Takeaway: Data breaches are now a fact of life, whether for card-carrying consumers or commercial entities victimized by hacking or otherwise required to deal with the consequences. Class action litigation often ensues, where tort claims such as claims for negligence and negligence per se are commonly asserted. Claims for negligence, however, require the breach of a recognized duty, and whether such a legal duty exists can turn on the statutes and case-law peculiar to a particular state. The Georgia Court of Appeals recently answered this question, ruling in McConnell v. Georgia Department of Labor, 814 S.E.2d 790, No. A16A0655, 2018 WL 2173252 (Ga. Ct. App. May 11, 2018), that a duty to safeguard personal information does not exist under Georgia common law. As the legislative and legal landscape continues to evolve in the data breach context, the question of whether a common law duty to safeguard personal information applies may likewise evolve in each of the 50 states.
In McConnell, Thomas McConnell filed a putative class action against the Georgia Department of Labor, asserting a negligence claim (among other claims) arising from the Department’s improper disclosure of personal information of McConnell and the putative class members. According to McConnell, an employee of the Georgia Department of Labor, while acting within the scope of his official employment, sent an email to approximately 1,000 Georgians who had applied to the Department for services such as unemployment benefits. Attached to the email was a spreadsheet identifying the name, social security number, home phone number, email address, and age of over 4,000 Georgians (including McConnell) who had registered for Department services. Based on this conduct, McConnell alleged a claim for the negligent disclosure of personal information, seeking, as damages, out-of-pocket costs (for credit monitoring and identity protection services), damages arising from the adverse impact to credit scores, and damages for the “fear, upset, anxiety and injury to peace and happiness related to the disclosure of [his] personal identifying information, …” 2018 WL 2173252, at *1.
The trial court dismissed the negligence claim, ruling “there is no legal duty [under Georgia law] to safeguard personal information.” Id. at *5. McConnell appealed this decision to the Georgia Court of Appeals. In a prior appellate decision in the same case (in 2016), the appellate court affirmed the trial court on the merits, explaining that Georgia’s Legislature only imposed “notice” obligations after a data breach has occurred and had not imposed “any standard of conduct in implementing and maintaining data security practices.” McConnell v. Ga. Dep’t of Labor, 787 S.E.2d 794, 799 (Ga. Ct. App. 2016). But the Georgia Supreme Court vacated that decision, ruling that the Court of Appeals first should have addressed the threshold issue of sovereign immunity before turning to the merits. McConnell v. Ga. Dep’t of Labor, 805 S.E.2d 79 (Ga. 2017).
On remand, the Court of Appeals again addressed the merits, after ruling that McConnell’s tort claims fell within Georgia’s waiver of sovereign immunity in the Georgia Tort Claims Act. 814 S.E.2d 790, 2018 WL 2173252, at *2-*4. On the merits issue, the Court of Appeals reiterated that duty is an essential element of any action for negligence, and that whether such a duty exists is a question of law. “The duty can arise either from a valid legislative enactment, that is, by statute, or be imposed by a common law principle recognized in the caselaw.” Id. (quoting Rasnick v. Krishna Hospitality, Inc., 713 S.E.2d 835, 837 (Ga. 2011)). McConnell argued that Georgia law recognized a common law duty “to safeguard and protect the personal information of another,” citing Georgia’s data breach notification statute and its Fair Business Practices Act. Id. at *6. But, according to the Georgia appellate court, neither statute gave rise to a common law duty.
Georgia’s data breach notification statute, the Georgia Personal Identity Protection Act (OCGA §§ 10–1–910 through 10–1–915 (the “GPIPA”)), did not give rise to a common law duty. The court ruled that, “despite the General Assembly’s aspirational...