The Georgia Supreme Court may weigh in on the hot issue plaguing data breach class action litigation across the nation: must a data breach victim suffer actual financial loss to recover damages, or is the threat of future harm enough? On August 20, the Georgia Supreme Court heard arguments in a class action suit stemming from a data breach in September 2017 at Athens Orthopedic, which exposed 200,000 of its current and former patients’ personal information, including names, addresses, social security numbers, dates of birth and telephone numbers. Upon discovery of the breach, Athens Orthopedic advised patients to place fraud alerts on their credit accounts and seek other advice.
In 2018, the Georgia Court of Appeals, in a 2-1 decision, ruled that because the plaintiffs did not suffer any actual financial loss or harm, they were not entitled to recover damages for potential or future harm. The class action suit alleged that some of the hacked information was offered for sale on the dark web, and some information was temporarily made available on a data storage site. Plaintiffs argued that the costs of measures they purchased, such as identity theft protection, credit monitoring, and credit freezes, are “classic measures of consequential damages” because they are incurred to mitigate “foreseeable” damages. The Court of Appeals rejected this argument, highlighting that “mitigation damages lessen the severity of an injury that has already taken place; if no injury occurred, there is no legally cognizable harm to mitigate”.
The Georgia Supreme Court is certainly not the first court in the nation to address this issue. Federal circuit courts have struggled with it over the past few years, in large part due to a lack of clarity following the U.S. Supreme Court’s decision in Spokeo, Inc. v. Robins, which held that even if a statute has been violated, plaintiffs must demonstrate that an “injury-in-fact” has occurred that is both concrete and particularized, but which failed to clarify whether a “risk of future harm” qualifies as such an injury. For example, the 3rd, 6th, 7th, 9th and D.C. circuits have generally found standing, while the 1st, 2nd, 4th and 8th circuits have generally found no standing where a plaintiff only alleges a heightened “risk of future harm”.
Most recently, the U.S. Supreme Court rejected a petition for a writ of certiorari by Zappos asking the Court to review a Ninth Circuit Court decision that allowed customers affected by a data breach to proceed with a lawsuit on grounds of vulnerability to fraud and identity theft. The Supreme Court did not provide a reason for its denial of the Zappos petition.
The Georgia Supreme Court is expected to issue its ruling in Athens Orthopedic in the coming months. The lack of clarity on this issue has made it difficult for businesses to assess the likelihood of litigation and its associated costs in the wake of a data breach. It is crucial for businesses to assess their breach readiness and develop an incident or breach response plan that takes into consideration the possibility of litigation.