14 Jan Georgia Data Breach Class Action
Written by: Sean Cox, Esq.
On December 23, 2019, in a case of first impression, a unanimous Georgia Supreme Court reversed the trial court and Court of Appeals in a putative data breach class action, holding that there were sufficient allegations of a legally cognizable injury to survive a motion to dismiss. The case arose out of the 2016 hack of Athens Orthopedic Clinic (“AOC”) in which the names, addresses, social security numbers, insurance information, and other personal information of more than 200,000 current and former patients were taken by a hacker calling himself the Dark Overlord.
In the trial court and in the Court of Appeals, Defendant AOC had argued that the potential class members had not alleged a sufficient, legally cognizable injury. Since the 2016 United States Supreme Court decision in Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016), the existence of a legally cognizable injury in data breach cases has created a discrete split in state courts and federal circuits. Some states and federal circuits have held that allegations of a breach and prophylactic expenses to monitor and prevent identity theft cannot support a legally cognizable injury. However, other states and federal circuits have held that they can.
In their Complaint, the Plaintiffs alleged damages including past and future costs of credit monitoring and identity theft protection, credit freezes, and a request for injunctive relief. The Georgia Supreme Court held:
The plaintiffs allege that their personal data has been stolen on a mass scale by a criminal, who in turn has offered it for sale to other criminals. They also allege that, as a result, criminals are able to assume their identities and fraudulently obtain credit cards, issue fraudulent checks, file tax refund returns, liquidate bank accounts, and open new accounts in their names. These allegations raise more than a mere specter of harm… [T]heir allegation that the criminal theft of their personal data has left them at an imminent and substantial risk of identity theft is sufficient at this stage of the litigation.
This ruling places Georgia squarely within the camp finding that prophylactic costs and the threat of identity theft are enough to survive a motion to dismiss. Even after this decision, several open questions remain about how Georgia law will deal with data breach suits and what is necessary to prove a cognizable injury, but the decision does remove one of the arguments that has been used most successfully to defeat data breach suits early.