Saturday, March 30, 2019

Oral Argument Analysis: No Duty to Safeguard Another's Personal Information?

Last week we identified McConnell v. Georgia Department of Labor (S18C1316-17) as a case to watch for a potential statement the Court might make on the "duty to safeguard" another's personally identifiable information ("PII"). With the benefit of oral argument, it seems changes may be coming in data breach litigation involving Georgia companies and consumers.


Background:


Thomas McConnell filed a class action against the Georgia Department of Labor, alleging several tort claims in connection with the Department’s disclosure of PII belonging to members of the proposed class. Specifically, McConnell alleges that a Department employee sent an e-mail to approximately 1,000 applicants for unemployment benefits including a spreadsheet that listed the name, social security number, home phone number, e-mail address, and age of over 4,000 Georgians who had registered for Department services.

Proceedings Below: 




McConnell's tort claims include negligent disclosure of PII, breach of fiduciary duty, and invasion of privacy. The complaint seeks to recover out-of-pocket costs related to credit monitoring and identity protection services and damages resulting from the adverse impact to his credit score from the closing of accounts. 

The Superior Court of Cobb County granted the Department’s motion to dismiss McConnell’s complaint for failure to state a claim. McConnell appealed, and, in McConnell v. Dept. of Labor, 337 Ga. App. 457, 787 S.E.2d 794 (2016), the Court of Appeals. The Supreme Court granted cert and held that the Court of Appeals erred in addressing the merits before deciding the threshold issue of sovereign immunity. McConnell v. Dept. of Labor, 302 Ga. 18, 19, 805 S.E.2d 79 (2017). On remand, the trial court held that sovereign immunity barred the claims. The Court of Appeals disagreed, but held in any event that McConnell had indeed failed to state a claim. See McConnell v. Dept. of Labor, 345 Ga. App. 669 (2018).

Oral Argument Notes:

As a threshold matter, it appears the Court will affirm the Court of Appeals' statement that the claims were barred by sovereign immunity. The Georgia Tort Claims Act says plaintiffs can only recover for a "loss" as defined at 50-21-22(3), notably including "lost wages and economic loss." The "catchall" provision of the Tort Claims Act applies to "any other element of actual damages recoverable in actions for negligence."

The justices appeared to roundly reject the State's argument that the "catchall" provision did not include the type of economic harms McConnell alleged in claims for things like negligence and breach of fiduciary duty. Making a point echoed in questions from Justices Blackwell, Boggs, and Bethel, Justice Nahmias framed the problem: "I don't understand it that we look at the merits to decide if there is an actual negligence claim, then we look back and say 'ok well there is no actual negligence claim on the merits, so now there's sovereign immunity'; my understanding is if you allege negligence, that waives sovereign immunity, and then you go look to the merits of the problem."

The merits argument, on the other hand, did not bode as well for Georgia data breach plaintiffs. 

While the government was careful to distinguish McConnell's claims from recent data breach cases in Federal Courts for the Northern District of Georgia, see In Re Arby's Restaurant Group Inc. Litig., No. 1:17-cv-1035-AT, 2018 WL 2128441 at *3-5 (N.D.Ga. March 5, 2018) and In Re The Home Depot Inc., Customer Data Security Breach Litigation, No. 1:14-md-2583-TWT 2016 WL 2897520 *3-4 (N.D.Ga. May 18, 2016), which dealt with a duty to safeguard personal information against criminal hacking, the Court was more concerned with the underlying question of "are those cases [even] correct?" (The government initially answered yes.)

In particular, the Court clearly rejected the Plaintiffs' submission, based on the opinion of a divided Court in Bradley Center, Inc. v. Wessner, 250 Ga. 199, 201 (1982) (dealing with a doctor's duty to protect third parties against mental health patients who are or could be dangerous), that Georgia law imposes a general duty “to all the world not to subject them to an unreasonable risk of harm.” While Bradley Center has been cited in Arby's and Home Depot by federal courts to find a duty to safeguard PII, the relevant portion of the opinion in Bradley Center was joined by only two members of the (then 7 member) Court, and did not cite to any prior Georgia law. See id. Justice Nahmias, in particular, openly stated that he did not believe Bradley Center represents an authoritative statement of the scope of duty in Georgia.

The Justices seemed similarly skeptical of the idea that, because there are Georgia statutes touching on the privacy interests individuals have in PII (e.g. the Georgia Personal Identity Protection Act of 2007 (O.C.G.A. 10-1-910 et seq.)), the law therefore imposes a duty to safeguard it via the force of those statutes or some overarching common law principle.

Interestingly, Chief Justice Melton did ask Senior Assistant Attorney General Loretta Pinkston-Pope "is the net effect that the State that collects sensitive personal identifying information has no duty to maintain the security of that information?" But if the Chief Justice was sufficiently troubled by the possibility to disagree with other members of the Court as to the overarching "duty" question, he did not signal it at any point during the argument. 


The upshot 

The outcome in McConnell seems fairly clear: the Court will probably affirm the Court of Appeals' decision that (1) the Tort Claims Act does not bar McConnell's claims, but (2) dismissal on the merits was proper.

Less clear is exactly what, and how much, the Court will say about the broader duty to safeguard personally identifiable information in data breach cases. The Court might frame the issue narrowly, and simply say that the Department of Labor did not owe the plaintiff class any duty because no statutory or common law principle covers the type of accidental disclosure alleged in the case. After all, McConnell is not a typical "data breach" case in the sense that, unlike in Arby's and Home Depot, the data was compromised by accidental disclosure rather than criminal hacking. See also Collins v. Athens Orthopedic Clinic, 347 Ga. App. 13 (2018).

Even so, the Court might choose to go further; as Justice Nahmias pointed out during argument, there is little to distinguish accidental disclosure situations from criminal hacking if there is not an underlying duty to safeguard another's PII. If the opinion tracks the tenor of the argument the Court may go so far as to say that, barring some special relationship or contractual agreement, no duty to safeguard exists under Georgia law. 






