COLLINS et al.
ATHENS ORTHOPEDIC CLINIC, P.A.
Court, Clarke County, G. Grant Brantley, Judge
A. Bain ; Goldman Scarlato & Penny, Mark S. Goldman, Douglas
J. Bench, for appellants.
Chilivis, Cochran, Larkins & Bever, John D. Dalbey, for
Judges: PETERSON, Justice. All the Justices concur.
criminal steals consumers' sensitive personal data, what
do those consumers have to plead against the allegedly
negligent business from whom the data was stolen to show a
legally cognizable injury under Georgia tort law? The Court
of Appeals has held in cases involving the exposure of
personal information that the failure to show that the
information had actually fallen into criminal hands, let
alone that the information was used to the consumers'
detriment, [307 Ga. 556] meant that plaintiffs had failed to
show a legally cognizable injury. But this case, which was
dismissed on the pleadings despite allegations of large-scale
criminal activity, falls into a different category of
data-exposure cases. The plaintiffs here, current or former
patients of the defendant medical clinic, brought a putative
class action after the clinic informed them that a hacker had
stolen their personal data from the clinic. We conclude that
the injury the plaintiffs allege that they have suffered is
legally cognizable. Because the Court of Appeals held
otherwise in affirming dismissal of the plaintiffs'
negligence claims, we reverse that holding. Because that
error may have affected the Court of Appeals's other
holdings, we vacate those other holdings and remand the case.
complaint, verified by each of the named plaintiffs, alleges
that in June 2016 an anonymous hacker stole the personally
identifiable information, including social security numbers,
addresses, birth dates, and health insurance details, of at
least 200,000 current or former patients of Athens Orthopedic
Clinic ("the Clinic") from the Clinic's
computer databases. Those current or former patients included
named plaintiffs Christine Collins, Paulette Moreland, and
Kathryn Strickland. According to the allegations contained in
the complaint, the hacker demanded a ransom, but the Clinic
refused to pay. The hacker offered at least some of the
stolen personal data for sale on the so-called “dark
web,” and some of the information was made available,
at least temporarily, on Pastebin, a data-storage website.
The Clinic notified the plaintiffs of the breach in August
plaintiffs allege that because their personal data has been
“compromised and made
available to others on the dark web, criminals are now able
to assume Class Members' identit[ies] and fraudulently
obtain credit cards, issue fraudulent checks, file tax refund
returns, liquidate bank accounts, and open new accounts, all
in Class Members' names.” Each named plaintiff
alleges that she has “spent time calling a credit
reporting agency and placing a fraud or credit alert on her
credit report to try to contain the impact of the data breach
and anticipates having to spend more time and money in the
future on similar activities.” Collins also alleges
that fraudulent charges to her credit card were made
“[s]hortly” after the data breach and that she spent
time getting the charges reversed by the card issuer. And the
complaint alleges that “[e]ven Class Members who have
not yet experienced identity theft or are not yet aware of it
nevertheless face the imminent and substantial risk of future
their suit against the Clinic, the plaintiffs sought class
certification and asserted claims for negligence, breach of
implied contract, and unjust enrichment. They sought damages
based on [307 Ga. 557] costs related to credit monitoring and
identity theft protection, as well as attorneys' fees.
They also sought injunctive relief under the Georgia
Uniform Deceptive Trade Practices Act, OCGA §
10-1-370 et seq. (“UDTPA”), and a declaratory
judgment to the effect that the Clinic must take certain
actions to ensure the security of class members' personal
data in the future. The Clinic filed a motion to dismiss
based on both OCGA § 9-11-12 (b) (1) and OCGA § 9-11-12 (b)
(6), which the trial court granted summarily.
divided panel of the Court of Appeals affirmed. See
Collins v. Athens Orthopedic Clinic, 347 Ga.App. 13
(815 S.E.2d 639) (2018). The Court of Appeals concluded that
the plaintiffs' negligence claim was properly dismissed
because the plaintiffs “seek only to recover for an
increased risk of harm.” Id. at 18 (2) (a).
The majority concluded that although the credit monitoring
and other precautionary measures alleged by the plaintiffs
were “undoubtedly prudent,” they were
“designed to ward ...