The Georgia Court of Appeals recently reaffirmed its prior conclusion that there is no duty to safeguard personal information under Georgia law. In McConnell v. Ga. Dep’t of Labor, — S.E.2d —-, 2018 WL 2173252 (Ga. App. May 11, 2018), the Court of Appeals addressed whether a plaintiff whose social security number and other personal identifying information (“PII”) had allegedly been negligently disclosed by an employee of the Georgia Department of Labor stated a negligence claim in connection with the unauthorized disclosure.
In urging that the Court of Appeals should recognize such a duty, the plaintiff in McConnell relied on the Georgia Personal Identity Protection Act (the “GPIPA”). The plaintiff argued that the GPIPA supported recognizing a duty to safeguard PII because the statute reflects the General Assembly’s “intent to protect citizens from the adverse effects of disclosure of personal information and created a general duty to preserve and protect personal information.” McConnell, 2018 WL 2173252.
The Court of Appeals rejected this argument. It noted that “despite the General Assembly’s aspirational recognition of the harm caused by identity theft, the GPIPA does not proscribe any conduct in storing data or protecting data security. Rather, the GPIPA proscribes particular conduct, that is, notification and the placement of a security freeze, only after a (known or suspected) data security breach has occurred.” Id. (emphasis in original). The Court of Appeals then concluded that “[b]ecuase the GPIPA does not impose any standard of conduct in implementing and maintaining data security practices, . . . it can not [sic] serve as the source of a general duty to safeguard personal information.” Id.
The Court of Appeals also held that the Fair Business Practices Act of 1975 (the “FBPA”) also does not support the existence of such a duty. The court reasoned that while “the FBPA expressly prohibits intentionally communicating a person’s social security number,” that does not mean that there is “a duty to exercise a degree of care to avoid doing something unintentionally, which falls within the ambit of negligence.” Id. (emphasis in original). Thus, the Court of Appeals held, “[t]he trial court correctly concluded that McConnell’s complaint is premised on a duty of care to safeguard personal information that has no source in Georgia statutory law or caselaw” and that it failed to state a claim for negligence. Id.
This ruling has significant implications on privacy litigation in Georgia because it reaffirms the Court of Appeals’ prior holding that there is no duty to safeguard personal information under Georgia law. See McConnell v. Ga. Dep’t of Labor, 337 Ga. App. 457, 459-63 (2016), rev’d in part on other grounds, 302 Ga. 18 (2017). In light of this holding, plaintiffs seeking to hold victims of a data breach liable for negligence for failing to safeguard the information that was stolen in the breach will likely have a difficult time getting past a motion to dismiss.