DATA BREACHES AND STANDING

Data Breach -Identity Theft

In Collins v. Athens Orthopedic Clinic, Case No. A18A0296 (decided June 27, 2018), the Georgia Court of Appeals addressed the issue of whether an individual whose personally-identifiable information (“PII”) was stolen from a business in a computer hack had standing to pursue damages claims against the business that was hacked.

The plaintiffs in the Collins case were current and former patients of the defendant clinic. A hacker had gained access to the clinic’s computers and stolen patient PII maintained in a clinic database. The hacker requested ransom from the clinic, which the clinic did not pay. The hacker allegedly offered for sale some of the PII on the “Dark Web.” Opinion, pp. 2-3. The plaintiffs alleged that the data breach had exposed them to the threat of identity theft. They had spent money placing fraud and identity alerts on their credit reports. One plaintiff alleged that fraudulent charges were made on her credit card, although she did not claim that those charges were the result of the data breach. Opinion, p. 3.

The plaintiffs filed a negligence action against the clinic. The court considered whether “prophylactic costs anticipated or incurred to protect oneself against the threat of identity theft following a data breach” were the type of loss or damage that would allow a negligence claim. Opinion, p. 6. A negligence claim required a financial or physical injury. The Court concluded that steps taken to address an increased risk of injury were not themselves an injury that would support a negligence claim. The Court relied on similar grounds to reject claims that the clinic was liable for breach of an implied contract to safeguard the PII and had violated Georgia’s Deceptive Trade Practices Act.

The decision is not binding precedent for subsequent cases, however, because one judge on the three-judge panel dissented. Therefore, this issue on data breaches certainly will come again before the Georgia appellate courts.

Data breaches are very much in the news. This case will help to shape the legal landscape faced by Georgians who are victims of a data breach.

The Opinion is available at https://efast.gaappeals.us/download?filingId=e523bed4-2151-417d-8479-f18ec24f19a3