CHRISTINE COLLINS ET AL. v. ATHENS ORTHOPEDIC CLINIC

FIFTH DIVISION
MCFADDEN, P. J., RAY and RICKMAN, JJ.

NOTICE: Motions for reconsideration must be physically received in our clerk’s office within ten days of the date of decision to be deemed timely filed. http://www.gaappeals.us/rules

June 27, 2018

In the Court of Appeals of Georgia

A18A0296. COLLINS, et al. v. ATHENS ORTHOPEDIC CLINIC.

RAY, Judge.

After an anonymous hacker known as the “Dark Overlord” stole the personally identifiable information (“PII”) of approximately 200,000 current and former Athens Orthopedic Clinic (“AOC”) patients, Christine Collins, Paulette Moreland, and Kathryn Strickland (collectively, the “Plaintiffs”) filed a putative class action. The trial court granted AOC’s motion to dismiss, and the Plaintiffs appealed, arguing that the trial court erred by implicitly finding that they failed to state a claim and lacked standing under Article III of the United States Constitution; and by relying on facts outside the four corners of the complaint. We affirm.

We review the grant of a motion to dismiss de novo, construing the factual allegations of the complaint in the light most favorable to the plaintiff. Radio Perry v. Cox Communications, Inc., 323 Ga. App. 604, 605 (1) (746 SE2d 670) (2013). The complaint should be dismissed only if its allegations demonstrate with certainty that the claimants “would not be entitled to relief under any state of provable facts asserted in support thereof; and . . . the movant establishes that the claimant could not possibly introduce evidence within the framework of the complaint sufficient to warrant a grant of the relief sought.” (Citation omitted.) Id.

Plaintiffs allege that the hack took place and was discovered by AOC in June 2016, and that AOC notified them of the breach in August 2016.
The Dark Overlord apparently gained access to the PII database by using a third-party vendor’s log-in credentials, and when AOC refused to pay a ransom for the information, the Dark Overlord offered some of it for sale on the “Dark Web,”[1] and made some of it at least temporarily available on Pastebin, a data-storage website designed to facilitate the sharing of large amounts of data online. Plaintiffs allege that the data breach exposes them to the threat of identity theft and other harm. All three Plaintiffs were notified that their information had been compromised, and spent time placing fraud or credit alerts on their credit reports. Only Collins had fraudulent charges made on her credit card and spent time getting them reversed.[2]

[1] The “Dark Web” refers broadly to the part of the World Wide Web that is only accessible by special software, allowing users to remain anonymous. See “DarkWeb” Wikipedia, https://en.wikipedia.org/wiki/Dark_web (accessed May 7, 2018).

[2] We note that Collins does not allege within the complaint that the fraudulent charges were related to the data breach.

On January 20, 2017, the Plaintiffs filed a putative class action alleging violation of the Georgia Uniform Deceptive Trade Practices Act (OCGA § 10-1-370, et seq.), breach of implied contract, unjust enrichment, and negligence. Plaintiffs also seek a declaratory judgment and attorney fees. They seek reimbursement for costs incurred and future costs to be incurred for the purchase of credit monitoring and identity theft protection, or the placing of credit freezes on their accounts, as well as injunctive relief.

On June 26, 2017, the trial court granted AOC’s motion to dismiss. The order states, in its entirety:

Before the Court is Defendant [AOC’s] motion to dismiss pursuant to OCGA § 9-11-12, which motion having come on for a hearing June 14, 2017.
Having considered the oral arguments of counsel, the briefs of Plaintiffs and the Defendant and all pleadings, but having considered no matters outside the pleadings, it is hereby ORDERED that the Motion to Dismiss is GRANTED.

1. Plaintiffs argue that the trial court erred in considering matters outside the complaint. They point, inter alia, to questions the trial court asked during the hearing on the motion to dismiss. Where matters outside the pleadings are presented, “a further determination has to be made as to whether the trial court excluded them. If the trial court excluded such matters, then the motion is for dismissal. If the trial court considered such matters, then the motion is for summary judgment.” (Citations omitted.) Thompson v. Avion Systems, Inc., 284 Ga. 15, 16-17 (663 SE2d 236) (2008). Here, the trial court’s order expressly stated that it “considered no matters outside the pleadings[.]” We find no error.

2. Plaintiffs argue, generally, that the trial court erred in dismissing their complaint by implicitly finding that they failed to state a claim and lacked standing under Article III.

(a) Negligence claim. To state a cause of action for negligence in Georgia, the Plaintiffs must show

(1) A legal duty to conform to a standard of conduct raised by the law for the protection of others against unreasonable risks of harm; (2) a breach of this standard; (3) a legally attributable causal connection between the conduct and the resulting injury; and, (4) some loss or damage flowing to the plaintiff’s legally protected interest as a result of the alleged breach of the legal duty . . . It is well-established Georgia law that before an action for a tort will lie, the plaintiff must show he sustained injury or damage as a result of the negligent act or omission to act in some duty owed to him.

(Citations and punctuation omitted) Whitehead v. Cuffie, 185 Ga. App. 351, 352-353 (2) (364 SE2d 87) (1987).
The complaint alleges that “[a]s a direct and proximate result of [AOC’s] negligence, Plaintiffs and other Class Members have suffered, or will suffer, damages, including the cost of identity theft protection and/or credit monitoring services and the costs associated with placing and maintaining a credit freeze on their accounts over the course of a lifetime.” 5 While we never have addressed directly whether prophylactic costs anticipated or incurred to protect oneself against the threat of identity theft following a data breach constitute “loss or damage” pursuant to Whitehead, supra, some Georgia cases offer guidance. In Finnerty v. State Bank and Trust Co., 301 Ga. App. 569 (687 SE2d 842) (2009), disapproved on other grounds by Cumberland Contractors, Inc. v. State Bank and Trust Co., 327 Ga. App. 121, 125 (2), n. 4 (755 SE2d 511) (2014), Finnerty, a signatory on a promissory note, counterclaimed against a bank suing him for default. He alleged invasion of privacy and negligence because the bank disclosed his Social Security number in the complaint. Id. at 569. Finnerty argued that he suffered “‘an increased risk of identity theft’ and that ‘non-authorized third parties have access to the otherwise confidential personal information[.]’” Id. at 572 (4). We affirmed the trial court’s grant of summary judgment to the bank, finding that “[a] fear of future damages is too speculative to form the basis for recovery.” (Footnote omitted.) Id. This Court found that Finnerty “failed to demonstrate that the [b]ank’s purported unlawful disclosure made it ‘probable’ that he would suffer any identity theft or that any specific persons actually have accessed his confidential personal information[.]” Id. 6 The instant case differs in that Plaintiffs alleged that the “Dark Overlord” had accessed their PII, offered to sell it on the Dark Web, and placed it, at least temporarily, on Pastebin. 
However, as OCGA § 51-12-8 provides, “[i]f the damage incurred by the plaintiff is only the . . . possible result of a tortious act . . . such damage is too remote to be the basis of recovery against the wrongdoer.” See generally Rite Aid of Ga. v. Peacock, 315 Ga. App. 573, 576 (1) (a) (i) (726 SE2d 577) (2012) (in appeal of case alleging, inter alia, breach of contract and unjust enrichment, this Court pretermitted whether the sale of the plaintiff’s personal medication information was illegal and reversed class certification, finding a lack of commonality in that “although [plaintiff] felt that the sale of his prescription information to Walgreens was illegal, he could not say that he had suffered any actual financial or physical injury. . . .) (emphasis in original). While Finnerty and Rite Aid are factually and procedurally distinct from the present case in that they did not involve motions to dismiss and did not feature theft of PII, they nonetheless suggest that the fact of compromised data is not a compensable injury by itself in the absence of some “loss or damage flowing to the plaintiff’s legally protected interest as a result of the alleged breach of the legal duty[.]” (Citation and punctuation omitted.) Whitehead, supra at 352 (2). 7 Further, the instant factual scenario finds a fitting analogue in the context of other torts. In Boyd v. Orkin Exterminating Co., 191 Ga. App. 38, 40-41 (1), (2) (381 SE2d 295) (1989), overruled on other grounds by Hanna v. McWilliams, 213 Ga. App. 648, 651 (2) (b) (446 SE2d 741) (1994), the plaintiffs sued Orkin for the negligent application of insecticide in their home. The trial court found that the plaintiffs’ children’s claims were barred to the extent that they sought damages for the “increased risk of cancer” to which they had been exposed. 
In affirming the grant of summary judgment, we explained: [e]ven assuming arguendo that there was sufficient evidence before the jury to support a finding that Orkin had been negligent in its application of pesticides to the Boyds’ home, there was no evidence that the appellants had sustained any specific injury . . . The results of organ function tests conducted on the children were all within normal range . . . . [Further,] [w]e reject the appellants’ contention that the jury could have assessed damages against Orkin based on expert testimony that the presence of elevated levels of the heptachlor metabolite in the children’s blood itself constituted “injury.” Absent any indication that the presence of these metabolites had caused or would eventually cause actual disease, pain, or impairment of some kind, this testimony must be considered insufficient to support an award of damages in any amount. 8 (Punctuation omitted; emphasis supplied.) Id. at 40 (1). In both Boyd and the case before us, the defendant’s alleged negligence exposed the Plaintiffs to a risk of harm which may or may not occur, be it disease in Boyd or identity theft in the instant action. What is crucial to our analysis is whether the data theft, as Boyd provides, “had caused or would eventually cause” injury.3 With regard to the increased risk of harm, we found that the trial court did not err in granting partial summary judgment to Orkin: on the issue of the appellants’ right to recover for the alleged “increased risk of cancer” to which the children had been exposed as a result of the termite treatments. In those jurisdictions which have allowed recovery for an enhanced future risk of developing a new complication, the claimant has been required to establish a “reasonable medical certainty” that such consequences will occur . . . The evidence present in this case falls far short of that standard. 
The appellants merely produced medical testimony that the children will require monitoring in the future to determine whether they developed health problems due to their exposure to the chemicals. 3 See generally Pisciotta v. Old Nat. Bancorp., 499 F3d 629, 634 (II) (A), 638640 (II) (B) (2), (3) (7th Cir. 2007) (finding data breach plaintiffs had Article III standing but failed to state a claim because, based on toxic tort and medical monitoring cases, Indiana law did not consider exposure to identity theft and costs of protective measures compensable injury). 9 (Emphasis supplied.) Boyd, supra at 40-41 (2). See also Crawford W. Long Memorial Hosp. v. Hardeman, 84 Ga. App. 306, 306 (2) (66 SE2d 67) (1951) (in negligence action, plaintiff’s allegations regarding future medical expenses likely to be incurred by his wife were too speculative, absent itemization and substantiating facts). Compare In Re Arbys Restaurant Group Inc. Litig., 1:17-mi-55555-AT at 27 (N.D. Ga. 2018) (finding that a complaint survived a motion to dismiss where, although “a plaintiff may not recover for injuries that are purely speculative, such as the potential risk of future identity theft, Plaintiffs’ Complaint alleges costs associated with actual data theft”) (Footnote omitted; emphasis supplied.) Id. See generally Resnick v. AvMed, Inc., 693 F.3d 1317, 1321-1324 (I) - (II), (V) (A) (11th Cir. 
2012) (finding, pursuant to Florida law, that plaintiffs successfully stated a claim for, inter alia, negligence and breach of contract following the theft of company laptops containing their personal information, where they alleged “financial injury” as victims of identity theft and showed that, variously, third parties had opened bank accounts, changed a home address with the United States Postal Service, and activated credit cards, made 10 purchases in one plaintiff’s name, and opened and overdrawn an E*Trade account in another plaintiff’s name).4 Again, the Plaintiffs allege that their information has been compromised and that they have spent time placing fraud or credit alerts on their accounts and “anticipate” spending more time on these activities.5 Plaintiffs claim damages, specifying only the cost of identity theft protection, credit monitoring, and credit freezes to be maintained “over the course of a lifetime.” While credit monitoring and other precautionary measures are undoubtedly prudent, we find that they are not recoverable damages on the facts before us because the Plaintiffs seek only to recover for an increased risk of harm. See generally Parker v. Wellman, 230 Fed. Appx. 878, 883 (III) (A) (11th Cir. 2007) (“Plaintiffs have failed to point us to any Georgia authority that allows recovery of medical monitoring costs in the absence of a current physical injury, and Boyd[, supra] suggests that Georgia would not recognize such a 4 Other than decisions of the United States Supreme Court, we are not, of course, bound by federal law, though it is instructive. 5 As previously set forth, although one Plaintiff alleges she also spent time getting fraudulent charges reversed, she does not allege that the charges were related to or caused by the data breach. 
See generally Resnick, supra at 1330-1332 (discussion, in dissent, of view that plaintiffs failed to state a claim where complaint did not allege plausible basis for finding that defendant caused plaintiffs to suffer identity theft). 11 claim”) (citation and footnote omitted). We find that, as in the context of medical monitoring in toxic tort cases, prophylactic measures such as credit monitoring and identity theft protection and their associated costs, which are designed to ward off exposure to future, speculative harm, are insufficient to state a cognizable claim under Georgia law. See Common Cause/Georgia v. Campbell, 268 Ga. App. 599, 600, 602 (2) (602 SE2d 333) (2004) (where defendant argued that plaintiff lacked standing and failed to state a claim, this Court upheld motion to dismiss because relief sought was not legally cognizable). (b) Breach of implied contract claim. Plaintiffs also argue that the trial court erred in dismissing their claim for breach of implied contract, arguing that they provided their PII to AOC as a required part of receiving care from AOC, and that, in return, AOC promised to safeguard their PII and timely notify them if it was compromised.6 For the reasons outlined in Division (1) (a), in that the Plaintiffs have not alleged a legally cognizable claim, their claim for breach of implied contract also must fail. “The elements for a breach of contract claim in Georgia are the (1) breach 6 AOC contends that there can be no implied contract because an express contract exists between AOC and its patients. 12 and the (2) resultant damages (3) to the party who has the right to complain about the contract being broken.” (Citation and punctuation omitted.) Roberts v. JP Morgan Chase Bank, Nat. Assoc., 342 Ga. App. 73, 76 (1) (802 SE2d 880) (2017). As outlined above, the harms alleged in the complaint are too speculative under our law to constitute “damages” and the Plaintiffs seek a prophylactic recovery, for which our law does not provide. 
Plaintiffs argue that costs such as identity theft protection, credit monitoring, and costs associated with a credit freeze are “classic measures of consequential damages” because they are incurred to mitigate “foreseeable” damages. However, mitigation damages lessen the severity of an injury that already has taken place; if no injury occurred, there is no legally cognizable harm to mitigate. See OCGA § 13-6-5 (“[w]here by a breach of contract a party is injured, he is bound to lessen the damages as far as is practicable . . . “) (emphasis supplied). See generally Lyon v. Schramm, 291 Ga. App. 48, 52 (661 SE2d 178) (2008) (absent injury, there is no duty to mitigate). Thus, since Plaintiffs here have not yet suffered a compensable injury, the costs they reference are prophylactic and may not be recovered as consequential damages. 13 (c) Declaratory judgment claim. Plaintiffs argue on appeal that the trial court erred in dismissing their declaratory judgment claim. In their complaint, Plaintiffs sought a declaration that AOC is not in compliance with its “existing obligations, and that [AOC] must implement specific additional, prudent security practices” and “provide credit monitoring and identity theft protection” to the Plaintiffs. As an initial matter, Plaintiffs cite to no Georgia authority requiring AOC to provide them with credit monitoring or identity theft protection at this juncture, nor do we discern any. Further, although Plaintiffs contend that they “need court guidance to protect them from the uncertainty of AOC’s inability to safeguard their PII[,]” the pleadings do not actually show any uncertainty which a declaration by a court would resolve. [A] declaratory judgment may not be granted in the absence of a justiciable controversy. 
The plaintiff must show facts or circumstances whereby it is in a position of uncertainty or insecurity because of a dispute and of having to take some future action which is properly incident to its alleged right, and which future action without direction from the court might reasonably jeopardize its interest. (Citation and punctuation omitted.) Effingham County Bd. of Com’rs v. Effingham County Indus. Dev. Auth., 286 Ga. App. 748, 749 (650 SE2d 274) (2007). “[W]hen 14 a party seeking declaratory judgment does not show it is in a position of uncertainty as to an alleged right, dismissal of the declaratory judgment action is proper.” (Citations omitted.) SAWS at Seven Hills, LLC v. Forestar Realty, Inc., 342 Ga. App. 780, 783 (1) (805 SE2d 270) (2017). Here, Plaintiffs already have taken measures to protect themselves from negligent data security by placing alerts on their credit reports. The Plaintiffs “need no direction” to do so. Effingham County Bd. of Com’rs, supra at 750 (declaratory judgment improper where declaration sought addressed things that already had occurred). A declaration would do nothing to clarify Plaintiffs’ rights or their relationship with AOC, and dismissal was proper.7 (d) Claims under the Georgia Uniform Deceptive Trade Practices Act. Next, Plaintiffs argue that the trial court erred in dismissing their claims under the Georgia Uniform Deceptive Trade Practices Act (“the UDTPA”), OCGA § 10-1-370 et seq. We disagree. A person likely to be damaged by a deceptive trade practice of another may be granted an injunction against it under the principles of equity 7 To the extent that the Plaintiffs argue that the “uncertainity” is whether AOC should protect their confidential financial information, such argument is a non-starter. As far as we can tell, that AOC must protect this information is not a contested point, only whether AOC failed to do so and whether the Plaintiffs have suffered any damages therefrom. 
15 and on terms that the court considers reasonable. Proof of monetary damage, loss of profits, or intent to deceive is not required. OCGA § 10-1-373 (a). See generally OCGA § 10-1-372. Without clearly indicating what injunctive relief they seek, the Plaintiffs argue that AOC engaged in, inter alia, unfair and deceptive trade practices by failing to provide reasonable and adequate security for their data, that AOC knew or should have known its data security was inadequate and its omissions regarding its ability to provide such security “was an act likely to mislead” Plaintiffs, that the data breach left AOC’s systems “even more vulnerable to future unauthorized action,” and that Plaintiffs “will suffer damages in the future” including the cost of identity theft protection and credit monitoring. The UDTPA offers only injunctive relief where the plaintiff has established a likelihood of damage. See generally Moore-Davis Motors, Inc. v. Joyner, 252 Ga. App. 617, 619 (3) (556 SE2d 137) (2001). The UDTPA does not address past harm. Cattrett v. Landmark Dodge, Inc., 253 Ga. App. 639, 644 (3) (560 SE2d 101) (2002). To state a claim and to establish standing under the UDTPA, Plaintiffs must allege that they are likely to be damaged in the future by an unfair trade practice. See OCGA § 10-1-373 (a). Friedlander v. HMS-Pep Products, Inc., 226 Ga. App. 123, 124-125 (1) (a) (485 SE2d 240) (1997) (To establish standing under the UDTPA, plaintiff 16 must show a likelihood of future damage). Accord Iler Group, Inc. v. Discrete Wireless, Inc., 90 FSupp3d 1329, 1342 (III) (B) (1) (N. D. Ga. 2015) (discussing statutory standing under the UDTPA). See also Bolinger v. First Multiple Listing Svc., Inc., 838 FSupp2d 1340, 1365 (V) (B) (N. D. Ga. 2012) (discussing statement of claim under UDTPA). 
Plaintiffs do not allege any future, nonspeculative harm which an injunction would remedy.8 It is impossible to say whether the Dark Overlord or anyone else with access to the stolen data actually will use that data. To receive relief, “[a]t the very minimum, [Plaintiffs] must show some causal connection between something [AOC] has done and [their] own nonspeculative damages[.]” (Emphasis supplied.) Friedlander, supra at 125 (1) (a) (plaintiff failed to show likelihood of damage by competitors’ weight loss products where plaintiff had not yet marketed his own weight loss product). The trial court did not err. (e) Unjust enrichment claim. Plaintiffs argue that the trial court erred in dismissing their claim for unjust enrichment. The Plaintiffs’ claim for unjust enrichment is predicated upon AOC’s alleged failure to provide reasonable security 8 Indeed, given that the data has already been exposed to the Dark Overlord, we are unable to determine how the injunction would provide any benefit to the Plaintiffs, or even what it would enjoin. 17 for their data and its “fail[ure] to disclose” to Plaintiffs that “its computer systems and security practices were inadequate to protect their PII against theft.”9 Unjust enrichment is an equitable concept and applies when as a matter of fact there is no legal contract, but when the party sought to be charged has been conferred a benefit by the party contending an unjust enrichment which the benefitted party equitably ought to return or compensate for. A claim for unjust enrichment is not a tort, but an alternative theory of recovery if a contract claim fails. (Citations and punctuation omitted.) Wachovia Ins. Svcs., Inc. v. Fallon, 299 Ga. App. 440, 449 (6) (682 SE2d 657) (2009).10 Here, Plaintiffs “did not plead unjust enrichment as an alternate theory of recovery based on a failed contract. 
Thus, [their] 9 In this claim, Plaintiffs again seek “free” credit monitoring and identity theft protection, and “restitution” of payments they may have made for such services. See Zampatti v. Tradebank Intl. Franchising Corp., 235 Ga. App. 333, 340 (5) (508 SE2d 750) (1998) (“benefit is measured from the standpoint of the [defendant] upon whom such benefits were conferred . . . and not upon the cost [to the plaintiff] to render the service of cost of the goods”). 10 Plaintiffs’ unjust enrichment claim is somewhat different in structure from that outlined by our statute. OCGA § 9-2-7 provides, “Ordinarily, when one renders a service or transfers property which is valuable to another, which the latter accepts, a promise is implied to pay the reasonable value thereof.” Here, Plaintiffs essentially argue that they paid money for medical care, to which personal data security was an incidental, yet included, term of such contract. 18 claim for such relief cannot succeed.” (Citation omitted.) Cash v. LG Electronics, Inc., 342 Ga. App. 735, 742 (2) (804 SE2d 713) (2017). (f) Attorney fees. Plaintiffs argue that the trial court erred in dismissing their claim for attorney fees under OCGA § 13-6-11. However, attorney fees and litigation expenses under OCGA § 13-6-11 are “ancillary and recoverable only where other elements of damage are recoverable on the underlying claim[s].” (Citation and punctuation omitted.) Sparra v. Deutsche Bank Nat. Trust Co., 336 Ga. App. 418, 423 (1) (f) (785 SE2d 78) (2016). Because of our decision in Division (2) (a) - (e), this claim does not survive. Judgment affirmed. Rickman, J., concurs. McFadden, P. J., concurs in Division 1 and dissents in Division 2.* *DIVISION 2 OF THIS OPINION IS PHYSICAL PRECEDENT ONLY. SEE COURT OF APPEALS RULE 33.2. A18A0296. COLLINS et al. v. ATHENS ORTHOPEDIC CLINIC. MCFADDEN, Presiding Judge, concurring in part and dissenting in part. 
Athens Orthopedic Clinic filed a two-part motion to dismiss: it moved to dismiss the entire complaint under OCGA § 9-11-12 (b) (1) due to lack of subjectmatter jurisdiction because of the plaintiffs’ alleged lack of standing, and it moved to dismiss each claim for relief under OCGA § 9-11-12 (b) (6) due to the failure to state a claim. I would reverse the trial court’s order granting the motion to dismiss because the plaintiffs have alleged facts sufficient to establish their standing. I would remand the case for further proceedings. So I dissent to Division 2 of the majority opinion. I concur in Division 1 because I agree with the majority that the 2 plaintiffs failed to demonstrate that the trial court considered matters outside the complaint, given the trial court’s explicit statement otherwise. 1. Standing is jurisdictional and should be addressed at the outset. The majority does not address the issue of standing, instead implicitly pretermitting the issue and affirming the order of dismissal on the ground that the plaintiffs fail to state any claims. But standing “is jurisdictional and must be assessed before reaching the merits.” Byrd v. United States, __ U. S. __, __ (IV) (138 SCt 1518, 200 LE2d 805) (2018). “Jurisdiction of a court to afford the relief sought is a matter which should be decided preliminarily, at the outset. Jurisdiction either exists or does not exist without regard to the merit of the case.” Whitlock v. Barrett, 158 Ga. App. 100, 103 (279 SE2d 244) (1981). See also Ruhrgas Ag v. Marathon Oil Co., 526 U.S. 574, 577 (119 SCt 1563, 143 LE2d 760) (1999) (federal courts may not pretermit the issue of jurisdiction even where the merits question is more readily resolved and the prevailing party on the merits would be the same as the prevailing party were jurisdiction denied). Standing requires, among other things, that the plaintiffs have suffered an “injury in fact.” Lujan v. Defenders of Wildlife, 504 U.S. 
555, 560 (II) (112 SCt 2130, 119 LE2d 351) (1992). And injury in fact is necessary for any cause of 3 action the plaintiffs might claim, so an analysis of the standing issue is logically precedent to an analysis of the plaintiffs’ particular causes of action. Accordingly I would address the issue of standing.1 2. The merits of the standing issue. This case presents an issue of first impression for our court. Neither we, the Georgia Supreme Court, nor the Eleventh Circuit have decided whether a data breach, with little more, amounts to an injury in fact for purposes of standing. See Resnick v. AvMed, 693 F3d 1317, 1323 (III) n. 1 (11th Cir. 2012) (“Some of our sister Circuits have found that even the threat of future identity theft is sufficient to confer standing in similar circumstances. As Plaintiffs have alleged only actual—not speculative—identity theft, we need not address the issue of whether speculative identity theft would be sufficient to confer standing.” ) (citations omitted). But the federal courts have uniformly applied a rule that a substantial risk of future harm is sufficient to show an injury in fact for purposes of standing. 1 The trial court did not specify whether he was granting the motion to dismiss under OCGA § 9-11-12 (b) (1) or (b) (6). Such a specification is important. For one thing, dismissals under OCGA § 9-11-12 (b) (1) are without prejudice, Pinnacle Benning, LLC v. Clark Realty Capital, LLC, 314 Ga. App. 609, 618 (2) (a) (724 SE2d 894) (2012), while dismissals under OCGA § 9-11-12 (b) (6) are on the merits and with prejudice. Jordan, Jones & Goulding v. Balfour Beatty Constr., 246 Ga. App. 93, 93 (1) (539 SE2d 828) (2000). See also OCGA § 9-11-41 (b). 4 And applying that rule here, leads to the conclusion that the plaintiffs have standing. “(I)n the absence of our own authority we frequently have looked to United States Supreme Court precedent concerning Article III [(U. S. Const., Art. 
III, §2)] standing to resolve issues of standing to bring a claim in Georgia’s courts.” Center for a Sustainable Coast v. Turner, 324 Ga. App. 762, 764 (751 SE2d 555) (2013) (citation and punctuation omitted). Under that authority, the United States Supreme Court has held, “[a]n injury sufficient to satisfy Article III must be concrete and particularized and actual or imminent, not conjectural or hypothetical[, but a]n allegation of future injury may suffice if the threatened injury is certainly impending, or there is a substantial risk that the harm will occur.” Susan B. Anthony List v. Driehaus, __ U. S. __, __ (III) (A) (134 SCt 2334, 189 LE2d 246) (2014) (citations and punctuation omitted; emphasis supplied). And the United States Circuit Courts of Appeal have, of course, uniformly applied that rule. See, e.g., Klayman v. President of the United States, 689 F. Appx. 921, 923 (11th Cir. 2017) (“An allegation of future injury may suffice if the threatened injury is substantially certain to occur.”); Reddy v. Foster, 845 F3d 493, 500 (II) (A) (1st Cir. 2017); Kenny v. Wilson, 885 F3d 280, 287 (II) 5 (4th Cir. 2018). See also Parker v. Leeuwenburg, 300 Ga. 789, 796 (2) (797 SE2d 908) (2017) (Peterson, J., dissenting) (“Evidence of future injury may suffice to constitute an injury in fact if the threatened injury is certainly impending, or there is a substantial risk that the harm will occur.”) (citation and punctuation omitted; emphasis added). We should follow the rule uniformly adopted by the federal courts. Applying the rule here leads to the conclusion that the plaintiffs have standing. 
The plaintiffs allege that due to the hackers2 obtaining their personal information, there is an “imminent threat that their personal information will be used to their detriment.” They allege that the FBI had warned that health care systems were at risk of hacking because of “a higher financial payout for medical records in the black market,” implying that such information is at risk of being offered for sale. They allege that their personally identifiable information, including insurance policy identification numbers, home addresses, dates of birth, ages, phone numbers, email addresses, and social security numbers, was offered for sale, and some of the information was posted to a public file-sharing storage 2 I would not indulge these thieves by using the comically grandiose name they have given themselves. They are common criminals, and we should not glamorize them. 6 website that facilitates the sharing of online data. The plaintiffs allege that they and other potential class members “face the imminent and substantial risk of future injury.” One of the named plaintiffs already had fraudulent charges made using her credit card. The plaintiffs’ allegations of future injury show a substantial risk that harm will occur. The allegations thus suffice to establish standing. Compare Ree v. Zappos.com, 888 F3d 1020 (9th Cir. 2018) (customers whose personal identifying information, including names, account numbers, passwords, email addresses, billing and shipping addresses, telephone numbers, and credit and debit card information, was allegedly stolen by hackers, but who did not allege that the information had been used to conduct financial transactions, had Article III standing to bring class action based on a substantial risk that the hackers would commit identity fraud or identity theft); Attias v. Carefirst, 865 F3d 620, 629 (D.C. Cir. 2017), cert. 
denied, (“[n]o long sequence of uncertain contingencies involving multiple independent actors has to occur before the plaintiffs [who were victims of a data breach] will suffer any harm; a substantial risk of harm exists already, simply by virtue of the hack and the nature of the data that the plaintiffs allege was taken”); Galaria v. Nationwide Mut. Ins. Co., 663 F. Appx. 384, 388 (6th Cir. 7 2016) (plaintiffs, whose personal information was stolen when defendant’s network was hacked, adequately alleged Article III standing because they alleged that the theft of their personal data placed them at a continuing, increased risk of fraud and identity theft, that their injuries were fairly traceable to defendant’s conduct, and a favorable verdict would provide redress); Remijas v. Neiman Marcus Group, LLC, 794 F3d 688, 693 (7th Cir. 2015) (“Why else would hackers break into a store’s database and steal consumers’ private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers’ identities.”) with Katz v. Pershing, LLC, 672 F3d 64, 80 (1st Cir. 2012) (plaintiff’s increased risk of unauthorized access and identity theft theory insufficient to constitute “actual or impending injury” because plaintiff failed to “identify any incident in which her data has ever been accessed by an unauthorized person”); and Reilly v. Ceridian Corp., 664 F3d 38, 42 (3d Cir. 2011) (allegations of possible future injury insufficient to satisfy standing requirements). Because I would find that the plaintiffs established standing by alleging an injury in fact, I would reverse the trial court. I would remand the case for the trial 8 court to reconsider Athens Orthopedic Clinic’s 12 (b) (6) motion in light of this finding. 9
