In McConnell v. Georgia Dep’t of Labor, 345 Ga. App. 669, 679 (2018), the Georgia Court of Appeals recognized that “a duty of care to safeguard personal information . . . has no source in Georgia statutory law or caselaw.” On Monday, May 20, 2019, the Georgia Supreme Court affirmed the decision of the Court of Appeals. See Georgia Dep’t of Labor v. McConnell, Case Nos. S18G1316, S18G1317, 2019 WL 2167323 (Ga. May 20, 2019). The most-recent McConnell decision is likely to greatly impact data breach litigation in Georgia for the foreseeable future.

The McConnell case has a long history that now involves two decisions from the Georgia Court of Appeals and two from the Supreme Court of Georgia. It arose following the inadvertent disclosure of certain personal information (names, social security numbers, phone numbers, addresses) of 4,757 individuals “who applied for unemployment benefits or other services administered by the” Georgia Department of Labor. Id. at *1. Mr. McConnell, whose personal information was disclosed, purchased a subscription to an identity protection and credit monitoring service and incurred other out-of-pocket costs. He then filed a putative class action against the Department of Labor alleging negligence, invasion of privacy, and breach of fiduciary duty. The Department moved to dismiss arguing, among other things, that it violated no duty recognized by Georgia law. The trial court granted the Department’s motion to dismiss, and the Georgia Supreme Court has now affirmed that dismissal.

In analyzing whether a general duty to safeguard personal information exists under Georgia law, and in concluding that it does not, the Georgia Supreme Court found that McConnell failed to show “that the Department owed him or other proposed class members a duty to protect their information against negligent disclosure.” Lawyers for companies faced with negligence claims following a cyber incident have, in recent years, made this “lack of duty” argument with varying degrees of success. This week’s McConnell decision makes clear that neither Georgia common law nor Georgia statutes provide a basis for a general duty to safeguard personal information.  

The Court did not weigh-in on issues related to damages or other thorny issues that courts across the country are wrestling with (including courts in Georgia (see Collins v. Athens Orthopedic Clinic, Georgia Supreme Court Case No. S19G0007)), but in affirming the lack of a general duty to safeguard information in Georgia, the Georgia Supreme Court placed the ball squarely in the Georgia legislature’s court to define a general cyber data protection duty if it so chooses.

*     *     *

Among other specialties, Parker Hudson defends clients in litigation flowing from data breach incidents, litigates associated insurance coverage disputes, and consults on a number of data privacy and security issues. At Parker Hudson, we keep our fingers on the pulse of evolving legal standards and new developments in data privacy and data breach litigation. Partner Scott Zweigel holds the gold standard privacy certification of Certified Industry Privacy Professional/United States and, along with Partner Bill Holley, has successfully defended cyber breach putative class action litigation. Please contact Scott Zweigel to let us help you address the evolving data privacy and security standards or Bill Holley and Scott Zweigel to represent you in the wake of a data breach.