Georgia Court of Appeals Makes First Foray Into Standing in Data Breach Suits

Written by: Sean Cox, Esq.

On June 26, 2017, the Georgia Court of Appeals issued an opinion in Collins, et al. v. Athens Orthopedic Clinic, A18A0296. This is the first Georgia appellate decision squarely addressing the issue of standing in a data breach case. Since the United States Supreme Court decision in Spokeo, Inc. v. Robins, 578 U.S. ___ (2016), the issue of whether a plaintiff has suffered a cognizable injury sufficient to confer standing has been one of the primary avenues of attacking data breach lawsuits. Before Collins, no Georgia appellate court had addressed the issue directly.

Collins arose from a massive data breach at a Georgia medical clinic. An anonymous hacker known as “Dark Overlord” stole personally identifiable information of more than 200,000 current and former patients of the clinic. On January 20, 2017, the Plaintiffs filed a putative class action alleging claims for violation of the Georgia Uniform Deceptive Trade Practices Act, breach of implied contract, unjust enrichment, and negligence. The Plaintiffs alleged damages related to costs incurred and future costs to be incurred for the purchase of credit monitoring and identity theft protection, or the placing of credit freezes on their accounts. The Defendant filed a motion to dismiss contending that the Plaintiffs had failed to allege a sufficient injury in fact to support Article III standing. The trial court granted the motion without analysis and the Georgia Court of Appeals affirmed.

The Georgia Court of Appeals held that:

Plaintiffs claim damages, specifying only the cost of identity theft protection, credit monitoring, and credit freezes to be maintained “over the course of a lifetime.” While credit monitoring and other precautionary measures are undoubtedly prudent, we find that they are not recoverable damages on the facts before us because the Plaintiffs seek only to recover for an increased risk of harm…We find that, as in the context of medical monitoring in toxic tort cases, prophylactic measures such as credit monitoring and identity theft protection and their associated costs, which are designed to ward off exposure to future, speculative harm, are insufficient to state a cognizable claim under Georgia law.

Collins may not be a panacea for defeating all future data breach suits in Georgia, but it is strong evidence that Georgia courts will take a skeptical view of these claims.
