The Court issued two notable opinions today: the first dealing with data breach litigation, the second with whether federal regulations may preclude an action under a federal statute.
Collins deals with the ability of plaintiffs to bring claims against allegedly negligent companies following a data breach in which the plaintiffs' information was compromised. Specifically, whether plaintiffs who have not yet suffered identity theft have nonetheless sufficiently alleged "harm" to survive a motion to dismiss.
Background
In Collins, a group of clinic patients brought a class action suit alleging negligence and related claims arising out of the data breach of the clinic's computer systems by a hacker known as the "Dark Overlord." The plaintiffs alleged "[a]s a direct and proximate result of [AOC's] negligence, Plaintiffs and other class members have suffered, or will suffer, damages, including the cost of identity theft protection and/or credit monitoring services and the costs associated with placing and maintaining a credit freeze on their accounts." See Collins v. Athens Orthopedic Clinic, 347 Ga. App. 13, 15 (2018). The trial court granted Athens Orthopedic Clinic (AOC)'s motion to dismiss without identifying the specific basis for the dismissal.
The Decision Below
The Court of Appeals affirmed the dismissal, explaining that "[w]hile we have never addressed directly whether prophylactic costs anticipated or incurred to protect oneself against the threat of identity theft following a data breach constitute "loss or damage," in prior cases the Court had said that harm relating to wrongful disclosure of sensitive information was "too speculative to form the basis of recovery." See id. (citations omitted). Further, in toxic tort cases the Court had held that an "increased risk of cancer" and the need for "monitoring [for the development of adverse health consequences] in the future," were insufficient to state a cognizable claim under Georgia law. Thus "as in the context of medical monitoring in toxic tort cases, prophylactic measures such as credit monitoring and identity theft protection and their associated costs" are not "compensable injury" sufficient to support a negligence claim.
Judge McFadden dissented in part, arguing the majority opinion should not have pretermitted standing and simply dismissed for failure to state a claim. Judge McFadden would have reversed the trial court's undifferentiated dismissal on a finding that the plaintiff's did have standing, and remanded the case for further proceedings.
The Court's Decision
Writing for the Court, Justice Peterson held that the Plaintiffs had indeed alleged cognizable injury. The caselaw the Court of Appeals relied on in their decision below, Justice Peterson wrote, was inapplicable for two reasons. First, those decisions were not issued in the context of a motion to dismiss. As a result, the failure of Plaintiffs in those cases to produce evidence of harm did not necessarily mean that the Plaintiff's in this case could not adequately allege harm along the same lines. Second, none of the Court of Appeals' previous data breach cases had dealt with deliberate criminal theft for the purpose of selling the data to other criminals. As a result, whereas in those cases "[t]o conclude that the claimants [in those cases] would likely suffer identity theft as a result of the opposing parties' actions would have required a long series of speculative inferences," here, no such inferential chain was necessary. As the United States Court of Appeals for the 7th Circuit put it "[w]hy else would hackers break into a store's database and steal consumers' private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers' identities." Remijas v. Neiman Marcus Group, 794 F.3d 688, 693 (7th Cir. 2015).
Thus, the Court held, data breach plaintiffs may be able to allege cognizable harm. "Construing the plaintiffs’ allegations — particularly that criminals are able to assume their identities fraudulently as a result of the data breach and that the risk of such identity theft is 'imminent and substantial' — in the light most favorable to the plaintiffs, we cannot say that the plaintiffs will not be able to introduce sufficient evidence of injury within the framework of the complaint."
Importantly, Justice Peterson explained that the Court's decision did not depend on the allegation that they had spent money on measures like identity theft protection: "[a]lthough this may represent all or some measure of the plaintiffs’ damages to date, their allegation that the criminal theft of their personal data has left them at an imminent and substantial risk of identity theft is sufficient at this stage of the litigation."
Background
In Collins, a group of clinic patients brought a class action suit alleging negligence and related claims arising out of the data breach of the clinic's computer systems by a hacker known as the "Dark Overlord." The plaintiffs alleged "[a]s a direct and proximate result of [AOC's] negligence, Plaintiffs and other class members have suffered, or will suffer, damages, including the cost of identity theft protection and/or credit monitoring services and the costs associated with placing and maintaining a credit freeze on their accounts." See Collins v. Athens Orthopedic Clinic, 347 Ga. App. 13, 15 (2018). The trial court granted Athens Orthopedic Clinic (AOC)'s motion to dismiss without identifying the specific basis for the dismissal.
The Decision Below
The Court of Appeals affirmed the dismissal, explaining that "[w]hile we have never addressed directly whether prophylactic costs anticipated or incurred to protect oneself against the threat of identity theft following a data breach constitute "loss or damage," in prior cases the Court had said that harm relating to wrongful disclosure of sensitive information was "too speculative to form the basis of recovery." See id. (citations omitted). Further, in toxic tort cases the Court had held that an "increased risk of cancer" and the need for "monitoring [for the development of adverse health consequences] in the future," were insufficient to state a cognizable claim under Georgia law. Thus "as in the context of medical monitoring in toxic tort cases, prophylactic measures such as credit monitoring and identity theft protection and their associated costs" are not "compensable injury" sufficient to support a negligence claim.
Judge McFadden dissented in part, arguing the majority opinion should not have pretermitted standing and simply dismissed for failure to state a claim. Judge McFadden would have reversed the trial court's undifferentiated dismissal on a finding that the plaintiff's did have standing, and remanded the case for further proceedings.
The Court's Decision
Writing for the Court, Justice Peterson held that the Plaintiffs had indeed alleged cognizable injury. The caselaw the Court of Appeals relied on in their decision below, Justice Peterson wrote, was inapplicable for two reasons. First, those decisions were not issued in the context of a motion to dismiss. As a result, the failure of Plaintiffs in those cases to produce evidence of harm did not necessarily mean that the Plaintiff's in this case could not adequately allege harm along the same lines. Second, none of the Court of Appeals' previous data breach cases had dealt with deliberate criminal theft for the purpose of selling the data to other criminals. As a result, whereas in those cases "[t]o conclude that the claimants [in those cases] would likely suffer identity theft as a result of the opposing parties' actions would have required a long series of speculative inferences," here, no such inferential chain was necessary. As the United States Court of Appeals for the 7th Circuit put it "[w]hy else would hackers break into a store's database and steal consumers' private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers' identities." Remijas v. Neiman Marcus Group, 794 F.3d 688, 693 (7th Cir. 2015).
Thus, the Court held, data breach plaintiffs may be able to allege cognizable harm. "Construing the plaintiffs’ allegations — particularly that criminals are able to assume their identities fraudulently as a result of the data breach and that the risk of such identity theft is 'imminent and substantial' — in the light most favorable to the plaintiffs, we cannot say that the plaintiffs will not be able to introduce sufficient evidence of injury within the framework of the complaint."
Importantly, Justice Peterson explained that the Court's decision did not depend on the allegation that they had spent money on measures like identity theft protection: "[a]lthough this may represent all or some measure of the plaintiffs’ damages to date, their allegation that the criminal theft of their personal data has left them at an imminent and substantial risk of identity theft is sufficient at this stage of the litigation."
Norfolk Southern Railway Company v. Hartry et al
Norfolk Southern poses the question of whether claims under the Federal Employers Liability Act ("FELA") are precluded by regulations issued pursuant to the Federal Railroad Safety Act ("FRSA") - the Court held today they are not.
Background
In June 2010 the gates at a public railway crossing were down for an extended period of time, such that cars approaching the crossing began to simply drive around them in the belief no trains were approaching. One such driver pulled around the gates, causing an accident which injured Harty, the train's driver (and Plaintiff in the case).
Proceedings Below
As relevant here, Hartry sued Norfolk Southern under FELA alleging it had failed to maintain the crossing gates, resulting in an unsafe work environment. The trial court granted summary judgement to Norfolk Southern on the ground that the FRSA precluded FELA claims. The Court of Appeals reversed, and the Supreme Court granted certiorari.
The Court's Decision
Writing for the Court, Justice Bethel wrote that FELA claims are not precluded by FERSA.
FELA provides railroad employees with a federal cause of action for injuries resulting for the negligence of a railroad. FRSA, by contrast, was enacted to promote railroad safety generally (i.e. not limited to employees) by granting the Secretary of Transportation power to make rules and regulations. Importantly, the FRSA has no private right of action, so the only persons with power to enforce its provisions are the Secretary of Transportation, the States, and the Attorney General.
In rejecting Norfolk Southern's preclusion argument, Justice Bethel noted that while the FRSA has an express preemption to prevent state law from interfering with national uniformity, it contains no provision to displace other federal laws operating in the same area. Further, while there is language in the statute speaking to the need for national uniformity in Railroad safety laws,this provision is found in the law's preemption provision. Without any textual indication of preclusion, it is conceivable that Congress could provide for overlapping causes of action. This is particularly true in light of the fact that FELA and the FLSA have coexisted for decades with no action to change their relationship.
The full opinion is available here.
Background
In June 2010 the gates at a public railway crossing were down for an extended period of time, such that cars approaching the crossing began to simply drive around them in the belief no trains were approaching. One such driver pulled around the gates, causing an accident which injured Harty, the train's driver (and Plaintiff in the case).
Proceedings Below
As relevant here, Hartry sued Norfolk Southern under FELA alleging it had failed to maintain the crossing gates, resulting in an unsafe work environment. The trial court granted summary judgement to Norfolk Southern on the ground that the FRSA precluded FELA claims. The Court of Appeals reversed, and the Supreme Court granted certiorari.
The Court's Decision
Writing for the Court, Justice Bethel wrote that FELA claims are not precluded by FERSA.
FELA provides railroad employees with a federal cause of action for injuries resulting for the negligence of a railroad. FRSA, by contrast, was enacted to promote railroad safety generally (i.e. not limited to employees) by granting the Secretary of Transportation power to make rules and regulations. Importantly, the FRSA has no private right of action, so the only persons with power to enforce its provisions are the Secretary of Transportation, the States, and the Attorney General.
In rejecting Norfolk Southern's preclusion argument, Justice Bethel noted that while the FRSA has an express preemption to prevent state law from interfering with national uniformity, it contains no provision to displace other federal laws operating in the same area. Further, while there is language in the statute speaking to the need for national uniformity in Railroad safety laws,this provision is found in the law's preemption provision. Without any textual indication of preclusion, it is conceivable that Congress could provide for overlapping causes of action. This is particularly true in light of the fact that FELA and the FLSA have coexisted for decades with no action to change their relationship.
The full opinion is available here.
Life Sentences and Murder Convictions
S19G0472. WILKERSON v. THE STATE
S19A0992, S19A1006. NICHOLSON v. THE STATE (two cases)S19A0995. THE STATE v. RUMPH
S19A1017. BULLARD v. THE STATE
S19A1087. BALLIN v. THE STATE
S19A1215. MCGUIRE v. THE STATE
S19A1248. JONES v. THE STATE
S19A1280. CASH v. THE STATE
S19A1334. SPENCE v. THE STATE
S19A1342. REED v. THE STATE
S19A1344. CLARK v. THE STATE
S19A1396. DENSON v. THE STATE
S19A1504. RAMIREZ v. THE STATE
S19A1582. GEBHARDT v. THE STATE
S20A0100. DOZIER v. THE STATE
Attorney Discipline Cases
S19Z1567 IN THE MATTER OF SANDRA M. FULLER
S20Y0289 IN THE MATTER OF SARAH MALLAS WAYMAN
Betway Casino NZ - Mapyro
ReplyDeleteFind 동해 출장샵 the best Betway casino in New Zealand and New Zealand and get 오산 출장안마 a 진주 출장샵 bonus. 당진 출장샵 How to use it? The Betway Casino mobile casino is available 강원도 출장안마 for use in the state.