What harm does a person whose personal information was stolen have to show to proceed with a claim?

Collins et al. v. Athens Orthopedic Clinic, P.A. (S19G0007)

Data breaches seem to occur on an almost daily basis, with hundreds, thousands, or millions of individuals’ personal information becoming available for identity theft. In December 2019, the Georgia Supreme Court gave some definition to the landscape of data breach claims for potential plaintiffs in Georgia, clarifying how much harm caused by a data breach is enough harm to bring a tort claim.

What does a plaintiff have to show to prove damages in a data breach case?

Although this case turns on a procedural point, in making its decision the Court provided insight into what a plaintiff has to do to show that he or she has suffered harm as a result of a data breach. Showing harm (or injury, or damages) is a necessary condition for success on a tort claim. The reason that both the trial court and the Court of Appeals in Georgia dismissed the plaintiffs’ claims in the present case is that those courts felt that the plaintiffs hadn’t shown they’d suffered a “cognizable injury.” The Supreme Court felt differently.

This case begins with the breach of data from a Clinic in Athens in 2016: an anonymous hacker stole the plaintiffs’ and at least 200,000 other patients’ personal information, including credit card information, Social Security numbers, dates of birth, and addresses. The hackers then tried to blackmail the defendant Clinic, but the Clinic refused to pay. The hackers put at least some of the stolen information on the web, accessible to the public. The Clinic let its patients, including the plaintiffs, know about the hack in August 2016.

The lower courts dismissed the plaintiffs’ claim because they judged that the plaintiffs had failed to show that they had suffered clear harm as a result of the data breach. None of the plaintiffs showed that their personal information had been used in ways that injured them: no credit card accounts were opened, no fraudulent checks written, no fake tax refunds submitted. And while the plaintiffs had spent time and money contacting credit agencies to notify them of the breach, the lower courts thought that these harms were too speculative to constitute the basis for a negligence claim against the clinic. Hence, the dismissals.

The Supreme Court, in contrast, did rule that the plaintiffs had brought a cognizable claim.

To bring a case, plaintiffs only had to show that it was possible that criminals are “now able to assume their identities fraudulently and that the risk of such identity theft is ‘imminent and substantial.’ ”

The Court noted that two cases that the Court of Appeals had relied on were inapplicable to the present case, for two reasons. Finnerty v. State Bank & Trust (301 Ga. App. 569) appealed a grant of summary judgment for the plaintiff bank. The defendant in that case had claimed that the bank had included his social security number in an exhibit to the complaint. Thus, the defendant there complained that a breach of the plaintiff’s data had caused harm. The Finnerty Court ruled that this injury was too speculative — it wasn’t “cognizable,” and thus granted summary judgment for the bank. A merely possible, or even probable, harm from the release of personal data was not considered sufficient.

In Rite Aid Georgia v. Peacock (315 Ga. App. 573) the defendant pharmacy sold its customers’ medication information to another pharmacy. Here, the Court of Appeals again pointed out that the plaintiff could only speculate that the medication information would be used to cause harm to the plaintiff, and this was again insufficient to support a claim against the defendant.

The Supreme Court pointed out two differences between these cases and the present case. First, the procedural aspect: the present case was a dismissal for lack of cause (that the plaintiff didn’t have a claim), while the two earlier cases were summary judgments. Since the standard that courts use to make each of these differs, the Supreme Court ruled that the lower court had erred in relying on these cases. The Court notes that “to avoid dismissal on summary judgment, a plaintiff must present evidence that raises a genuine issue of material fact.” The present case, however, comes from a grant of a motion to dismiss for failure to state a claim. A dismissal means that the plaintiff “would not be entitled to relief under any state of provable facts asserted in support” of the plaintiff’s allegations. These are two very different standards: the first requires actually providing the court with evidence, while the second merely requires the factual possibility that what is alleged could happen.

Thus, to avoid dismissal, the plaintiffs in the present case only had to show that it was possible that criminals are “now able to assume their identities fraudulently and that the risk of such identity theft is ‘imminent and substantial.’ ” The Supreme Court ruled that the plaintiffs had done just that, by showing that hackers had stolen their information with the intent of criminal activity (the blackmailing) and had shared the information publicly, which also showed criminal intent toward the plaintiffs.

The intent behind the loss of data can determine that harm from the loss is not overly speculative.

The second error the Court of Appeals made in relying on its two cases was that the theft of data there differed from the theft here. In the two cases noted by the Court of Appeals, nothing about the loss of data indicated with certainty that the loss was motivated by criminal intent, as it was in the present case. Thus, in Finnerty and Rite Aid one must imagine a speculative chain of events following from the plaintiffs’ loss of personal information in order to claim that they’d be harmed as a result. In the case decided by the Supreme Court in December, in contrast, the data theft was clearly designed to fulfill a criminal end, since the hackers immediately tried to blackmail the Clinic and, that failing, proceeded to post the information on a “dark web” site.

These matters to the side, the most interesting aspect of this decision from the point of view of plaintiffs is that the Court’s ruling makes clear that a person whose identity is stolen need not show that this theft has resulted in tangible harm in order for the person to bring a claim of negligence or breach of duty.

One final point of interest in this case is that the Court acknowledges that its line of reasoning aligns with current federal case law on the subject. In a new area of the law like this one, this kind of cross-jurisdictional support is more persuasive than otherwise.