Plaintiffs seeking to pursue negligence claims for the disclosure of their personal information in a data breach often face hurdles in pleading a sufficient injury. The claimants’ failure to plead a sufficient injury frequently is the basis for dismissal. However, in a very interesting recent decision, the Georgia Supreme Court reversed the intermediate appellate court’s affirmance of the dismissal of the plaintiffs’ data breach claims, finding that the claimants had sufficient standing to assert their claims where they alleged that the disclosure of their personal information left them at an “imminent and substantial risk of identity theft.” As discussed below, the Court’s holding arguably makes data breach claims under Georgia law less susceptible to dismissal. However, as also discussed below, there are important limitations to the Court’s holding.
The Georgia Supreme Court’s December 23, 2019 decision in Collins v. Athens Orthopedic Clinic, P.A. can be found here.
Background
In June 2016, a hacker stole personal identifiable information (including social security numbers, addresses, birth dates, and health insurance information) of at least 200,000 current and former patients of the Athens Orthopedic Clinic. The hacker demanded a ransom, but the clinic refused to pay. In the subsequent lawsuit, the plaintiffs alleged that the hacker offered some of the stolen data for sale on the “dark web” and that some of the information was made available on Pastebin, a data-storage web site.
Three of the patients whose data was compromised initiated a class action for damages against the clinic, alleging negligence, breach of contract, and unjust enrichment. The plaintiffs alleged that their personal data had been “comprised and made available to others on the dark web” and that “criminals are now able to assume Class Members’ identities.” The named plaintiffs claimed they had spent time calling credit reporting agencies and placing fraud or credit alerts on their credit reports. At least one of the named plaintiffs claimed she had experienced fraudulent activity on her credit card shortly after the breach. The complaint alleges further that “even Class Members who have not yet experienced identity theft or are not yet aware of it nevertheless face the imminent and substantial risk of future injury.”
The Clinic moved to dismiss the complaint, which the trial court granted. The plaintiffs appealed the dismissal to the intermediate appellate court. The Court of Appeals affirmed the trial court’s dismissal, concluding that “the fact of compromised data is not a compensable injury by itself in the absence of some loss or damage to the plaintiff’s legally protected interest as a result of the alleged breach of a legal duty,” and therefore the plaintiffs do not “allege a legally cognizable injury.” The plaintiff’s filed a writ of certiorari to the Georgia Supreme Court, which the Court granted.
The December 23 Opinion
In a December 23, 2019 opinion written by Justice Nels Peterson for a unanimous panel, the Georgia Supreme Court reversed the intermediate appellate court and remanded the case for further proceedings.
In reversing, the Court noted first that the authorities on which the intermediate appellate court had relied in dismissing the plaintiffs’ complaint were all in procedural contexts other than a dismissal motion, as was the case here. The Court noted that on a motion to dismiss, the plaintiffs’ allegations must be taken as true (which is not the case in other procedural circumstances).
Here, the Court noted, the plaintiffs had alleged that the “criminals are now able to assume their identities fraudulently and that the risk of such identify theft is ‘imminent and substantial.’” This, the Court said, “amounts to a factual allegations about the likelihood that any given class member will have her identify stole as a result of the data breach.”
The Court also emphasized important factual differences between this case and the decision on which the intermediate appellate court relied; in the cases on which the Court of Appeals relied, there was no reason to believe that the data in question had fallen into criminal’s hands.
Here, the Court said, “plaintiffs allege that their data was stolen by a criminal whose alleged purpose was to sell their data to other criminals.” The court noted other differences as well, including the fact that the plaintiffs here had alleged that the thief had actually offered some of the data for sale, and that “the class members now face ‘the imminent and substantial risk’ of identity theft given criminals’ ability to use the stole data to assume the class members’ identities.”
The Court said that “assuming the truth of these allegations, as we must at this stage, we must presume that a criminal actor has maliciously accessed the plaintiffs’ data and has at least attempted to sell at least some of the data to other wrongdoers.” Thus, the Court said, “we are much further along in the chain of inferences that one must draw in order to conclude that the plaintiffs here likely will suffer identity theft.”
There are important limitations in the Court’s opinion. The Court said that while showing injury in a case like this, where the data exposure occurs as a result of an act by a criminal motivated to sell the data to others, may be “easier,” that easier showing of injury “may well be offset by a more difficult showing of breach of duty.” The court expressly stated that it leave the discussion of legal duty “for another day.” The Court also noted in a footnote that “proving that plaintiffs injuries were proximately caused by the breach may also be more difficult.”
In conclusion, the Court said with respect to these plaintiffs allegations that, construing them in the light most favorable to their case, “we cannot say that the plaintiffs will not be able to introduce sufficient evidence of injury within the framework of the claim.” The plaintiffs’ allegations of data theft by a criminal enabling criminals to assume their identities “raise more than a mere specter of harm.” These allegations the Court said “are sufficient to survive a motion to dismiss.”
The Court’s conclusions in that regard do not depend on the allegations that the plaintiffs incurred costs mitigating the effect of the breach or that one of the named plaintiffs had allegedly experienced actual identity theft; “their allegation that the criminal theft of their personal data has left them at an imminent and substantial risk of identity theft is sufficient at this stage of the litigation.”
Discussion
Consumer plaintiffs asserting tort claims for the compromise of their personal information as a result of a data breach have struggled to allege an injury that courts have found sufficiently legally cognizable in order to state a claim for damages. As a result courts frequently dismiss these kinds of claims, as indeed the trial court did here.
What makes this case interesting and potentially significant is that the Georgia Supreme Court said that it is sufficient in order to state a claim for the claimants to allege that the theft of their personal data left them at imminent and substantial risk of identity theft. In other words, the risk of future harm, if sufficiently imminent, is sufficient to state a claim. Indeed, the court went out of its way to emphasize that it was not basing its conclusion in that regard on the fact that one of the named plaintiffs apparently had suffered a form of identity theft (fraudulent credit card use).
There are some specific aspect of this case that arguably could limit its application to other situations. Here, the plaintiffs not only alleged theft of their personal data, but alleged further that some of the class members’ data had already been offered for sale on the dark web. As the Court noted, these allegations put his case “much further along in the chain of inferences” necessary for the Court to conclude that there is sufficient risk of identity theft. These allegations “raise more than the mere specter of harm.”
Not all prospective claimants seeking to assert negligence claims under Georgia law relating to data theft will be able to muster allegations sufficient to put themselves similarly further along the chain of inferences.
As the Kilpatrick Townsend law firm noted in its January 13, 2020 memo about the Georgia Supreme Court’s decision (here), allegations of an imminent risk of identity theft many not be enough to establish injury “where less sensitive data is taken and where there is no allegations identifying who perpetrated the hack or what the hacker planned to do with the sensitive data.”
There are also the other possible pleading challenges for prospective data breach claimants that the Court identified in its opinion. The Court clearly pointed the way for defendants to argue that data breach claimants have not sufficiently alleged a legal duty or a breach of that duty, and also to argue that the alleged harm was not proximately caused by the alleged breach. The Court’s opinion seems to be laying out these issues as the place where future battles may be — and likely will be – waged.
All of that said, it should not be overlooked that the highest court of a state has said that a data breach claimant can state a claim for negligence without alleging actual injury by raising allegations sufficient to support a claim that the loss of data has left them at “imminent and substantial risk” of identity theft. This development could provide a substantial boost for data breach claimants seeking to assert claims for negligence under Georgia law.
One final note. I think it is interesting that this sequence of events involved at the very beginning the hacker’s demand for a ransom, which the clinic refused to pay. Others can debate whether or not defiance of a ransom demand is or is not the right response. However, it does seem possible that many of the vulnerabilities the class members now face arguably could have been avoided if the clinic had not resisted the ransom demand. Which certainly begs the question about what the right response is to a hacker’s ransom demand.
Call for More of Readers’ Top Travel Pics: I hope that everyone is aware that I have been publishing readers’ top 2019 travel pics. The pictures so far have been great. I have received some more readers’ pictures but not quite enough for an entire separate post. It would be great if a few more readers could send in their travel pictures, to help fill out another post! Send those pictures in!