Tuesday, December 08, 2020

Georgia "data breach as unfair trade practice" claim fails

Collins v. Athens Orthopedic Clinic, 849 S.E.2d 213, A18A0296 (Ga. Ct. App. 2020)

Former and current patients filed a putative class action against the Athens Orthopedic Clinic for negligence, breach of implied contract, unjust enrichment, attorney fees, injunctive relief under Georgia’s Uniform Deceptive Trade Practices Act (UDTPA), and declaratory judgment stemming from a data breach of their personal information. An anonymous hacker stole the personally identifiable information, including social security numbers, birthdates, addresses, and health insurance information, of approximately 200,000 current and former Clinic patients. The hacker demanded ransom, but the Clinic refused to pay, and the hacker sold the information on the “dark web.”

The trial court dismissed all claims, but the Georgia Supreme Court ultimately held that the allegations in the complaint sufficiently stated a claim for negligence that was not merely speculative and remanded to reconsider the remaining claims in light of that ruling. On remand, the court of appeals affirmed the dismissal of the unjust enrichment, declaratory relief, and UDTPA claims.

The Georgia UDTPA allows only prospective relief, but not redress for past harm. Thus, standing requires likely future damage by an unfair trade practice.  Here, “an injunction would serve no purpose at this point because, as alleged, their personal information was already sold and is available on the dark web. As such, the plaintiffs have failed to allege a future harm caused by the unfair practice, as required by the UDTPA, and the trial court properly dismissed this claim.”

The Chief Judge would have reached the same result on the UDTPA but for a different reason: there was no alleged deceptive trade practice. Athens Orthopedic allegedly violated the Act by failing to inform the plaintiffs that it did not have adequate computer systems and data security practices, but there was no allegation that it knew of the inadequacy, so there was no false advertising.

No comments: