Court of Appeals Affirms Dismissal of Class Action Data Breach Case

Written by: Richard Sheinis, Esq.

The Georgia Court of Appeals recently held the line against data breach cases when it affirmed the dismissal of a class action against the Georgia Department of Labor.¹⁾  Thomas McConnell had filed a class action against the Georgia Department of Labor after a department employee sent a spreadsheet with the name, Social Security number, home phone number, email address and age of over 4,000 Georgians, to approximately 1,000 of the Georgians on the list.  McConnell filed a class action alleging negligence by the Department in disclosing personal information, invasion of privacy, and breach of fiduciary duty. He sought damages for the fee he paid to “Life Lock” for credit monitoring and identity protection services, and the fear and anxiety of potential identity theft in the future. He did not allege that anyone had used his information improperly, or that identity theft had occurred.

The Court of Appeals found that Georgia law did not impose a duty to safeguard and protect the personal information of individuals. Georgia only has a breach notification statute requiring notification of individuals for certain types of data breaches.  Since the Department of Labor did not have a duty to protect McConnell’s personal information, there was no violation of a duty, and therefore no negligence.  Similarly, the court found that the disclosure of McConnell’s information was not an invasion of privacy because the possibility that the disclosure of his personal information could result in identity theft, credit card fraud, or other offenses that might damage McConnell personally and financially, did not intrude into McConnell seclusion, or disclose embarrassing private facts.

Despite this loss, there is no doubt that plaintiff’s attorneys will continue to search for legal theories to support  lawsuits based on  data breaches.  As an aside, I will note that Georgia currently has a very weak breach notification statute. It only requires notification for breaches of a government agency, or an entity that collects personal information for the purpose of furnishing that information to 3^rd parties, i.e., credit reporting agencies.  In January 2016, the Georgia “Personal Data Security Act” was introduced in the Georgia Senate in an effort to strengthen George’s breach notification law. This legislation would have also required entities to maintain “reasonable” safeguards to protect and secure personal information, thereby imposing a duty to prevent data breaches. The legislation, however, did not get very far in the Senate, and has not become law.