Commentary: What Constitutes Negligence in Company Data Breaches?

Amy L. Hanna Keeney of Adams and Reese writes about an opinion in a court case that stemmed from one of TheDarkOverlord’s hacks: their attack on Athens Orthopedic Clinic (AOC). I had covered that breach extensively, including commenting on the fact that AOC did not offer any free services to patients whose data had not only been stolen, but had either been publicly dumped on Pastebin and/or reportedly put up for sale on dark net markets.

As Keeney explains in her article, only one of three named plaintiffs in Collins, et al. v. Athens Orthopedic Clinic actually alleged that they had actually experienced fraudulent charges on any of their accounts, and the complaint didn’t actually claim that the fraud had a causal connection to the hack. Basically, the plaintiffs were alleging that they incurred the cost of identity theft protection, credit monitoring, and credit freezes.

Together, the plaintiffs filed a putative class action alleging (1) violation of the Georgia Uniform Deceptive Trade Practices Act by AOC; (2) breach of an implied contract with AOC; (3) unjust enrichment of AOC; and (4) negligence by AOC.

AOC responded to plaintiffs’ complaint by filing a motion to dismiss pursuant to both O.C.G.A. §§ 9-11-12(b)(1) and 12(b)(6).

Disappointingly to privacy advocates, the court held that just an increased risk of harm was not sufficient to grant the plaintiffs standing.

The court explained, “[w]hile credit monitoring and other precautionary measures are undoubtedly prudent, we find that they are not recoverable damages on the facts before us, because the plaintiffs seek only to recover for an increased risk of harm.”

The trial court’s dismissal of plaintiffs’ complaint was affirmed.

That conclusion seems straightforward, right? Not quite. There are two aspects of the Collins opinion that either diminish its usefulness or give you hope, depending on which side of this battle you favor.