Collins et al. v. Athens Orthopedic Clinic, P.A.

Annotate this Case
Justia Opinion Summary

Plaintiffs alleged in 2016, an anonymous hacker stole the personally identifiable information, including Social Security numbers, addresses, birth dates, and health insurance details, of at least 200,000 current and former patients of Athens Orthopedic Clinic (“the Clinic”) from the Clinic’s computer databases. The hacker demanded a ransom, but the Clinic refused to pay. The hacker offered at least some of the stolen personal data for sale on the so-called “dark web,” and some of the information was made available, at least temporarily, on Pastebin, a data-storage website. The Clinic notified plaintiffs of the breach in August 2016. Each named plaintiff alleges that she has “spent time calling a credit reporting agency and placing a fraud or credit alert on her credit report to try to contain the impact of the data breach and anticipates having to spend more time and money in the future on similar activities.” Plaintiffs sought class certification and asserted claims for negligence, breach of implied contract, and unjust enrichment, seeking damages based on costs related to credit monitoring and identity theft protection, as well as attorneys’ fees. They also sought injunctive relief under the Georgia Uniform Deceptive Trade Practices Act (“UDTPA”), and a declaratory judgment to the effect that the Clinic must take certain actions to ensure the security of class members’ personal data in the future. The Clinic filed a motion to dismiss based on both OCGA 9-11-12 (b) (1) and OCGA 9-11-12 (b)(6), which the trial court granted summarily. The Georgia Supreme Court concluded the injury plaintiffs alleged they suffered was legally cognizable. Because the Court of Appeals held otherwise in affirming dismissal of plaintiffs’ negligence claims, the Supreme Court reversed that holding. Because that error may have affected the Court of Appeals’s other holdings, the Court vacated those other holdings and remanded the case.

Download PDF
In the Supreme Court of Georgia Decided: December 23, 2019 S19G0007. COLLINS et al. v. ATHENS ORTHOPEDIC CLINIC, P.A. PETERSON, Justice. When a criminal steals consumers’ sensitive personal data, what do those consumers have to plead against the allegedly negligent business from whom the data was stolen to show a legally cognizable injury under Georgia tort law? The Court of Appeals has held in cases involving the exposure of personal information that the failure to show that the information had actually fallen into criminal hands, let alone that the information was used to the consumers’ detriment, meant that plaintiffs had failed to show a legally cognizable injury. But this case, which was dismissed on the pleadings despite allegations of large-scale criminal activity, falls into a different category of data-exposure cases. The plaintiffs here, current or former patients of the defendant medical clinic, brought a putative class action after the clinic informed them that a hacker had stolen their personal data from the clinic. We conclude that the injury the plaintiffs allege that they have suffered is legally cognizable. Because the Court of Appeals held otherwise in affirming dismissal of the plaintiffs’ negligence claims, we reverse that holding. Because that error may have affected the Court of Appeals’s other holdings, we vacate those other holdings and remand the case. 1. Background The complaint, verified by each of the named plaintiffs, alleges that in June 2016 an anonymous hacker stole the personally identifiable information, including Social Security numbers, addresses, birth dates, and health insurance details, of at least 200,000 current and former patients of Athens Orthopedic Clinic (“the Clinic”) from the Clinic’s computer databases. Those current and former patients included named plaintiffs Christine Collins, Paulette Moreland, and Kathryn Strickland. According to the 2 allegations contained in the complaint, the hacker demanded a ransom, but the Clinic refused to pay. The hacker offered at least some of the stolen personal data for sale on the so-called “dark web,” and some of the information was made available, at least temporarily, on Pastebin, a data-storage website. The Clinic notified the plaintiffs of the breach in August 2016. The plaintiffs allege that because their personal data has been “compromised and made available to others on the dark web, criminals are now able to assume Class Members’ identit[ies] and fraudulently obtain credit cards, issue fraudulent checks, file tax refund returns, liquidate bank accounts, and open new accounts, all in Class Members’ names.” Each named plaintiff alleges that she has “spent time calling a credit reporting agency and placing a fraud or credit alert on her credit report to try to contain the impact of the data breach and anticipates having to spend more time and money in the future on similar activities.” Collins also alleges that fraudulent charges to her credit card were made “[s]hortly” after the data breach and that she spent time getting the charges reversed by 3 the card issuer. And the complaint alleges that “[e]ven Class Members who have not yet experienced identity theft or are not yet aware of it nevertheless face the imminent and substantial risk of future injury.” In their suit against the Clinic, the plaintiffs sought class certification and asserted claims for negligence, breach of implied contract, and unjust enrichment. They sought damages based on costs related to credit monitoring and identity theft protection, as well as attorneys’ fees. They also sought injunctive relief under the Georgia Uniform Deceptive Trade Practices Act, OCGA § 10-1-370 et seq. (“UDTPA”), and a declaratory judgment to the effect that the Clinic must take certain actions to ensure the security of class members’ personal data in the future. The Clinic filed a motion to dismiss based on both OCGA § 9-11-12 (b) (1) and OCGA § 9-11-12 (b) (6), which the trial court granted summarily. A divided panel of the Court of Appeals affirmed. See Collins v. Athens Orthopedic Clinic, 347 Ga. App. 13 (815 SE2d 639) (2018). The Court of Appeals concluded that the plaintiffs’ negligence claim 4 was properly dismissed because the plaintiffs “seek only to recover for an increased risk of harm.” Id. at 18 (2) (a). The majority concluded that although the credit monitoring and other precautionary measures alleged by the plaintiffs were “undoubtedly prudent,” they were “designed to ward off exposure to future, speculative harm” and thus “insufficient to state a cognizable claim under Georgia law.” Id.1 Then-Presiding Judge McFadden dissented from that holding, concluding that the plaintiffs had standing to bring their claims given that their allegations of future injury show a substantial risk that harm will occur. Id. at 22-25 (1)-(2) (McFadden, P.J., concurring The Court of Appeals majority explicitly held that the plaintiffs’ claim for breach of implied contract failed for the same reason that their negligence claim failed — they had not sufficiently alleged a cognizable injury. See Collins, 347 Ga. App. at 18-19 (2) (b). The majority’s incorrect resolution of the question of whether the plaintiffs had sufficiently pleaded a cognizable injury for negligence purposes may have affected its consideration of other claims, as well. The majority held that the declaratory judgment claim failed because the pleadings do not show any uncertainty that a court declaration would resolve; that the UDTPA claim was properly dismissed because the plaintiffs did not allege any future, nonspeculative harm that an injunction would remedy; and that the unjust enrichment claim failed because it was not pleaded as an alternate theory of recovery based on a failed contract. Collins, 347 Ga. App. at 19-22 (2) (c) - (e). These holdings should be revisited on remand. 1 5 in part and dissenting in part). We granted the plaintiffs’ petition for certiorari to consider whether the Court of Appeals erred in holding that the plaintiffs failed to allege a legally cognizable injury. We conclude that the plaintiffs did allege a cognizable injury. 2. The Georgia case law relied on by the Court of Appeals is inapplicable for two reasons. “It is well established that to recover for injuries caused by another’s negligence, a plaintiff must show four elements: a duty, a breach of that duty, causation[,] and damages.” Goldstein, Garber & Salama, LLC v. J.B., 300 Ga. 840, 841 (1) (797 SE2d 87) (2017) (citation and punctuation omitted). In other words, “before an action for a tort will lie, the plaintiff must show he sustained injury or damage as a result of the negligent act or omission to act in some duty owed to him.” Whitehead v. Cuffie, 185 Ga. App. 351, 353 (2) (364 SE2d 87) (1987); see also OCGA § 51-1-6 (“When the law requires a person to perform an act for the benefit of another or to refrain from doing an act which may injure another, although no cause of action is given in express terms, the injured party may recover for the breach of such legal duty if he suffers damage 6 thereby.” (emphasis added)); OCGA § 51-1-8 (“The violation of a private duty, accompanied by damage, shall give a right of action.” (emphasis added)); OCGA § 51-12-4 (“Damages are given as compensation for injury; generally, such compensation is the measure of damages where an injury is of a character capable of being estimated in money.”). [A] wrongdoer is not responsible for a consequence which is merely possible, according to occasional experience, but only for a consequence which is probable, according to ordinary and usual experience. . . . A fear of future damages is too speculative to form the basis for recovery. Finnerty v. State Bank & Trust Co., 301 Ga. App. 569, 572 (4) (687 SE2d 842) (2009) (citation and punctuation omitted), disapproved of on other grounds by Cumberland Contractors, Inc. v. State Bank & Trust Co., 327 Ga. App. 121, 125 (2) n.4 (755 SE2d 511) (2014); see also OCGA § 51-12-8 (“If the damage incurred by the plaintiff is only the imaginary or possible result of a tortious act or if other and contingent circumstances preponderate in causing the injury, such damage is too remote to be the basis of recovery against the wrongdoer.”). 7 Concluding that the plaintiffs had not sufficiently pleaded injury here, the Court of Appeals relied on two of its opinions addressing the exposure of sensitive personal information, Finnerty and Rite Aid of Georgia v. Peacock, 315 Ga. App. 573 (726 SE2d 577) (2012). In Finnerty, the matter came before the Court of Appeals on the grant of summary judgment against a civil case defendant who complained that the plaintiff bank had included his social security number in an exhibit to the civil complaint. 301 Ga. App. at 569. As one of several alternative bases for affirming the summary judgment order, the Court of Appeals concluded that the defendant’s state law counterclaims alleging that the bank’s action caused him injuries were “wholly speculative.” Id. at 572 (4). The court noted that the defendant had “failed to demonstrate that the Bank’s purported unlawful disclosure made it ‘probable’ that he would suffer any identity theft or that any specific persons actually have accessed his confidential personal information as a result of the purported unlawful disclosure.” Id. And in Rite Aid, the Court of Appeals reversed a grant of class certification in a case arising from the 8 defendant pharmacy’s sale of its customers’ medication information to another pharmacy, concluding the trial court erred in finding that the named plaintiff and the proposed class of customers shared common questions of law and fact and that the named plaintiff was a sufficiently typical class representative. In particular, the Court of Appeals noted that the named plaintiff could only speculate that a criminal might associate with an employee of the new pharmacy who had access to his prescription information. 315 Ga. App. at 576-577 (1) (a) (i). The Court of Appeals in this case also relied on its prior opinion in Boyd v. Orkin Exterminating Co., 191 Ga. App. 38 (381 SE2d 295) (1989), overruled on other grounds by Hanna v. McWilliams, 213 Ga. App. 648, 651 (2) (b) (446 SE2d 741) (1994), in which the Court of Appeals affirmed a grant of partial summary judgment to the defendant pest control company on the plaintiffs’ suit alleging that the negligent application of pesticide in their home subjected their children to an increased risk of cancer. In particular, the Boyd court rejected the notion that the plaintiffs could recover for an alleged 9 increased risk of cancer as a result of the pest treatments, because, although the plaintiffs produced testimony that their children would require monitoring in the future to determine whether they developed health problems due to their exposure, they had fallen “far short” of establishing to a “reasonable medical certainty” that such consequences would occur. 191 Ga. App. at 40-41 (2) (citation and punctuation omitted). Although the plaintiffs in Boyd pointed to the presence of elevated levels of a certain metabolite in the children’s bloodstream, the record in that case provided no “indication that the presence of these metabolites had caused or would eventually cause actual disease, pain, or impairment of some kind[.]” Id. at 40 (1). The Court of Appeals here relied on Finnerty and Rite Aid to conclude that “the fact of compromised data is not a compensable injury by itself in the absence of some loss or damage flowing to the plaintiff’s legally protected interest as a result of the alleged breach of a legal duty[,]” and therefore the plaintiffs here do not allege a legally cognizable injury. Collins, 347 Ga. App. at 15-16 (2) (citation 10 and punctuation omitted). And the court said that Boyd was a “fitting analogue” to this case, given that in both this case and Boyd, “the defendant’s alleged negligence exposed the Plaintiffs to a risk of harm which may or may not occur.” Id. at 16 (2). 2 But there are two fundamental differences between those cases and this one. (a) The key Georgia decisions relied on by the Court of Appeals were not issued in the context of a motion to dismiss. First, neither Finnerty, nor Rite Aid, nor Boyd was decided in the context of a motion to dismiss. Finnerty and Boyd were summary judgment cases, and Rite Aid involved a question of class certification. To avoid dismissal on summary judgment, a plaintiff must present evidence that raises a genuine issue of material fact. See Nguyen v. Southwestern Emergency Physicians, P.C., 298 Ga. The Court of Appeals also cited two other cases we need not address at length. First, it cited an unpublished Eleventh Circuit opinion surmising that Boyd “suggests that Georgia would not recognize” a claim for “recovery of medical monitoring costs in the absence of a current physical injury.” Parker v. Brush Wellman, Inc., 230 Fed. Appx. 878, 883 (11th Cir. 2007). That type of claim is not before us, and we express no opinion on the viability of such a claim. And second, it cited its own decision in Crawford Long v. Hardeman, 84 Ga. App. 306 (1951). But that summary opinion cited no authority for its conclusory analysis, and had never been cited until the decision below. We decline to extend that decision beyond its facts. 2 11 75, 82 (3) (775 SE2d 334) (2015). And to prevail on a request for class certification, a plaintiff must show with evidence that the requirements for certification are satisfied. See Georgia-Pacific Consumer Products v. Ratner, 295 Ga. 524, 526 (1) (762 SE2d 419) (2014). Therefore, it was not enough for the claimants in Finnerty and Rite Aid merely to allege that identity theft was a possible, or even likely, result of the opposing party’s actions. And it was not enough for the plaintiffs in Boyd merely to allege that it was possible, or even likely, that their children would develop cancer as a result of the pesticide application. Given the stages in which those cases presented themselves to the Court of Appeals, evidence beyond mere allegations was required in order for the claimants to prevail. Not so here. This case comes before us as an appeal from the grant of a motion to dismiss for failure to state a claim under OCGA § 9-11-12 (b) (6). Such a motion is properly granted when the plaintiff “would not be entitled to relief under any state of provable facts asserted in support” of the allegations in the complaint and “could not possibly introduce evidence within the framework of the 12 complaint sufficient to warrant a grant of the relief sought.” Austin v. Clark, 294 Ga. 773, 774-775 (755 SE2d 796) (2014) (citation omitted). In deciding such a motion, any doubts regarding the complaint must be construed in favor of the plaintiff. Id. at 775. 3 Here, the plaintiffs allege that criminals are now able to assume their identities fraudulently and that the risk of such identity theft is “imminent and substantial.” This amounts to a factual allegation about the likelihood that any given class member will have her identity stolen as a result of the data breach. As this We note, as did then-Presiding Judge McFadden, that the Clinic’s motion also sought dismissal for lack of subject matter jurisdiction under OCGA § 9-11-12 (b) (1), on the basis that the plaintiffs lacked standing to bring any claim against it, and the trial court’s order did not specify under which basis it granted the Clinic’s motion. See Collins, 347 Ga. App. at 23 (1) n.1 (McFadden, P.J., concurring in part and dissenting in part). A motion to dismiss for lack of subject matter jurisdiction may entail a “factual challenge” that requires consideration of evidence beyond the face of the complaint. See Douglas County v. Hamilton State Bank, 340 Ga. App. 801, 801 (798 SE2d 509) (2017). Although the Clinic’s motion included a link to a news article about the data breach, no evidence was introduced at the trial court’s hearing on the motion. Of course, a court cannot skip past a jurisdictional issue to resolve simpler merits questions, but has the duty to “raise the question of jurisdiction on its own motion whenever there may be any doubt as to its existence.” Scroggins v. Edmondson, 250 Ga. 430, 430 (1) (297 SE2d 469) (1982). But we conclude that the allegations that we determine are enough here to plead a legally cognizable injury are also sufficient in this procedural posture to satisfy the injury-in-fact element of standing. 3 13 case comes before us on a motion to dismiss, we must accept this factual allegation as true. (b) The Court of Appeals’s prior cases involved a sort of exposure of data fundamentally different than the actual data theft in this case. In addition to the differences in procedural posture, the facts of Finnerty and Rite Aid put them in a category different from that of this case. In neither Finnerty nor Rite Aid was there any reason to believe that the data in question had in fact fallen into a criminal’s hands; here, plaintiffs allege that their data was stolen by a criminal whose alleged purpose was to sell the data to other criminals. To conclude that the claimants in Finnerty and Rite Aid would likely suffer identity theft as a result of the opposing parties’ actions would have required a long series of speculative inferences, including that someone with malicious intent would obtain the data in the first place, that this person would attempt to use the data to steal the claimant’s identity or make the data available to someone who would attempt to do so, and that the would-be identity thief would succeed in fraudulent usage of the claimant’s identity. See also 14 McLoughlin v. People’s United Bank, Inc., 2009 WL 2843269, at *7*8 (Case No. 3:08-cv-00944 (VLB), D. Conn., decided Aug. 31, 2009) (where box containing backup tapes of electronic banking data was lost or stolen from truck with broken lock — with no indication that box was stolen for the data it contained — no injury under Connecticut tort law, as tapes “could have been inadvertently discarded or destroyed,” or “collecting dust in some forgotten warehouse,” and it “is only through speculation that one concludes that they are in possession of an individual who is driven to maliciously mine the tapes for the personal data that they contain”). Those cases are far different from this one. Here, the plaintiffs alleged that (1) a thief stole a large amount of personal data by hacking into a business’s computer databases and demanded a ransom for the data’s return, (2) the thief offered at least some of the data for sale, and (3) all class members now face the “imminent and substantial risk” of identity theft given criminals’ ability to use the stolen data to assume the class members’ identities and fraudulently obtain credit cards, issue fraudulent checks, file 15 tax refund returns, liquidate bank accounts, and open new accounts in their names. Assuming the truth of these allegations, as we must at this stage, we must presume that a criminal actor has maliciously accessed the plaintiffs’ data and has at least attempted to sell at least some of the data to other wrongdoers. Moreover, an important part of the value of that data to anyone who would buy it in that fashion is its utility in committing identity theft. See Remijas v. Neiman Marcus Group, LLC, 794 F3d 688, 693 (7th Cir. 2015) (“[I]t is plausible to infer that the plaintiffs have shown a substantial risk of harm from the . . . data breach. Why else would hackers break into a store’s database and steal consumers’ private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers’ identities.”).4 Thus, we are much further along in the chain of inferences that one must Some of the federal authorities we cite in this opinion address whether there is injury in fact for purposes of standing under Article III of the United States Constitution. That analysis may well be different than whether a legally cognizable injury has been pled as a matter of Georgia tort law, but the question here is similar enough that these federal cases are still useful. 4 16 draw in order to conclude that the plaintiffs here likely will suffer identity theft.5 As explained above, showing injury as a result of the exposure of data is easier in a case like this, where the data exposure occurs as a result of an act by a criminal whose likely motivation is to sell the data to others. But that easier showing of injury may well be offset by a more difficult showing of breach of duty.6 Cf. Ga. Dept. of Labor v. McConnell, 305 Ga. 812, 815-816 (3) (a) (828 SE2d 352) (2019) (plaintiff failed to show that state agency owed him duty — As the case proceeds beyond the motion to dismiss stage, the plaintiffs will need to support their claim of injury with evidence about the extent to which they face an imminent and substantial risk of identity theft. Moreover, that risk may become either easier or more difficult to prove as time goes on and the plaintiffs do or do not experience actual identity theft. 6 Proving that the plaintiff’s injuries were proximately caused by the breach may also be more difficult. See Goldstein, Garber & Salama, 300 Ga. at 842-843 (1) (trial court should have granted dental practice’s motion for directed verdict, as practice could not have foreseen that independent contractor nurse anesthetist would molest plaintiff patient, and thus proximate causation could not be shown); see also Resnick v. AvMed, Inc., 693 F3d 1317, 1330-1332 (11th Cir. 2012) (William Pryor, J., dissenting) (arguing that Florida law claims filed in federal court should have been dismissed under applicable federal pleading standard, as plaintiffs failed to plead facts rendering plausible their allegation that identity thieves obtained sensitive information as a result of theft of defendant’s computers, as opposed to from a third party). 5 17 under either OCGA § 10-1-393.8, OCGA § 10-1-910, or purported common law duty “to all the world not to subject others to an unreasonable risk of harm” — to protect their personal information from inadvertent, negligent disclosure (citation and punctuation omitted)). This case is at the motion to dismiss stage, and the Court of Appeals’s decision did not turn on this issue, so we leave it for another day. 7 3. The plaintiffs’ negligence claim should not have been dismissed for failure to allege a cognizable injury. Construing the plaintiffs’ allegations — particularly that criminals are able to assume their identities fraudulently as a result of the data breach and that the risk of such identity theft is “imminent and substantial” — in the light most favorable to the plaintiffs, we cannot say that the plaintiffs will not be able to introduce sufficient evidence of injury within the framework of the We recognize that this case involves a fairly new kind of injury. As a court, we discharge our duty to apply traditional tort law to that injury. But that traditional tort law is a rather blunt instrument for resolving all of the complex tradeoffs at issue in a case such as this, tradeoffs that may well be better resolved by the legislative process. 7 18 complaint. The plaintiffs allege that their personal data has been stolen on a mass scale by a criminal, who in turn has offered it for sale to other criminals. They also allege that, as a result, criminals are able to assume their identities and fraudulently obtain credit cards, issue fraudulent checks, file tax refund returns, liquidate bank accounts, and open new accounts in their names. These allegations raise more than a mere specter of harm. See Attias v. Carefirst, Inc., 865 F3d 620, 629 (D.C. Cir. 2017) (“No long sequence of uncertain contingencies involving multiple independent actors has to occur before the plaintiffs in this case will suffer any harm; a substantial risk of harm exists already, simply by virtue of the hack and the nature of the data that the plaintiffs allege was taken.”). These allegations are sufficient to survive a motion to dismiss the plaintiffs’ negligence claims. Our conclusion that dismissal of the negligence claims for lack of injury is not warranted at this stage does not depend on the plaintiffs’ allegations that the breach has caused them to spend money attempting to mitigate the consequences of the breach by 19 avoiding actual identity theft. Although this may represent all or some measure of the plaintiffs’ damages to date, their allegation that the criminal theft of their personal data has left them at an imminent and substantial risk of identity theft is sufficient at this stage of the litigation. 8 4. Our conclusion is consistent with recent federal decisions applying Georgia law. Recent persuasive federal district court decisions applying Georgia law in similar cases are consistent with our conclusion that the plaintiffs have pleaded a legally cognizable injury here. In litigation arising from hackers’ theft of the credit cardholder information of Arby’s customers, a district court rejected the defendant’s argument that the consumer plaintiffs’ negligence Our conclusion also does not depend on the allegation that one named plaintiff already has experienced identity theft. The Court of Appeals implicitly rejected a negligence claim based on this allegation, citing a failure to allege that the fraudulent charges were related to or caused by the data breach. Collins, 347 Ga. App. at 18 (2) (a) n.5. And although the plaintiffs sought review of this aspect of the Court of Appeals decision, we did not grant certiorari on issues of causation, and we express no opinion on those issues. We note, however, that the Clinic’s counsel acknowledged at oral argument before this Court that “a general allegation of causation is usually sufficient to carry the plaintiff’s burden” at the motion to dismiss stage. 8 20 claims should be dismissed because they had not suffered “any outof-pocket loss.” See In re Arby’s Restaurant Group Inc. Litigation, 2018 WL 2128441, at *11 (Civil Action No. 1:17-cv-0514-AT, N.D. Ga., decided March 5, 2018). Although the plaintiffs had alleged unauthorized charges on their credit card accounts — i.e., actual identity theft — the court also pointed to alleged costs associated with detection and prevention of identity theft in concluding that the allegations of injury were sufficient. Id. (“While Arby’s is correct that a plaintiff may not recover for injuries that are purely speculative, such as the potential risk of future identity theft, Plaintiffs’ Complaint alleges costs associated with actual data theft.” (emphasis added)). 9 In another federal case over theft of consumers’ personal data The district court noted that the plaintiffs’ alleged monetary losses meant that it did not need to consider whether the plaintiffs’ other alleged injuries — for loss of use of funds and accounts, loss of productivity, time and effort in remediating the breach, and inability to receive card rewards — were cognizable under Georgia law. In re Arby’s, 2018 WL 2128441, at *11 n.12. But, noting a lack of authority cited by the parties on that question, the court added its view that “a consumer’s time and effort to remediate the effects of a breach is not an abstract notion of actual damage and one that is susceptible to proof and valuation by a jury.” Id. We express no opinion on that issue. 9 21 by hackers, a district court also rejected the defendants’ argument that the plaintiffs’ Georgia tort claims failed because they had not pleaded a legally cognizable injury. See In re Equifax, Inc., Customer Security Breach Litigation, 362 FSupp3d 1295, 1314-1317 (N.D. Ga. 2019). Again, although the plaintiffs’ allegations in that case included allegations that some members of the class had suffered actual identity theft, the district court also pointed to the allegations about a risk of identity theft, as well as measures to mitigate that risk, in concluding that the allegation of injury was sufficient: Plaintiffs here have alleged that they have been harmed by having to take measures to combat the risk of identity theft, by identity theft that has already occurred to some members of the class, by expending time and effort to monitor their credit and identity, and that they all face a serious and imminent risk of fraud and identity theft due to the Data Breach. These allegations of actual injury are sufficient to support a claim for relief. Id. at *1315. 10 The district court in Equifax attempted to distinguish the Court of Appeals’s decision here on the basis that here “the plaintiffs alleged only an ‘increased risk of harm’ associated with taking precautionary measures,” whereas the Equifax plaintiffs “alleged a substantial and imminent risk of impending identity fraud due to the vast amount of information that was obtained in the Data Breach.” 362 FSupp3d at 1317 (quoting Collins, 347 Ga. 10 22 Although ultimately this Court is the final arbiter of the meaning of Georgia law, the district courts’ conclusions in these cases are somewhat more persuasive because, although those cases also came before district courts on motions to dismiss, they were subject to the more stringent pleading standards governing federal cases. Compare Ashcroft v. Iqbal, 556 U. S. 662, 679 (129 SCt 1937, 173 LE2d 868) (2009) (under federal law, legal conclusions recited in complaint “must be supported by factual allegations” that “plausibly give rise to an entitlement to relief”), with Dillingham v. Doctors Clinic, P.A., 236 Ga. 302, 303 (223 SE2d 625) (1976) (under Georgia law, complaint need only “give the defendant fair notice of what the claim is and a general indication of the type of litigation App. at 18). The district court noted that the Equifax plaintiffs also had “alleged that they have already incurred significant costs in response to the Data Breach” and many had “also already suffered forms of identity theft.” Id. This attempt to distinguish the Court of Appeals’s decision here is perplexing and ultimately unconvincing, however. Although the Court of Appeals used the phrase “increased risk of harm” to describe the plaintiffs’ allegations, Collins, 347 Ga. App. at 18 (2) (a), the plaintiffs here, like the Equifax plaintiffs, in fact have pleaded an “imminent and substantial risk” of identity theft. And the district court in Equifax specifically relied on the sort of allegations of credit monitoring made here in concluding that the plaintiffs had adequately pleaded both that they had suffered an injury, 362 FSupp3d at 1315, and that the injury was proximately caused by the data breach, id. at 1318-1319. 23 involved; the discovery process bears the burden of filling in details”). Because the Court of Appeals erred in concluding that the trial court properly dismissed the plaintiffs’ negligence claims due to failure to plead a legally cognizable injury, we reverse that holding. Because that error may have affected the Court of Appeals’s other holdings, we vacate those other holdings and remand the case. Judgment reversed in part, vacated in part, and case remanded. All the Justices concur. 24