost or misplaced rather than stolen, and no known misuse has occurred, plaintiffs may not recover damages including credit monitoring costs.
See McLoughlin v. People’s United Bank, Inc.,
No. 3:08-cv-00944(VLB),
. We reject the plaintiffs’ argument that the question of foreseeability vel non should have gone to the jury and the district court had no role to play. The district court was correct to consider initially foreseeability as a question of law. In addressing the certified questions, the Law Court indicated that some harms are too far attenuated as a matter of law to constitute cognizable injury in Maine.
See In re Hannaford Bros. Co. Customer Data Sec. Breach Litig.,