Date: 2019-12-29
ATLANTA -- In what may be the first large data-breach case to reach the Georgia Supreme Court, the high court has ruled that patients of a Clarke County medical clinic whose computer databases were hacked may proceed with a lawsuit against the clinic.
With a unanimous ruling, written by Justice Nels S.D. Peterson, the Supreme Court has revived the plaintiffs’ lawsuit, which had been dismissed by an Athens-Clarke County trial court. The Georgia Court of Appeals upheld the dismissal, ruling that the cost of preventative measures such as credit monitoring and identity theft protection could not provide the basis for a lawsuit under Georgia law.
According to their complaint, the plaintiffs alleged that in June 2016, an anonymous hacker identified only as the “Dark Overlord” stole the personal data of at least 200,000 current and former patients of Athens Orthopedic Clinic, including Social Security numbers, addresses, birth dates, and health insurance details. Among the patients were the eventual plaintiffs in this case: Christine Collins, Paulette Moreland and Kathryn Strickland. After discovering the hack, the clinic refused to pay the ransom demanded by the hacker to unlock its databases. At least some of the stolen identity information was offered for sale on the so-called “dark web,” and some of the information was made available, at least temporarily, on Pastebin, a data-storage website.
After being notified of the breach in August 2016, Collins and the other plaintiffs sued the clinic, asking the Athens-Clarke County Superior Court to certify their lawsuit as a class action. In their suit, they alleged negligence, breach of implied contract, unjust enrichment, and violation of the Georgia Uniform Deceptive Trade Practices Act (Georgia Code § 10-1-370).
They sought a declaratory judgment from the court requiring the clinic to take certain actions to ensure the future security of class members’ identity information. They also sought reimbursement for their legal costs, and they sought reimbursement for costs incurred and future costs that would be incurred for the purchase of credit monitoring and identity theft protection. Each plaintiff alleged that she had “spent time calling a credit reporting agency and placing a fraud or credit alert on her credit report to try to contain the impact of the data breach and anticipates having to spend more time and money in the future on similar activities.”
Collins also alleged that she had received fraudulent charges on a credit card shortly after the data breach and had to spend time getting the charges reversed by the credit card company. And their complaint alleged that, “Even class members who have not yet experienced identity theft or are not yet aware of it nevertheless face the imminent and substantial risk of future injury.” The clinic filed a motion asking the court to dismiss the lawsuit, and on June 26, 2017, the trial court granted the motion in a two-sentence order.
The plaintiffs then appealed to the Court of Appeals, the state’s intermediate appellate court. In June 2018, that court upheld the dismissal in a 2-to-1 ruling, finding that the plaintiffs’ failure to suffer an injury that could be legally compensated was fatal to some of their claims. In regard to the negligence and breach of implied contract claims, the majority noted that Collins had not alleged that her fraudulent credit card charges were caused by the data breach, and it concluded that the costs of prophylactic measures such as credit monitoring and identity theft protection are not recoverable damages and thus insufficient to state a claim that can be litigated in court under Georgia law.
The majority held that the declaratory judgment claim failed because the pleadings did not identify any dispute that a court declaration would resolve. The majority held that the claim under the Deceptive Trade Practices Act was properly dismissed because the plaintiffs did not allege any future, non-speculative harm that an injunction would remedy. And the majority held that the unjust enrichment claim failed because it was not pleaded as an alternate theory of recovery based on a failed contract.
Collins and the others appealed the ruling to the Georgia Supreme Court, which agreed to review the case to determine whether the Court of Appeals erred in affirming the dismissal of the lawsuit on the ground that the plaintiffs failed to allege a “cognizable injury.”
“We conclude that the injury the plaintiffs allege that they have suffered is legally cognizable,” the Supreme Court opinion says. “Because the Court of Appeals held otherwise in affirming dismissal of the plaintiffs’ negligence claims, we reverse that holding. Because that error may have affected the Court of Appeals’ other holdings, we vacate those other holdings and remand the case.”
In reaching its conclusion, the Court of Appeals relied on inapplicable case law – specifically two of its own opinions that addressed the exposure of sensitive personal information – to conclude that “the fact of compromised data is not a compensable injury by itself in the absence of some loss or damage flowing to the plaintiff’s legally protected interest as a result of the alleged breach of a legal duty,” the opinion states. “But there are two fundamental differences between those cases and this one.”
For one thing, the key Georgia decisions relied on by the appellate court “were not issued in the context of a motion to dismiss.” In addition, the Court of Appeals’ prior cases “involved a sort of exposure of data fundamentally different than the actual data theft in this case.” In the prior cases, there was no reason to believe that the data in question had fallen into a criminal’s hands. Here, “plaintiffs allege that their data was stolen by a criminal whose alleged purpose was to sell the data to other criminals.” They allege that the thief demanded a ransom for the data’s return and that all class members face the “imminent and substantial risk” of identity theft.
“Assuming the truth of these allegations, as we must at this stage, we must presume that a criminal actor has maliciously accessed the plaintiffs’ data and has at least attempted to sell at least some of the data to other wrongdoers,” the opinion says. “These allegations raise more than a mere specter of harm.”
Furthermore, recent “persuasive federal district court decisions applying Georgia law in similar cases are consistent with our conclusion that the plaintiffs have pleaded a legally cognizable injury here,” the opinion says. “Because the Court of Appeals erred in concluding that the trial court properly dismissed the plaintiffs’ negligence claims due to failure to plead a legally cognizable injury, we reverse that holding. Because that error may have affected the Court of Appeals’s other holdings, we vacate those other holdings and remand the case.”