Peterson, Justice.

When a criminal steals consumers’ sensitive personal data, what do those consumers have to plead against the allegedly negligent business from whom the data was stolen to show a legally cognizable injury under Georgia tort law? The Court of Appeals has held in cases involving the exposure of personal information that the failure to show that the information had actually fallen into criminal hands, let alone that the information was used to the consumers’ detriment, meant that plaintiffs had failed to show a legally cognizable injury. But this case, which was dismissed on the pleadings despite allegations of large-scale criminal activity, falls into a different category of data-exposure cases. The plaintiffs here, current or former patients of the defendant medical clinic, brought a putative class action after the clinic informed them that a hacker had stolen their personal data from the clinic. We conclude that the injury the plaintiffs allege that they have suffered is legally cognizable. Because the Court of Appeals held otherwise in affirming dismissal of the plaintiffs’ negligence claims, we reverse that holding. Because that error may have affected the Court of Appeals’s other holdings, we vacate those other holdings and remand the case.

1. Background

The complaint, verified by each of the named plaintiffs, alleges that in June 2016 an anonymous hacker stole the personally identifiable information, including Social Security numbers, addresses, birth dates, and health insurance details, of at least 200,000 current and former patients of Athens Orthopedic Clinic (“the Clinic”) from the Clinic’s computer databases. Those current and former patients included named plaintiffs Christine Collins, Paulette Moreland, and Kathryn Strickland. According to the allegations contained in the complaint, the hacker demanded a ransom, but the Clinic refused to pay. The hacker offered at least some of the stolen personal data for sale on the so-called “dark web,” and some of the information was made available, at least temporarily, on Pastebin, a data-storage website. The Clinic notified the plaintiffs of the breach in August 2016.

The plaintiffs allege that because their personal data has been “compromised and made available to others on the dark web, criminals are now able to assume Class Members’ identit[ies] and fraudulently obtain credit cards, issue fraudulent checks, file tax refund returns, liquidate bank accounts, and open new accounts, all in Class Members’ names.” Each named plaintiff alleges that she has “spent time calling a credit reporting agency and placing a fraud or credit alert on her credit report to try to contain the impact of the data breach and anticipates having to spend more time and money in the future on similar activities.” Collins also alleges that fraudulent charges to her credit card were made “[s]hortly” after the data breach and that she spent time getting the charges reversed by the card issuer. And the complaint alleges that “[e]ven Class Members who have not yet experienced identity theft or are not yet aware of it nevertheless face the imminent and substantial risk of future injury.”

In their suit against the Clinic, the plaintiffs sought class certification and asserted claims for negligence, breach of implied contract, and unjust enrichment. They sought damages based on costs related to credit monitoring and identity theft protection, as well as attorneys’ fees. They also sought injunctive relief under the Georgia Uniform Deceptive Trade Practices Act, OCGA § 10-1-370 et seq. (“UDTPA”), and a declaratory judgment to the effect that the Clinic must take certain actions to ensure the security of class members’ personal data in the future. The Clinic filed a motion to dismiss based on both OCGA § 9-11-12 (b) (1) and OCGA § 9-11-12 (b) (6), which the trial court granted summarily.
A divided panel of the Court of Appeals affirmed. See Collins v. Athens Orthopedic Clinic, 347 Ga. App. 13 (815 SE2d 639) (2018). The Court of Appeals concluded that the plaintiffs’ negligence claim was properly dismissed because the plaintiffs “seek only to recover for an increased risk of harm.” Id. at 18 (2) (a). The majority concluded that although the credit monitoring and other precautionary measures alleged by the plaintiffs were “undoubtedly prudent,” they were “designed to ward off exposure to future, speculative harm” and thus “insufficient to state a cognizable claim under Georgia law.” Id.[1] Then-Presiding Judge McFadden dissented from that holding, concluding that the plaintiffs had standing to bring their claims given that their allegations of future injury show a substantial risk that harm will occur. Id. at 22-25 (1)-(2) (McFadden, P.J., concurring in part and dissenting in part).

We granted the plaintiffs’ petition for certiorari to consider whether the Court of Appeals erred in holding that the plaintiffs failed to allege a legally cognizable injury. We conclude that the plaintiffs did allege a cognizable injury.

2. The Georgia case law relied on by the Court of Appeals is inapplicable for two reasons.

“It is well established that to recover for injuries caused by another’s negligence, a plaintiff must show four elements: a duty, a breach of that duty, causation[,] and damages.” Goldstein, Garber & Salama, LLC v. J.B., 300 Ga. 840, 841 (1) (797 SE2d 87) (2017) (citation and punctuation omitted). In other words, “before an action for a tort will lie, the plaintiff must show he sustained injury or damage as a result of the negligent act or omission to act in some duty owed to him.” Whitehead v. Cuffie, 185 Ga. App. 351, 353 (2) (364 SE2d 87) (1987); see also OCGA § 51-1-6 (“When the law requires a person to perform an act for the benefit of another or to refrain from doing an act which may injure another, although no cause of action is given in express terms, the injured party may recover for the breach of such legal duty if he suffers damage thereby.” (emphasis added)); OCGA § 51-1-8 (“The violation of a private duty, accompanied by damage, shall give a right of action.” (emphasis added)); OCGA § 51-12-4 (“Damages are given as compensation for injury; generally, such compensation is the measure of damages where an injury is of a character capable of being estimated in money.”).

[A] wrongdoer is not responsible for a consequence which is merely possible, according to occasional experience, but only for a consequence which is probable, according to ordinary and usual experience. . . . A fear of future damages is too speculative to form the basis for recovery.

Finnerty v. State Bank & Trust Co., 301 Ga. App. 569, 572 (4) (687 SE2d 842) (2009) (citation and punctuation omitted), disapproved of on other grounds by Cumberland Contractors, Inc. v. State Bank & Trust Co, 327 Ga. App. 121, 125 (2) n.4 (755 SE2d 511) (2014); see also OCGA § 51-12-8 (“If the damage incurred by the plaintiff is only the imaginary or possible result of a tortious act or if other and contingent circumstances preponderate in causing the injury, such damage is too remote to be the basis of recovery against the wrongdoer.”).

Concluding that the plaintiffs had not sufficiently pleaded injury here, the Court of Appeals relied on two of its opinions addressing the exposure of sensitive personal information, Finnerty and Rite Aid of Georgia v. Peacock, 315 Ga. App. 573 (726 SE2d 577) (2012).
In Finnerty, the matter came before the Court of Appeals on the grant of summary judgment against a civil case defendant who complained that the plaintiff bank had included his social security number in an exhibit to the civil complaint. 301 Ga. App. at 569. As one of several alternative bases for affirming the summary judgment order, the Court of Appeals concluded that the defendant’s state law counterclaims alleging that the bank’s action caused him injuries were “wholly speculative.” Id. at 572 (4). The court noted that the defendant had “failed to demonstrate that the Bank’s purported unlawful disclosure made it ‘probable’ that he would suffer any identity theft or that any specific persons actually have accessed his confidential personal information as a result of the purported unlawful disclosure.” Id.

And in Rite Aid, the Court of Appeals reversed a grant of class certification in a case arising from the defendant pharmacy’s sale of its customers’ medication information to another pharmacy, concluding the trial court erred in finding that the named plaintiff and the proposed class of customers shared common questions of law and fact and that the named plaintiff was a sufficiently typical class representative. In particular, the Court of Appeals noted that the named plaintiff could only speculate that a criminal might associate with an employee of the new pharmacy who had access to his prescription information. 315 Ga. App. at 576-577 (1) (a) (i).

The Court of Appeals in this case also relied on its prior opinion in Boyd v. Orkin Exterminating Co., 191 Ga. App. 38 (381 SE2d 295) (1989), overruled on other grounds by Hanna v. McWilliams, 213 Ga. App. 648, 651 (2) (b) (446 SE2d 741) (1994), in which the Court of Appeals affirmed a grant of partial summary judgment to the defendant pest control company on the plaintiffs’ suit alleging that the negligent application of pesticide in their home subjected their children to an increased risk of cancer. In particular, the Boyd court rejected the notion that the plaintiffs could recover for an alleged increased risk of cancer as a result of the pest treatments, because, although the plaintiffs produced testimony that their children would require monitoring in the future to determine whether they developed health problems due to their exposure, they had fallen “far short” of establishing to a “reasonable medical certainty” that such consequences would occur. 191 Ga. App. at 40-41 (2) (citation and punctuation omitted). Although the plaintiffs in Boyd pointed to the presence of elevated levels of a certain metabolite in the children’s bloodstream, the record in that case provided no “indication that the presence of these metabolites had caused or would eventually cause actual disease, pain, or impairment of some kind[.]” Id. at 40 (1).

The Court of Appeals here relied on Finnerty and Rite Aid to conclude that “the fact of compromised data is not a compensable injury by itself in the absence of some loss or damage flowing to the plaintiff’s legally protected interest as a result of the alleged breach of a legal duty[,]” and therefore the plaintiffs here do not allege a legally cognizable injury. Collins, 347 Ga. App. at 15-16 (2) (citation and punctuation omitted). And the court said that Boyd was a “fitting analogue” to this case, given that in both this case and Boyd, “the defendant’s alleged negligence exposed the Plaintiffs to a risk of harm which may or may not occur.” Id. at 16 (2).[2] But there are two fundamental differences between those cases and this one.

(a) The key Georgia decisions relied on by the Court of Appeals were not issued in the context of a motion to dismiss.

First, neither Finnerty, nor Rite Aid, nor Boyd was decided in the context of a motion to dismiss. Finnerty and Boyd were summary judgment cases, and Rite Aid involved a question of class certification.
To avoid dismissal on summary judgment, a plaintiff must present evidence that raises a genuine issue of material fact. See Nguyen v. Southwestern Emergency Physicians, P.C., 298 Ga. 75, 82 (3) (775 SE2d 334) (2015). And to prevail on a request for class certification, a plaintiff must show with evidence that the requirements for certification are satisfied. See Georgia-Pacific Consumer Products v. Ratner, 295 Ga. 524, 526 (1) (762 SE2d 419) (2014). Therefore, it was not enough for the claimants in Finnerty and Rite Aid merely to allege that identity theft was a possible, or even likely, result of the opposing party’s actions. And it was not enough for the plaintiffs in Boyd merely to allege that it was possible, or even likely, that their children would develop cancer as a result of the pesticide application. Given the stages in which those cases presented themselves to the Court of Appeals, evidence beyond mere allegations was required in order for the claimants to prevail.

Not so here. This case comes before us as an appeal from the grant of a motion to dismiss for failure to state a claim under OCGA § 9-11-12 (b) (6). Such a motion is properly granted when the plaintiff “would not be entitled to relief under any state of provable facts asserted in support” of the allegations in the complaint and “could not possibly introduce evidence within the framework of the complaint sufficient to warrant a grant of the relief sought.” Austin v. Clark, 294 Ga. 773, 774-775 (755 SE2d 796) (2014) (citation omitted). In deciding such a motion, any doubts regarding the complaint must be construed in favor of the plaintiff. Id. at 775.[3]

Here, the plaintiffs allege that criminals are now able to assume their identities fraudulently and that the risk of such identity theft is “imminent and substantial.” This amounts to a factual allegation about the likelihood that any given class member will have her identity stolen as a result of the data breach. As this case comes before us on a motion to dismiss, we must accept this factual allegation as true.

(b) The Court of Appeals’s prior cases involved a sort of exposure of data fundamentally different than the actual data theft in this case.

In addition to the differences in procedural posture, the facts of Finnerty and Rite Aid put them in a category different from that of this case. In neither Finnerty nor Rite Aid was there any reason to believe that the data in question had in fact fallen into a criminal’s hands; here, plaintiffs allege that their data was stolen by a criminal whose alleged purpose was to sell the data to other criminals. To conclude that the claimants in Finnerty and Rite Aid would likely suffer identity theft as a result of the opposing parties’ actions would have required a long series of speculative inferences, including that someone with malicious intent would obtain the data in the first place, that this person would attempt to use the data to steal the claimant’s identity or make the data available to someone who would attempt to do so, and that the would-be identity thief would succeed in fraudulent usage of the claimant’s identity. See also McLoughlin v. People’s United Bank, Inc., 2009 WL 2843269, at *7- *8 (Case No. 3:08-cv-00944 (VLB), D. Conn., decided Aug. 31, 2009) (where box containing backup tapes of electronic banking data was lost or stolen from truck with broken lock — with no indication that box was stolen for the data it contained — no injury under Connecticut tort law, as tapes “could have been inadvertently discarded or destroyed,” or “collecting dust in some forgotten warehouse,” and it “is only through speculation that one concludes that they are in possession of an individual who is driven to maliciously mine the tapes for the personal data that they contain”).

Those cases are far different from this one.
Here, the plaintiffs alleged that (1) a thief stole a large amount of personal data by hacking into a business’s computer databases and demanded a ransom for the data’s return, (2) the thief offered at least some of the data for sale, and (3) all class members now face the “imminent and substantial risk” of identity theft given criminals’ ability to use the stolen data to assume the class members’ identities and fraudulently obtain credit cards, issue fraudulent checks, file tax refund returns, liquidate bank accounts, and open new accounts in their names. Assuming the truth of these allegations, as we must at this stage, we must presume that a criminal actor has maliciously accessed the plaintiffs’ data and has at least attempted to sell at least some of the data to other wrongdoers. Moreover, an important part of the value of that data to anyone who would buy it in that fashion is its utility in committing identity theft. See Remijas v. Neiman Marcus Group, LLC, 794 F3d 688, 693 (7th Cir. 2015) (“[I]t is plausible to infer that the plaintiffs have shown a substantial risk of harm from the . . . data breach. Why else would hackers break into a store’s database and steal consumers’ private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers’ identities.”).[4] Thus, we are much further along in the chain of inferences that one must draw in order to conclude that the plaintiffs here likely will suffer identity theft.[5]

As explained above, showing injury as a result of the exposure of data is easier in a case like this, where the data exposure occurs as a result of an act by a criminal whose likely motivation is to sell the data to others. But that easier showing of injury may well be offset by a more difficult showing of breach of duty.[6] Cf. Ga. Dept. of Labor v. McConnell, 305 Ga. 812, 815-816 (3) (a) (828 SE2d 352) (2019) (plaintiff failed to show that state agency owed him duty — under either OCGA § 10-1-393.8, OCGA § 10-1-910, or purported common law duty “to all the world not to subject others to an unreasonable risk of harm” — to protect their personal information from inadvertent, negligent disclosure (citation and punctuation omitted)). This case is at the motion to dismiss stage, and the Court of Appeals’s decision did not turn on this issue, so we leave it for another day.[7]

3. The plaintiffs’ negligence claim should not have been dismissed for failure to allege a cognizable injury.

Construing the plaintiffs’ allegations — particularly that criminals are able to assume their identities fraudulently as a result of the data breach and that the risk of such identity theft is “imminent and substantial” — in the light most favorable to the plaintiffs, we cannot say that the plaintiffs will not be able to introduce sufficient evidence of injury within the framework of the complaint. The plaintiffs allege that their personal data has been stolen on a mass scale by a criminal, who in turn has offered it for sale to other criminals. They also allege that, as a result, criminals are able to assume their identities and fraudulently obtain credit cards, issue fraudulent checks, file tax refund returns, liquidate bank accounts, and open new accounts in their names. These allegations raise more than a mere specter of harm. See Attias v. Carefirst, Inc., 865 F3d 620, 629 (D.C. Cir. 2017) (“No long sequence of uncertain contingencies involving multiple independent actors has to occur before the plaintiffs in this case will suffer any harm; a substantial risk of harm exists already, simply by virtue of the hack and the nature of the data that the plaintiffs allege was taken.”). These allegations are sufficient to survive a motion to dismiss the plaintiffs’ negligence claims.
Our conclusion that dismissal of the negligence claims for lack of injury is not warranted at this stage does not depend on the plaintiffs’ allegations that the breach has caused them to spend money attempting to mitigate the consequences of the breach by avoiding actual identity theft. Although this may represent all or some measure of the plaintiffs’ damages to date, their allegation that the criminal theft of their personal data has left them at an imminent and substantial risk of identity theft is sufficient at this stage of the litigation.[8]

4. Our conclusion is consistent with recent federal decisions applying Georgia law.

Recent persuasive federal district court decisions applying Georgia law in similar cases are consistent with our conclusion that the plaintiffs have pleaded a legally cognizable injury here. In litigation arising from hackers’ theft of the credit cardholder information of Arby’s customers, a district court rejected the defendant’s argument that the consumer plaintiffs’ negligence claims should be dismissed because they had not suffered “any out-of-pocket loss.” See In re Arby’s Restaurant Group Inc. Litigation, 2018 WL 2128441, at *11 (Civil Action No. 1:17-cv-0514-AT, N.D. Ga., decided March 5, 2018). Although the plaintiffs had alleged unauthorized charges on their credit card accounts — i.e., actual identity theft — the court also pointed to alleged costs associated with detection and prevention of identity theft in concluding that the allegations of injury were sufficient. Id. (“While Arby’s is correct that a plaintiff may not recover for injuries that are purely speculative, such as the potential risk of future identity theft, Plaintiffs’ Complaint alleges costs associated with actual data theft.” (emphasis added)).[9]

In another federal case over theft of consumers’ personal data by hackers, a district court also rejected the defendants’ argument that the plaintiffs’ Georgia tort claims failed because they had not pleaded a legally cognizable injury. See In re Equifax, Inc., Customer Security Breach Litigation, 362 FSupp3d 1295, 1314-1317 (N.D. Ga. 2019). Again, although the plaintiffs’ allegations in that case included allegations that some members of the class had suffered actual identity theft, the district court also pointed to the allegations about a risk of identity theft, as well as measures to mitigate that risk, in concluding that the allegation of injury was sufficient:

Plaintiffs here have alleged that they have been harmed by having to take measures to combat the risk of identity theft, by identity theft that has already occurred to some members of the class, by expending time and effort to monitor their credit and identity, and that they all face a serious and imminent risk of fraud and identity theft due to the Data Breach. These allegations of actual injury are sufficient to support a claim for relief.

Id. at *1315.[10]

Although ultimately this Court is the final arbiter of the meaning of Georgia law, the district courts’ conclusions in these cases are somewhat more persuasive because, although those cases also came before district courts on motions to dismiss, they were subject to the more stringent pleading standards governing federal cases. Compare Ashcroft v. Iqbal, 556 U. S. 662, 679 (129 SCt 1937, 173 LE2d 868) (2009) (under federal law, legal conclusions recited in complaint “must be supported by factual allegations” that “plausibly give rise to an entitlement to relief”), with Dillingham v. Doctors Clinic, P.A., 236 Ga. 302, 303 (223 SE2d 625) (1976) (under Georgia law, complaint need only “give the defendant fair notice of what the claim is and a general indication of the type of litigation involved; the discovery process bears the burden of filling in details”).

Because the Court of Appeals erred in concluding that the trial court properly dismissed the plaintiffs’ negligence claims due to failure to plead a legally cognizable injury, we reverse that holding. Because that error may have affected the Court of Appeals’s other holdings, we vacate those other holdings and remand the case.

Judgment reversed in part, vacated in part, and case remanded. All the Justices concur.

 