Collins v. Athens Orthopedic Clinic

• Decision Date: 27 June 2018
• Docket Number: A18A0296
• Citation: 815 S.E.2d 639,347 Ga.App. 13
• Court: Georgia Court of Appeals
• Parties: COLLINS et al. v. ATHENS ORTHOPEDIC CLINIC.

347 Ga.App. 13

815 S.E.2d 639

COLLINS et al.

v.ATHENS ORTHOPEDIC CLINIC.

A18A0296

Court of Appeals of Georgia.

June 27, 2018

Reconsideration Denied July 16, 2018

Certiorari Granted April 29, 2019

David Andrew Bain, for Appellants.

Chivilis Cochran Larkins & Bever, John Durand Dalbey, Atlanta, for Appellee.

Ray, Judge.

After an anonymous hacker known as the "Dark Overlord" stole the personally identifiable information ("PII") of approximately 200,000 current and former Athens Orthopedic Clinic ("AOC") patients, Christine Collins, Paulette Moreland, and Kathryn Strickland (collectively, the "Plaintiffs") filed a putative class action. The trial court granted AOC's motion to dismiss, and Plaintiffs appealed, arguing that the trial court erred by implicitly finding that they failed to state a claim and lacked standing under Article III of the United States Constitution; and by relying on facts outside the four corners of the complaint. We affirm.

We review the grant of a motion to dismiss de novo, construing the factual allegations of the complaint in the light most favorable to the plaintiff. Radio Perry v. Cox Communications, Inc. , 323 Ga. App. 604, 605 (1), 746 S.E.2d 670 (2013). The complaint should be dismissed only if its allegations demonstrate with certainty that the claimants "would not be entitled to relief under any state of provable facts asserted in support thereof; and ... the movant establishes that the claimant could not possibly introduce evidence within the framework of the complaint sufficient to warrant a grant of the relief sought." (Citation and punctuation omitted.) Id.

Plaintiffs allege that the hack took place and was discovered by AOC in June 2016, and that AOC notified them of the breach in August 2016. The Dark Overlord apparently gained access to the PII database by using a third-party vendor's log-in credentials, and when AOC refused to pay a ransom for the information, the Dark Overlord offered some of it for sale on the "Dark Web,"¹ and made some of it at least temporarily available on Pastebin, a data-storage website designed to facilitate the sharing of large amounts of data online.

Plaintiffs allege that the data breach exposes them to the threat of identity theft and other harm. All three Plaintiffs were notified that their information had been compromised and spent time placing fraud or credit alerts on their credit reports. Only Collins had fraudulent charges made on her credit card and spent time getting them reversed.²

On January 20, 2017, Plaintiffs filed a putative class action alleging violation of the Georgia Uniform Deceptive Trade Practices Act ( OCGA § 10-1-370 et seq. ), breach of implied contract, unjust enrichment, and negligence. Plaintiffs also seek a declaratory judgment and attorney fees. They seek reimbursement for costs incurred and future costs to be incurred for the purchase of credit monitoring and identity theft protection, or the placing of credit freezes on their accounts, as well as injunctive relief.

On June 26, 2017, the trial court granted AOC's motion to dismiss. The order states, in its entirety:

Before the Court is Defendant [AOC's] motion to dismiss pursuant to OCGA § 9-11-12, which Motion having come on for a hearing on June 14, 2017. Having considered the oral arguments of counsel, the briefs of Plaintiffs and Defendant and all pleadings, but having considered no matters outside the pleadings, it is hereby ORDERED that the Motion to Dismiss is GRANTED.

1. Plaintiffs argue that the trial court erred in considering matters outside the complaint. They point, inter alia, to questions the trial court asked during the hearing on the motion to dismiss. Where matters outside the pleadings are presented, "a further determination has to be made as to whether the trial court excluded them. If the trial court excluded such matters, then the motion is for dismissal. If the trial court considered such matters, then the motion is for summary judgment." (Citation omitted.) Thompson v. Avion Systems, Inc ., 284 Ga. 15, 16-17, 663 S.E.2d 236 (2008). Here, the trial court's order expressly stated that it "considered no matters outside the pleadings[.]" We find no error.

2. Plaintiffs argue, generally, that the trial court erred in dismissing their complaint by implicitly finding that they failed to state a claim and lacked standing under Article III.

(a) Negligence claim . To state a cause of action for negligence in Georgia, the Plaintiffs must show:

(1) A legal duty to conform to a standard of conduct raised by the law for the protection of others against unreasonable risks of harm; (2) a breach of this standard; (3) a legally attributable causal connection between the conduct and the resulting injury; and, (4) some loss or damage flowing to the plaintiff's legally protected interest as a result of the alleged breach of the legal duty ... It is well-established Georgia law that before an action for a tort will lie, the plaintiff must show he sustained injury or damage as a result of the negligent act or omission to act in some duty owed to him.

(Citation and punctuation omitted.) Whitehead v. Cuffie , 185 Ga. App. 351, 352-353 (2), 364 S.E.2d 87 (1987). The complaint alleges that

[a]s a direct and proximate result of [AOC's] negligence, Plaintiffs and other Class Members have suffered, or will suffer, damages, including the cost of identity theft protection and/or credit monitoring services and the costs associated with placing and maintaining a credit freeze on their accounts over the course of a lifetime.

While we never have addressed directly whether prophylactic costs anticipated or incurred to protect oneself against the threat of identity theft following a data breach constitute "loss or damage" pursuant to Whitehead , supra, some Georgia cases offer guidance.

In Finnerty v. State Bank and Trust Co. , 301 Ga. App. 569, 687 S.E.2d 842 (2009), disapproved on other grounds by Cumberland Contractors, Inc. v. State Bank and Trust Co. , 327 Ga. App. 121, 125 (2), n. 4, 755 S.E.2d 511 (2014), Finnerty, a signatory on a promissory note, counterclaimed against a bank suing him for default. He alleged invasion of privacy and negligence because the bank disclosed his Social Security number in the complaint. Id. at 569, 687 S.E.2d 842. Finnerty argued that he "suffered ‘an increased risk of identity theft’ " and that " ‘non-authorized third parties have access to the otherwise confidential personal information[.]’ " Id. at 572 (4), 687 S.E.2d 842. We affirmed the trial court's grant of summary judgment to the bank, finding that "[a] fear of future damages is too speculative to form the basis for recovery." Id. This Court found that Finnerty "failed to demonstrate that the [b]ank's purported unlawful disclosure made it ‘probable’ that he would suffer any identity theft or that any specific persons actually have accessed his confidential personal information[.]" Id.

The instant case differs in that Plaintiffs alleged that the "Dark Overlord" had accessed their PII, offered to sell it on the Dark Web, and placed it, at least temporarily, on Pastebin. However, as OCGA § 51-12-8 provides, "[i]f the damage incurred by the plaintiff is only the ... possible result of a tortious act ... such damage is too remote to be the basis of recovery against the wrongdoer." See generally Rite Aid of Ga. v. Peacock , 315 Ga. App. 573, 576 (1) (a) (i), 726 S.E.2d 577 (2012) (in appeal of case alleging, inter alia, breach of contract and unjust enrichment, this Court pretermitted whether the sale of the plaintiff's personal medication information was illegal and reversed class certification, finding a lack of commonality in that "although [plaintiff] felt that the sale of his prescription information to Walgreens was illegal, he could not say that he had suffered any actual financial or physical injury ....)" (punctuation omitted; emphasis in original).

While Finnerty and Rite Aid are factually and procedurally distinct from the present case in that they did not involve motions to dismiss and did not feature theft of PII, they nonetheless suggest that the fact of compromised data is not a compensable injury by itself in the absence of some "loss or damage flowing to the plaintiff's legally protected interest as a result of the alleged breach of the legal duty[.]" (Citation and punctuation omitted.) Whitehead , supra at 352 (2), 364 S.E.2d 87 .

Further, the instant factual scenario finds a fitting analogue in the context of other torts. In Boyd v. Orkin Exterminating Co. , 191 Ga. App. 38, 40-41 (1), (2), 381 S.E.2d 295 (1989), overruled on other grounds by Hanna v. McWilliams , 213 Ga. App. 648, 651 (2) (b), 446 S.E.2d 741 (1994), the plaintiffs sued Orkin for the negligent application of insecticide in their home. The trial court found that the plaintiffs’ children's claims were barred to the extent that they sought damages for the "increased risk of cancer

" to which they had been exposed. In affirming the grant of summary judgment, we explained:

Even assuming arguendo that there was sufficient evidence before the jury to support a finding that Orkin had been negligent in its application of pesticides to the Boyds’ home, there was no evidence that the appellants had sustained any specific injury.... The results of organ function tests conducted on the children were all within normal range.... [Further,] [w ]e reject the appellants’ contention that the jury could have assessed damages against Orkin based on expert testimony that the presence of elevated levels of the heptachlor metabolite in the children's blood itself constituted "injury." Absent any indication that the presence of these metabolites had caused or would eventually cause actual disease, pain, or impairment of some kind , this testimony must be considered insufficient to support an award of actual damages in any amount.

(Punctuation omitted; emphasis supplied.) Id. at 40 (1), 381 S.E.2d 295. In both Boyd and the case before us, the...