COLLINS v. ATHENS ORTHOPEDIC CLINIC, P.A
Citation307 Ga. 555
Date Filed2019-12-23
DocketS19G0007
Cited31 times
StatusPublished
Full Opinion (html_with_citations)
307 Ga. 555
FINAL COPY
S19G0007. COLLINS et al. v. ATHENS ORTHOPEDIC CLINIC,
P.A.
PETERSON, Justice.
When a criminal steals consumersâ sensitive personal data,
what do those consumers have to plead against the allegedly
negligent business from whom the data was stolen to show a legally
cognizable injury under Georgia tort law? The Court of Appeals has
held in cases involving the exposure of personal information that the
failure to show that the information had actually fallen into criminal
hands, let alone that the information was used to the consumersâ
detriment, meant that plaintiffs had failed to show a legally
cognizable injury. But this case, which was dismissed on the
pleadings despite allegations of large-scale criminal activity, falls
into a different category of data-exposure cases. The plaintiffs here,
current or former patients of the defendant medical clinic, brought
a putative class action after the clinic informed them that a hacker
had stolen their personal data from the clinic. We conclude that the
injury the plaintiffs allege that they have suffered is legally
cognizable. Because the Court of Appeals held otherwise in
affirming dismissal of the plaintiffsâ negligence claims, we reverse
that holding. Because that error may have affected the Court of
Appealsâs other holdings, we vacate those other holdings and
remand the case.
1. Background.
The complaint, verified by each of the named plaintiffs, alleges
that in June 2016 an anonymous hacker stole the personally
identifiable information, including social security numbers,
addresses, birth dates, and health insurance details, of at least
200,000 current or former patients of Athens Orthopedic Clinic (âthe
Clinicâ) from the Clinicâs computer databases. Those current or
former patients included named plaintiffs Christine Collins,
Paulette Moreland, and Kathryn Strickland. According to the
allegations contained in the complaint, the hacker demanded a
ransom, but the Clinic refused to pay. The hacker offered at least
2
some of the stolen personal data for sale on the so-called âdark web,â
and some of the information was made available, at least
temporarily, on Pastebin, a data-storage website. The Clinic notified
the plaintiffs of the breach in August 2016.
The plaintiffs allege that because their personal data has been
âcompromised and made available to others on the dark web,
criminals are now able to assume Class Membersâ identit[ies] and
fraudulently obtain credit cards, issue fraudulent checks, file tax
refund returns, liquidate bank accounts, and open new accounts, all
in Class Membersâ names.â Each named plaintiff alleges that she
has âspent time calling a credit reporting agency and placing a fraud
or credit alert on her credit report to try to contain the impact of the
data breach and anticipates having to spend more time and money
in the future on similar activities.â Collins also alleges that
fraudulent charges to her credit card were made â[s]hortlyâ after the
data breach and that she spent time getting the charges reversed by
the card issuer. And the complaint alleges that â[e]ven Class
Members who have not yet experienced identity theft or are not yet
3
aware of it nevertheless face the imminent and substantial risk of
future injury.â
In their suit against the Clinic, the plaintiffs sought class
certification and asserted claims for negligence, breach of implied
contract, and unjust enrichment. They sought damages based on
costs related to credit monitoring and identity theft protection, as
well as attorneysâ fees. They also sought injunctive relief under the
Georgia Uniform Deceptive Trade Practices Act, OCGA § 10-1-370
et seq. (âUDTPAâ), and a declaratory judgment to the effect that the
Clinic must take certain actions to ensure the security of class
membersâ personal data in the future. The Clinic filed a motion to
dismiss based on both OCGA § 9-11-12 (b) (1) and OCGA § 9-11-12
(b) (6), which the trial court granted summarily.
A divided panel of the Court of Appeals affirmed. See Collins
v. Athens Orthopedic Clinic, 347 Ga. App. 13(815 SE2d 639
) (2018).
The Court of Appeals concluded that the plaintiffsâ negligence claim
was properly dismissed because the plaintiffs âseek only to recover
for an increased risk of harm.â Id. at 18 (2) (a). The majority
4
concluded that although the credit monitoring and other
precautionary measures alleged by the plaintiffs were âundoubtedly
prudent,â they were âdesigned to ward off exposure to future,
speculative harmâ and thus âinsufficient to state a cognizable claim
under Georgia law.â Id.1
Then-Presiding Judge McFadden dissented from that holding,
concluding that the plaintiffs had standing to bring their claims
given that their allegations of future injury show a substantial risk
that harm will occur. Collins, 347 Ga. App. at 22-25 (1)-(2)
(McFadden, P. J., concurring in part and dissenting in part). We
granted the plaintiffsâ petition for certiorari to consider whether the
1 The Court of Appeals majority explicitly held that the plaintiffsâ claim
for breach of implied contract failed for the same reason that their negligence
claim failed â they had not sufficiently alleged a cognizable injury. See Collins,
347 Ga. App. at 18-19 (2) (b). The majorityâs incorrect resolution of the question
of whether the plaintiffs had sufficiently pleaded a cognizable injury for
negligence purposes may have affected its consideration of other claims, as
well. The majority held that the declaratory judgment claim failed because the
pleadings do not show any uncertainty that a court declaration would resolve;
that the UDTPA claim was properly dismissed because the plaintiffs did not
allege any future, nonspeculative harm that an injunction would remedy; and
that the unjust enrichment claim failed because it was not pleaded as an
alternate theory of recovery based on a failed contract. Collins, 347 Ga. App.
at 19-22 (2) (c) - (e). These holdings should be revisited on remand.
5
Court of Appeals erred in holding that the plaintiffs failed to allege
a legally cognizable injury. We conclude that the plaintiffs did allege
a cognizable injury.
2. The Georgia case law relied on by the Court of Appeals is
inapplicable for two reasons.
âIt is well established that to recover for injuries caused by
anotherâs negligence, a plaintiff must show four elements: a duty, a
breach of that duty, causation[,] and damages.â Goldstein, Garber &
Salama, LLC v. J. B., 300 Ga. 840, 841(1) (797 SE2d 87
) (2017) (citation and punctuation omitted). In other words, âbefore an action for a tort will lie, the plaintiff must show he sustained injury or damage as a result of the negligent act or omission to act in some duty owed to him.â Whitehead v. Cuffie,185 Ga. App. 351, 353
(2) (364 SE2d 87
) (1987); see also OCGA § 51-1-6 (âWhen the law
requires a person to perform an act for the benefit of another or to
refrain from doing an act which may injure another, although no
cause of action is given in express terms, the injured party may
recover for the breach of such legal duty if he suffers damage
thereby.â (emphasis added)); OCGA § 51-1-8 (âThe violation of a
6
private duty, accompanied by damage, shall give a right of action.â
(emphasis added)); OCGA § 51-12-4 (âDamages are given as
compensation for injury; generally, such compensation is the
measure of damages where an injury is of a character capable of
being estimated in money.â).
[A] wrongdoer is not responsible for a consequence which
is merely possible, according to occasional experience, but
only for a consequence which is probable, according to
ordinary and usual experience. . . . A fear of future
damages is too speculative to form the basis for recovery.
Finnerty v. State Bank & Trust Co., 301 Ga. App. 569, 572(4) (687 SE2d 842
) (2009) (citation and punctuation omitted), disapproved of on other grounds by Cumberland Contractors, Inc. v. State Bank & Trust Co.,327 Ga. App. 121, 125
(2) n.4 (755 SE2d 511
) (2014); see
also OCGA § 51-12-8 (âIf the damage incurred by the plaintiff is only
the imaginary or possible result of a tortious act or if other and
contingent circumstances preponderate in causing the injury, such
damage is too remote to be the basis of recovery against the
wrongdoer.â).
Concluding that the plaintiffs had not sufficiently pleaded
7
injury here, the Court of Appeals relied on two of its opinions
addressing the exposure of sensitive personal information, Finnerty
and Rite Aid of Georgia v. Peacock, 315 Ga. App. 573(726 SE2d 577
) (2012). In Finnerty, the matter came before the Court of Appeals on the grant of summary judgment against a civil case defendant who complained that the plaintiff bank had included his social security number in an exhibit to the civil complaint.301 Ga. App. at 569
. As one of several alternative bases for affirming the summary judgment order, the Court of Appeals concluded that the defendantâs state law counterclaims alleging that the bankâs action caused him injuries were âwholly speculative.âId. at 572
(4). The court noted that the defendant had âfailed to demonstrate that the Bankâs purported unlawful disclosure made it âprobableâ that he would suffer any identity theft or that any specific persons actually have accessed his confidential personal information as a result of the purported unlawful disclosure.âId.
And in Rite Aid, the Court of Appeals
reversed a grant of class certification in a case arising from the
defendant pharmacyâs sale of its customersâ medication information
8
to another pharmacy, concluding the trial court erred in finding that
the named plaintiff and the proposed class of customers shared
common questions of law and fact and that the named plaintiff was
a sufficiently typical class representative. In particular, the Court of
Appeals noted that the named plaintiff could only speculate that a
criminal might associate with an employee of the new pharmacy who
had access to his prescription information. 315 Ga. App. at 576-577
(1) (a) (i).
The Court of Appeals in this case also relied on its prior opinion
in Boyd v. Orkin Exterminating Co., 191 Ga. App. 38(381 SE2d 295
) (1989), overruled on other grounds by Hanna v. McWilliams,213 Ga. App. 648, 651
(2) (b) (446 SE2d 741
) (1994), in which the Court of
Appeals affirmed a grant of partial summary judgment to the
defendant pest control company on the plaintiffsâ suit alleging that
the negligent application of pesticide in their home subjected their
children to an increased risk of cancer. In particular, the Boyd court
rejected the notion that the plaintiffs could recover for an alleged
increased risk of cancer as a result of the pest treatments, because,
9
although the plaintiffs produced testimony that their children would
require monitoring in the future to determine whether they
developed health problems due to their exposure, they had fallen
âfar shortâ of establishing to a âreasonable medical certaintyâ that
such consequences would occur. 191 Ga. App. at 40-41(2) (citation and punctuation omitted). Although the plaintiffs in Boyd pointed to the presence of elevated levels of a certain metabolite in the childrenâs bloodstream, the record in that case provided no âindication that the presence of these metabolites had caused or would eventually cause actual disease, pain, or impairment of some kind[.]âId. at 40
(1).
The Court of Appeals here relied on Finnerty and Rite Aid to
conclude that âthe fact of compromised data is not a compensable
injury by itself in the absence of some loss or damage flowing to the
plaintiffâs legally protected interest as a result of the alleged breach
of the legal duty[,]â and therefore the plaintiffs here do not allege a
legally cognizable injury. Collins, 347 Ga. App. at 15-16 (2) (citation
and punctuation omitted). And the court said that Boyd was a
10
âfitting analogueâ to this case, given that in both this case and Boyd,
âthe defendantâs alleged negligence exposed Plaintiffs to a risk of
harm which may or may not occur.â Id. at 16 (2).2 But there are two
fundamental differences between those cases and this one.
(a) The key Georgia decisions relied on by the Court of Appeals
were not issued in the context of a motion to dismiss.
First, neither Finnerty, nor Rite Aid, nor Boyd was decided in
the context of a motion to dismiss. Finnerty and Boyd were summary
judgment cases, and Rite Aid involved a question of class
certification. To avoid dismissal on summary judgment, a plaintiff
must present evidence that raises a genuine issue of material fact.
See Nguyen v. Southwestern Emergency Physicians, P.C., 298 Ga.
75, 82(3) (779 SE2d 334
) (2015). And to prevail on a request for class
2 The Court of Appeals also cited two other cases we need not address at
length. First, it cited an unpublished Eleventh Circuit opinion surmising that
Boyd âsuggests that Georgia would not recognizeâ a claim for ârecovery of
medical monitoring costs in the absence of a current physical injury.â Parker
v. Brush Wellman, Inc., 230 Fed. Appx. 878, 883(III) (A) (11th Cir. 2007). That type of claim is not before us, and we express no opinion on the viability of such a claim. And second, it cited its own decision in Crawford Long Mem. Hosp. v. Hardeman,84 Ga. App. 306
(66 SE2d 67
) (1951). But that summary opinion
cited no authority for its conclusory analysis, and had never been cited until
the decision below. We decline to extend that decision beyond its facts.
11
certification, a plaintiff must show with evidence that the
requirements for certification are satisfied. See Georgia-Pacific
Consumer Products v. Ratner, 295 Ga. 524, 526(1) (762 SE2d 419
)
(2014). Therefore, it was not enough for the claimants in Finnerty
and Rite Aid merely to allege that identity theft was a possible, or
even likely, result of the opposing partyâs actions. And it was not
enough for the plaintiffs in Boyd merely to allege that it was
possible, or even likely, that their children would develop cancer as
a result of the pesticide application. Given the stages in which those
cases presented themselves to the Court of Appeals, evidence beyond
mere allegations was required in order for the claimants to prevail.
Not so here. This case comes before us as an appeal from the
grant of a motion to dismiss for failure to state a claim under OCGA
§ 9-11-12 (b) (6). Such a motion is properly granted when the
plaintiff âwould not be entitled to relief under any state of provable
facts asserted in supportâ of the allegations in the complaint and
âcould not possibly introduce evidence within the framework of the
complaint sufficient to warrant a grant of the relief sought.â Austin
12
v. Clark, 294 Ga. 773, 774-775(755 SE2d 796
) (2014) (citation and punctuation omitted). In deciding such a motion, any doubts regarding the complaint must be construed in favor of the plaintiff.Id. at 775
.3
Here, the plaintiffs allege that criminals are now able to
assume their identities fraudulently and that the risk of such
identity theft is âimminent and substantial.â This amounts to a
factual allegation about the likelihood that any given class member
will have her identity stolen as a result of the data breach. As this
3 We note, as did then-Presiding Judge McFadden, that the Clinicâs
motion also sought dismissal for lack of subject matter jurisdiction under
OCGA § 9-11-12 (b) (1), on the basis that the plaintiffs lacked standing to bring
any claim against it, and the trial courtâs order did not specify under which
basis it granted the Clinicâs motion. See Collins, 347 Ga. App. at 23 (1) n.11
(McFadden, P. J., concurring in part and dissenting in part). A motion to
dismiss for lack of subject matter jurisdiction may entail a âfactual challengeâ
that requires consideration of evidence beyond the face of the complaint. See
Douglas County v. Hamilton State Bank, 340 Ga. App. 801, 801(798 SE2d 509
) (2017). Although the Clinicâs motion included a link to a news article about the data breach, no evidence was introduced at the trial courtâs hearing on the motion. Of course, a court cannot skip past a jurisdictional issue to resolve simpler merits questions, but has the duty to âraise the question of jurisdiction on its own motion whenever there may be any doubt as to its existence.â Scroggins v. Edmondson,250 Ga. 430, 430
(1) (297 SE2d 469
) (1982). But we
conclude that the allegations that we determine are enough here to plead a
legally cognizable injury are also sufficient in this procedural posture to satisfy
the injury-in-fact element of standing.
13
case comes before us on a motion to dismiss, we must accept this
factual allegation as true.
(b) The Court of Appealsâs prior cases involved a sort of exposure
of data fundamentally different than the actual data theft in this
case.
In addition to the differences in procedural posture, the facts
of Finnerty and Rite Aid put them in a category different from that
of this case. In neither Finnerty nor Rite Aid was there any reason
to believe that the data in question had in fact fallen into a criminalâs
hands; here, plaintiffs allege that their data was stolen by a criminal
whose alleged purpose was to sell the data to other criminals. To
conclude that the claimants in Finnerty and Rite Aid would likely
suffer identity theft as a result of the opposing partiesâ actions would
have required a long series of speculative inferences, including that
someone with malicious intent would obtain the data in the first
place, that this person would attempt to use the data to steal the
claimantâs identity or make the data available to someone who
would attempt to do so, and that the would-be identity thief would
succeed in fraudulent usage of the claimantâs identity. See also
14
McLoughlin v. Peopleâs United Bank, Inc., 2009 WL 2843269, at *7-
*8 (Case No. 3:08-cv-00944 (VLB), D. Conn., decided Aug. 31, 2009)
(where box containing backup tapes of electronic banking data was
lost or stolen from truck with broken lock â with no indication that
box was stolen for the data it contained â no injury under
Connecticut tort law, as tapes âcould have been inadvertently
discarded or destroyed,â or âcollecting dust in some forgotten
warehouse,â and it âis only through speculation that one concludes
that they are in possession of an individual who is driven to
maliciously mine the tapes for the personal data that they containâ).
Those cases are far different from this one.
Here, the plaintiffs alleged that (1) a thief stole a large amount
of personal data by hacking into a businessâs computer databases
and demanded a ransom for the dataâs return, (2) the thief offered
at least some of the data for sale, and (3) all class members now face
the âimminent and substantial riskâ of identity theft given criminalsâ
ability to use the stolen data to assume the class membersâ identities
and fraudulently obtain credit cards, issue fraudulent checks, file
15
tax refund returns, liquidate bank accounts, and open new accounts
in their names. Assuming the truth of these allegations, as we must
at this stage, we must presume that a criminal actor has maliciously
accessed the plaintiffsâ data and has at least attempted to sell at
least some of the data to other wrongdoers. Moreover, an important
part of the value of that data to anyone who would buy it in that
fashion is its utility in committing identity theft. See Remijas v.
Neiman Marcus Group, LLC, 794 F3d 688, 693 (7th Cir. 2015) (â[I]t
is plausible to infer that the plaintiffs have shown a substantial risk
of harm from the . . . data breach. Why else would hackers break
into a storeâs database and steal consumersâ private information?
Presumably, the purpose of the hack is, sooner or later, to make
fraudulent charges or assume those consumersâ identities.â).4 Thus,
we are much further along in the chain of inferences that one must
4 Some of the federal authorities we cite in this opinion address whether
there is injury in fact for purposes of standing under Article III of the United
States Constitution. That analysis may well be different than whether a legally
cognizable injury has been pled as a matter of Georgia tort law, but the
question here is similar enough that these federal cases are still useful.
16
draw in order to conclude that the plaintiffs here likely will suffer
identity theft.5
As explained above, showing injury as a result of the exposure
of data is easier in a case like this, where the data exposure occurs
as a result of an act by a criminal whose likely motivation is to sell
the data to others. But that easier showing of injury may well be
offset by a more difficult showing of breach of duty.6 Cf. Dept. of
Labor v. McConnell, 305 Ga. 812, 815-816(3) (a) (828 SE2d 352
)
(2019) (plaintiff failed to show that state agency owed him duty â
5 As the case proceeds beyond the motion to dismiss stage, the plaintiffs
will need to support their claim of injury with evidence about the extent to
which they face an imminent and substantial risk of identity theft. Moreover,
that risk may become either easier or more difficult to prove as time goes on
and the plaintiffs do or do not experience actual identity theft.
6 Proving that the plaintiffâs injuries were proximately caused by the
breach may also be more difficult. See Goldstein, Garber & Salama, 300 Ga. at
842-843(1) (trial court should have granted dental practiceâs motion for directed verdict, as practice could not have foreseen that independent contractor nurse anesthetist would molest plaintiff patient, and thus proximate causation could not be shown); see also Resnick v. AvMed, Inc.,693 F3d 1317, 1330-1332
(11th Cir. 2012) (William Pryor, J., dissenting) (arguing
that Florida law claims filed in federal court should have been dismissed under
applicable federal pleading standard, as plaintiffs failed to plead facts
rendering plausible their allegation that identity thieves obtained sensitive
information as a result of theft of defendantâs computers, as opposed to from a
third party).
17
under either OCGA § 10-1-393.8, OCGA § 10-1-910, or purported
common law duty âto all the world not to subject others to an
unreasonable risk of harmâ â to protect his personal information
from inadvertent, negligent disclosure (citation and punctuation
omitted)). This case is at the motion to dismiss stage, and the Court
of Appealsâs decision did not turn on this issue, so we leave it for
another day.7
3. The plaintiffsâ negligence claim should not have been
dismissed for failure to allege a cognizable injury.
Construing the plaintiffsâ allegations â particularly that
criminals are able to assume their identities fraudulently as a result
of the data breach and that the risk of such identity theft is
âimminent and substantialâ â in the light most favorable to the
plaintiffs, we cannot say that the plaintiffs will not be able to
introduce sufficient evidence of injury within the framework of the
7 We recognize that this case involves a fairly new kind of injury. As a
court, we discharge our duty to apply traditional tort law to that injury. But
that traditional tort law is a rather blunt instrument for resolving all of the
complex tradeoffs at issue in a case such as this, tradeoffs that may well be
better resolved by the legislative process.
18
complaint. The plaintiffs allege that their personal data has been
stolen on a mass scale by a criminal, who in turn has offered it for
sale to other criminals. They also allege that, as a result, criminals
are able to assume their identities and fraudulently obtain credit
cards, issue fraudulent checks, file tax refund returns, liquidate
bank accounts, and open new accounts in their names. These
allegations raise more than a mere specter of harm. See Attias v.
CareFirst, Inc., 865 F3d 620, 629 (D.C. Cir. 2017) (âNo long sequence
of uncertain contingencies involving multiple independent actors
has to occur before the plaintiffs in this case will suffer any harm; a
substantial risk of harm exists already, simply by virtue of the hack
and the nature of the data that the plaintiffs allege was taken.â).
These allegations are sufficient to survive a motion to dismiss the
plaintiffsâ negligence claims.
Our conclusion that dismissal of the negligence claims for lack
of injury is not warranted at this stage does not depend on the
plaintiffsâ allegations that the breach has caused them to spend
money attempting to mitigate the consequences of the breach by
19
avoiding actual identity theft. Although this may represent all or
some measure of the plaintiffsâ damages to date, their allegation
that the criminal theft of their personal data has left them at an
imminent and substantial risk of identity theft is sufficient at this
stage of the litigation.8
4. Our conclusion is consistent with recent federal decisions
applying Georgia law.
Recent persuasive federal district court decisions applying
Georgia law in similar cases are consistent with our conclusion that
the plaintiffs have pleaded a legally cognizable injury here. In
litigation arising from hackersâ theft of the credit cardholder
information of Arbyâs customers, a district court rejected the
defendantâs argument that the consumer plaintiffsâ negligence
8 Our conclusion also does not depend on the allegation that one named
plaintiff already has experienced identity theft. The Court of Appeals implicitly
rejected a negligence claim based on this allegation, citing a failure to allege
that the fraudulent charges were related to or caused by the data breach.
Collins, 347 Ga. App. at 18 (2) (a) n.5. And although the plaintiffs sought
review of this aspect of the Court of Appeals decision, we did not grant
certiorari on issues of causation, and we express no opinion on those issues.
We note, however, that the Clinicâs counsel acknowledged at oral argument
before this Court that âa general allegation of causation is usually sufficient to
carry the plaintiffâs burdenâ at the motion to dismiss stage.
20
claims should be dismissed because they had not suffered âany out-
of-pocket loss.â See In re Arbyâs Restaurant Group Inc. Litigation,
2018 WL 2128441, at *11 (Civil Action No. 1:17-cv-0514-AT, N.D. Ga., decided March 5, 2018). Although the plaintiffs had alleged unauthorized charges on their credit card accounts â i.e., actual identity theft â the court also pointed to alleged costs associated with detection and prevention of identity theft in concluding that the allegations of injury were sufficient.Id.
(âWhile Arbyâs is correct that
a plaintiff may not recover for injuries that are purely speculative,
such as the potential risk of future identity theft, Plaintiffsâ
Complaint alleges costs associated with actual data theft.â
(emphasis added)).9
In another federal case over theft of consumersâ personal data
9 The district court noted that the plaintiffsâ alleged monetary losses
meant that it did not need to consider whether the plaintiffsâ other alleged
injuries â for loss of use of funds and accounts, loss of productivity, time and
effort in remediating the breach, and inability to receive card rewards â were
cognizable under Georgia law. In re Arbyâs, 2018 WL 2128441, at *11 n.12. But, noting a lack of authority cited by the parties on that question, the court added its view that âa consumerâs time and effort to remediate the effects of a breach is not an abstract notion of actual damage and one that is susceptible to proof and valuation by a jury.âId.
We express no opinion on that issue.
21
by hackers, a district court also rejected the defendantsâ argument
that the plaintiffsâ Georgia tort claims failed because they had not
pleaded a legally cognizable injury. See In re Equifax, Inc., Customer
Data Security Breach Litigation, 362 FSupp.3d 1295, 1314-1317
(N.D. Ga. 2019). Again, although the plaintiffsâ allegations in that
case included allegations that some members of the class had
suffered actual identity theft, the district court also pointed to the
allegations about a risk of identity theft, as well as measures to
mitigate that risk, in concluding that the allegation of injury was
sufficient:
Plaintiffs here have alleged that they have been
harmed by having to take measures to combat the risk of
identity theft, by identity theft that has already occurred
to some members of the class, by expending time and
effort to monitor their credit and identity, and that they
all face a serious and imminent risk of fraud and identity
theft due to the Data Breach. These allegations of actual
injury are sufficient to support a claim for relief.
Id. at 1315.10
10 The district court in Equifax attempted to distinguish the Court of
Appealsâs decision here on the basis that here âthe plaintiffs alleged only an
âincreased risk of harmâ associated with taking precautionary measures,â
22
Although ultimately this Court is the final arbiter of the
meaning of Georgia law, the district courtsâ conclusions in these
cases are somewhat more persuasive because, although those cases
also came before district courts on motions to dismiss, they were
subject to the more stringent pleading standards governing federal
cases. Compare Ashcroft v. Iqbal, 556 U. S. 662, 679(129 SCt 1937
, 173 LE2d 868) (2009) (under federal law, legal conclusions recited in complaint âmust be supported by factual allegationsâ that âplausibly give rise to an entitlement to reliefâ), with Dillingham v. Doctors Clinic, P.A.,236 Ga. 302, 303
(223 SE2d 625
) (1976) (under
whereas the Equifax plaintiffs âalleged a substantial and imminent risk of
impending identity fraud due to the vast amount of information that was
obtained in the Data Breach.â 362 FSupp.3d at 1317 (citing Collins, 347 Ga.
App. at 18). The district court noted that the Equifax plaintiffs also had
âalleged that they have already incurred significant costs in response to the
Data Breachâ and many had âalso already suffered forms of identity theft.â Id.
This attempt to distinguish the Court of Appealsâs decision here is perplexing
and ultimately unconvincing, however. Although the Court of Appeals used the
phrase âincreased risk of harmâ to describe the plaintiffsâ allegations, Collins,
347 Ga. App. at 18 (2) (a), the plaintiffs here, like the Equifax plaintiffs, in fact
have pleaded an âimminent and substantial riskâ of identity theft. And the
district court in Equifax specifically relied on the sort of allegations of credit
monitoring made here in concluding that the plaintiffs had adequately pleaded
both that they had suffered an injury, 362 FSupp.3d at 1315, and that the
injury was proximately caused by the data breach, id. at 1318-1319.
23
Georgia law, complaint need only âgive the defendant fair notice of
what the claim is and a general indication of the type of litigation
involved; the discovery process bears the burden of filling in
detailsâ).
Because the Court of Appeals erred in concluding that the trial
court properly dismissed the plaintiffsâ negligence claims due to
failure to plead a legally cognizable injury, we reverse that holding.
Because that error may have affected the Court of Appealsâs other
holdings, we vacate those other holdings and remand the case.
Judgment reversed in part and vacated in part, and case
remanded. All the Justices concur.
24
DECIDED DECEMBER 23, 2019.
Certiorari to the Court of Appeals of Georgia â 347 Ga. App.
13.
David A. Bain; Goldman Scarlato & Penny, Mark S. Goldman,
Douglas J. Bench, for appellants.
Chilivis, Cochran, Larkins & Bever, John D. Dalbey, for
appellee.
25