Data Breach Class Actions – Georgia Supreme Court Rejects Duty to Safeguard Personal Information

Takeaway:  Plaintiffs in data breach class actions usually assert common law tort claims, such as claims for negligence, gross negligence, and negligence per se.  Negligence claims, however, require the breach of a recognized duty, and whether such a legal duty exists turns on the statutes and decisional law peculiar to a particular state.  In Georgia Dep’t of Labor v. McConnell, Nos. S18G1316 & S18G1317, 2019 WL 2167323, at *3 (Ga. May 20, 2019), the Georgia Supreme Court affirmed the Georgia Court of Appeals’ conclusion that Georgia law does not recognize a duty to safeguard personal information.  The McConnell decision should be a powerful tool for data breach defendants whenever the tort claims are governed by Georgia law. 

In McConnell, Thomas McConnell filed a putative class action against the Georgia Department of Labor, asserting a negligence claim (among other claims) arising from the Department’s accidental disclosure of the personal information of McConnell and the putative class members.  According to McConnell, an employee of the Georgia Department of Labor, while acting within the scope of his official employment, sent an email to approximately 1,000 Georgians who had applied to the Department for services such as unemployment benefits. Attached to the email was a spreadsheet identifying the name, social security number, home phone number, email address, and age of over 4,000 Georgians (including McConnell) who had registered for Department services.  Based on this conduct, McConnell alleged a claim for the negligent disclosure of personal information, seeking, as damages, out-of-pocket costs (for credit monitoring and identity protection services), damages arising from the adverse impact to credit scores, and damages for the “fear, upset, anxiety and injury to peace and happiness related to the disclosure of [his] personal identifying information, …” 2018 WL 2173252, at *1.

The trial court dismissed the negligence claim, ruling “there is no legal duty [under Georgia law] to safeguard personal information.” Id. at *5.  McConnell appealed this decision to the Georgia Court of Appeals.  In 2016, the appellate court affirmed the trial court on the merits, explaining that Georgia’s Legislature only imposed “notice” obligations after a data breach has occurred and had not imposed “any standard of conduct in implementing and maintaining data security practices.”  McConnell v. Ga. Dep’t of Labor, 337 Ga. App. 457, 787 S.E.2d 794, 799 (2016).  But the Georgia Supreme Court vacated that decision, ruling that the Court of Appeals first should have addressed the threshold issue of sovereign immunity before turning to the merits.  McConnell v. Ga. Dep’t of Labor, 302 Ga. 18, 805 S.E.2d 79 (Ga. 2017).

On remand, the Court of Appeals again ruled that McConnell’s negligence claim was properly dismissed.  McConnell v. Georgia Department of Labor, 345 Ga. App. 669, 814 S.E.2d 790 (2018).  After ruling sovereign immunity did not bar the claims, the court rejected McConnell’s arguments that the Georgia Personal Identity Protection Act (OCGA §§ 10–1–910 through 10–1–915 (the “GPIPA”)) gave rise to a common law duty.  The court found “because the GPIPA does not impose any standard of conduct in implementing and maintaining data security practices, we conclude that it cannot serve as the source of a general duty to safeguard personal information.”  2018 WL 2173252, at *6.

In Georgia Dep’t of Labor, 2019 WL 2167323, at *3, the Georgia Supreme Court affirmed the Georgia Court of Appeals’ 2018 decision, agreeing that sovereign immunity did not apply but concluding that McConnell failed to show “that the Department owed him or the other proposed class members a duty to protect their information against negligent disclosure.”

The Georgia Supreme Court first rejected McConnell’s reliance on the purported common-law duty “‘to all the world not to subject [others] to an unreasonable risk of harm’” established in a prior decision by the Supreme Court, Bradley Center, Inc. v. Wessner, 250 Ga. 199, 201, 296 S.E.2d 693, 695 (1982).  The court was not persuaded by McConnell’s broad interpretation of Bradley Center, finding that it “was not a correct statement of the law, did not control the result in that case (which was based on a “special relationship” between the plaintiff and the defendant), and has never been endorsed in a decision of this Court that qualifies as precedent.”  2019 WL 2167323, at *3.  The Supreme Court further “overruled” cases relying on Bradley Center and “disapproved” cases reciting the “unreasonable risk of harm” language.  Id.

The court next held that the GPIPA also did not create “a legal duty on the part of the Department to safeguard [McConnell] and the other proposed class members' personal information.”  Id.  The court reasoned that, although the GPIPA contains findings about the risk of identity theft, it “does not explicitly establish any duty, nor does it prohibit or require any conduct at all.”  Id.  The Georgia Supreme Court therefore affirmed the Court of Appeals’ dismissal of McConnell’s negligence claim for failure to state a claim.

In a footnote, the Georgia Supreme Court stated that a duty to safeguard personal information might still arise in the right case.  2019 WL 2167323, at *3 n.5.  But the court’s ruling should result in the dismissal of negligence claims governed by Georgia law in all but the most extreme data breach cases.
