The Georgia Supreme Court recently issued a decision holding that there is no duty to safeguard personal information from a data breach under Georgia law. Georgia Department of Labor v. McConnell involved the accidental disclosure of a spreadsheet that contained the name, social security number, home telephone number, email address, and age of thousands of individuals who had applied for unemployment benefits or other services offered by the Department of Labor. Case No. S18G1316, slip op. at 2 (Ga. May 20, 2019). The plaintiff, whose information was among that which was disclosed, filed a putative class action against the Department of Labor, alleging claims for negligence, breach of fiduciary duty, and invasion of privacy.
The trial court dismissed the plaintiff’s complaint, ruling that sovereign immunity barred the claims and that, even if the claims were permissible, the plaintiff’s complaint failed to state a claim to relief. The Court of Appeals affirmed, addressing only whether the complaint failed to state a claim. See McConnell v. Dep’t of Labor, 337 Ga. App. 457 (2016). The Georgia Supreme Court granted the plaintiff’s petition for certiorari and subsequently reversed, concluding that the Court of Appeals erred by failing to first address whether sovereign immunity barred the plaintiff’s claims. See McConnell v. Dep’t of Labor, 302 Ga. 18 (2017). The Court of Appeals then concluded that, although sovereign immunity did not bar the plaintiff’s claims, the plaintiff’s complaint failed to state a claim for relief. See McConnell v. Dep’t of Labor, 345 Ga. App. 669 (2018).
In an opinion issued May 20, 2019, the Supreme Court affirmed the Court of Appeals opinion in its entirety. After concluding that sovereign immunity did not preclude the plaintiff’s claims, the Supreme Court analyzed whether each of the three claims the plaintiff brought – negligence, breach of fiduciary duty, and invasion of privacy – were viable. The Supreme Court first addressed the negligence claim and concluded that it was not viable because the plaintiff had not adequately alleged that the Department of Labor owed a duty to safeguard the personal information of those who applied for benefits. The plaintiff had argued that Georgia recognized a “common law duty ‘to all the world not to subject others to an unreasonable risk of harm.’” McConnell, slip op. at 9 (quoting Bradley Center, Inc. v. Wessner, 250 Ga. 199, 201 (1982)). But the Supreme Court rejected this argument, holding that “the language in Bradley Center on which McConnell relies was not a holding concurred in by a majority of this Court, was not supported by the only authority that the lead opinion cited, was not a correct statement of the law, did not control the result in that case (which was based on a ‘special relationship’ between the plaintiff and defendant), and has never been endorsed in a decision of this Court that qualifies as precedent.” Id., slip op. at 9-10.
The Court also rejected the plaintiff’s attempt to argue that a duty was created by two Georgia statutes, O.C.G.A. §§ 10-1-910 (Georgia’s identity theft statute) and 10-1-393.8 (the Georgia statute that restricts disclosure of social security numbers). The Court concluded that the identity theft statute “does not explicitly establish any duty, nor does it prohibit or require any conduct act all.” McConnell, slip op. at 10. And the statute that restricts the disclosure of social security numbers applies only to intentional disclosures, not negligent disclosures like the one alleged in the complaint. Id., slip op. at 11.
The Court then analyzed the breach of fiduciary duty claim. It rejected the plaintiff’s argument that the Trustee Clause of the Georgia Constitution, which states that “[p]ublic officers are the trustees and servants of the people and are at all times amenable to them,” created a fiduciary duty because “[t]he complaint did not allege that any public officer was reaping personal financial gain at the expense of the public, so the Trustee Clause is inapplicable.” Id., slip op. at 12-13 (internal quotation marks and citation omitted). The Court further held that there was no special relationship of confidence between the plaintiff and the department to give rise to a fiduciary duty because “the complaint alleged merely that the Department, as the gatekeeper to unemployment benefits, required McConnell and the others to provide personal information in order to receive benefits,” and that conduct “is common between citizens and government agencies and is insufficient to show a fiduciary relationship.” Id., slip op. at 14.
Finally, the Court concluded that the plaintiff’s third cause of action – invasion of privacy – also was not viable. The court reasoned that any potential claim for invasion of privacy would constitute the tort of public disclosure of embarrassing facts, but that the complaint did not state a claim for that tort because “the matter disclosed included only the name, social security number, home telephone number, email address, and age of individuals who had sought services or benefits from the Department.” Id., slip op. at 15. In reaching this conclusion, the Court relied on precedent stating that, with respect to the tort of public disclosure of embarrassing facts, “‘[t]he interest protected is that of reputation,’” and the information that the plaintiff’s complaint alleged was disclosed “does not normally affect a person’s reputation.” Id. (quoting Cottrell v. Smith, 299 Ga. 517, 532-33 (2016)). Thus, because none of the plaintiff’s three claims was viable, the Supreme Court concluded that the Court of Appeals did not err in affirming the trial court’s dismissal of the Complaint.
This decision has potentially significant implications on plaintiffs’ attempts to certify nationwide class actions against retailers who are victims of a data breach based on a negligence theory. It illustrates that the law of negligence is not uniform across all jurisdictions, which will make attempts to certify a nationwide class in data breach cases difficult or impossible.