It finally happened: In late June, the Georgia Court of Appeals issued an opinion squarely addressing the issues surrounding damages alleged by consumers after a data breach. But whether the opinion clarifies the arguments or further muddies the waters depends on who you ask.
Collins, et al. v. Athens Orthopedic Clinic was initiated in January 2017 as a putative class action following a large data breach affecting Athens Orthopedic Clinic. The data breach occurred about six months prior to the initiation of the suit when an anonymous hacker known only as the “Dark Overlord” acquired personally identifiable information pertaining to approximately 200,000 current and former AOC patients by using a third-party vendor’s login credentials.
Predictably, the hacker held the information for ransom. When AOC refused to pay, the hacker offered some of the information for sale on the Dark Web and made some of it temporarily available on Pastebin, a website used for storing text online.
Three AOC patients—Christine Collins, Paulette Moreland and Kathryn Strickland—alleged their personal information was stolen in the breach, exposing them to the threat of identity theft and other harm. While all three plaintiffs alleged they spent time and money placing fraud/credit alerts on their credit report, only one of the three plaintiffs—Collins—alleged that any fraudulent charges were made on her credit card.
The only damage alleged by plaintiffs was the cost of identity theft protection, credit monitoring and credit freezes to be maintained over the course of a lifetime. Together, the plaintiffs filed a putative class action alleging (1) violation of the Georgia Uniform Deceptive Trade Practices Act by AOC; (2) breach of an implied contract with AOC; (3) unjust enrichment of AOC; and (4) negligence by AOC.
AOC responded to plaintiffs’ complaint by filing a motion to dismiss pursuant to both O.C.G.A. §§ 9-11-12(b)(1) and 12(b)(6).
At the trial court, AOC’s motion to dismiss was granted, prompting plaintiffs to appeal. The appeal teed up an issue of first impression in Georgia: Does the alleged prophylactic cost anticipated or incurred to protect against the threat of identity theft after a data breach constitute damage sufficient to state a negligence claim in Georgia?
The court’s majority opinion: not if a plaintiff’s only alleged damages are based on a nebulous “increased risk of harm.”
The court determined that the plaintiffs in Collins are analogous to plaintiffs in toxic tort cases who claim costs associated with future medical monitoring as damages. Much like the plaintiffs in a toxic tort case, plaintiffs in a data breach case often are seeking to recover damages from a negligent act that allegedly puts them at an increased risk of future harm. And, much like in the toxic tort cases, the court determined that those damages are too speculative to support a negligence claim absent some indication that the data theft had caused or would eventually cause injury.
The court explained, “[w]hile credit monitoring and other precautionary measures are undoubtedly prudent, we find that they are not recoverable damages on the facts before us, because the plaintiffs seek only to recover for an increased risk of harm.”
The trial court’s dismissal of plaintiffs’ complaint was affirmed.
That conclusion seems straightforward, right? Not quite. There are two aspects of the Collins opinion that either diminish its usefulness or give you hope, depending on which side of this battle you favor.
First, the court made a specific point to note that, even though plaintiffs alleged that Collins suffered from fraudulent charges being made on her credit card (arguably providing the concrete harm the court was looking for), they failed to allege that the charges were related to the data breach. The court dropped a footnote to make that point, which raises the question: Would the court have reached a different conclusion if plaintiffs had alleged a causal connection between the fraudulent charges and the data breach?
Second, Presiding Judge Christopher McFadden dissented from the majority’s opinion and indicated that he would have reversed the trial court and remanded the case. In his view, the court should have begun its analysis by examining standing as opposed to the merits. By applying U.S. Supreme Court precedent, which is frequently used to resolve standing issues in Georgia courts, McFadden focused on case law holding that an allegation of future injury may suffice to constitute an injury-in-fact “if the threatened injury is certainly impending or there is a substantial risk that the harm will occur.” He ultimately concluded that there was sufficient injury to support standing, because the plaintiffs alleged “imminent threat that their personal information will be used to their detriment.”
Overall, the court’s first foray into this issue indicates that it may be skeptical of future data breach claims premised solely on prophylactic costs. For those attorneys waiting for a Georgia appellate opinion on this issue, we finally have one. It does not end the debate surrounding consumer data breach damages—far from it, in fact—but at least it ends the court’s silence on this issue.
Amy L. Hanna Keeney of Adams and Reese is a licensed attorney in Georgia and Florida who has defended businesses in state and federal litigation throughout the Southeast. She has represented financial institutions in litigation matters as well as clients in matters involving alleged violations of federal consumer protection statutes.