On January 28, 2019, Judge Thomas W. Thrash of the United States District Court of the Northern District of Georgia issued orders on the Motions to Dismiss brought by Equifax in the wake of “one of the largest data breaches in history” and ensuing multidistrict litigation. Although Judge Thrash dismissed a number of claims based on the failure to allege “concrete and particularized harm” sufficient to confer standing, most of the putative class claims were allowed to move to the next stage of litigation. Specifically, the claims of certain consumers whose information was obtained in the breach and allegedly misused, along with the claims of certain credit card issuers that incurred costs related to re‐issuing compromised cards as a result breach, will now move forward.
A recent Georgia Court of Appeals decision, currently on certiorari review before the Georgia Supreme Court, found no general duty to safeguard personal information under Georgia law. McConnell v. Ga. Dep’t of Labor, 345 Ga. App. 669, 678 (2018), petitions for cert. granted (Ga. S. Ct. Nov. 15, 2018). In Equifax, Judge Thrash distinguished that decision and found a duty of care arising “from the allegations that the Defendants knew of a foreseeable risk to the data security systems of Equifax but failed to implement reasonable security measures.” Judge Thrash also found allegations of damages in the form of “significant costs in response to the Data Breach” along with allegations of some identity theft and allegations of “substantial and imminent risk of impending identity fraud due to the vast amount of information that was obtained” sufficient to survive a motion to dismiss for lack of damages. Judge Thrash predicted that the Georgia Court of Appeals’ decision in McConnell will be overturned, stating: “it seems unlikely to me that the Georgia Supreme Court will adopt a rule of law that tells hundreds of millions of consumers in the United States that a national credit reporting agency headquartered in Georgia has no obligation to protect their confidential personal identifying data.”
The Equifax decisions highlight the uncertain risks companies face when courts apply traditional common law principles to the dynamic and rapidly changing rules surrounding data breaches. Such decisions also highlight the potential “bet‐the-company” stakes of litigation regarding data privacy and security. Applying the rationale supporting the Equifax rulings, if a data breach is reasonably foreseeable and a company has notice that its IT systems have security vulnerabilities, affected parties may pursue claims for negligence, negligent misrepresentation, or other torts in the United States District Court for the Northern District of Georgia.
* * *
Among other specialties, Parker Hudson defends clients in litigation flowing from data breach incidents, litigates associated insurance coverage disputes, and consults on a number of data privacy and security issues. At Parker Hudson, we keep our fingers on the pulse of evolving legal standards and new developments in data privacy and data breach litigation. Partner Scott Zweigel holds the gold standard privacy certification of Certified Industry Privacy Professional/United States. Please contact Scott Zweigel to let us help you address the evolving data privacy and security standards or to represent you in the wake of a data breach.