McConnell v. Dep't of Labor

• Decision Date: 16 June 2016
• Docket Number: A16A0655
• Citation: 787 S.E.2d 794,337 Ga.App. 457
• Parties: McConnell et al. v. Department of Labor.
• Court: Georgia Court of Appeals

337 Ga.App. 457

787 S.E.2d 794

McConnell et al.

v.Department of Labor.

A16A0655

Court of Appeals of Georgia.

June 16, 2016

Jefferson Madden Allen, Scott Alan Schweber, Atlanta, Cohen, Cooper, Estep & Allen, for Appellant.

Samuel S. Olens, Atty. Gen., Kirsten Searle Daughdril, Sr. Asst. Atty. Gen., Atlanta, Angela Ellen Cusimano, Asst. Atty. Gen., for Appellee.

Ellington, Presiding Judge.

Thomas McConnell filed this class action against the Georgia Department of Labor, alleging several tort claims in connection with the Department's disclosure of personal information of McConnell and the proposed class members. After a hearing, the Superior Court of Cobb County granted the Department's motion to dismiss McConnell's complaint for failure to state a claim upon which relief can be granted. McConnell appeals, and for the reasons explained below, we affirm.

In ruling on a motion to dismiss, the trial court must accept as true all well-pled material allegations in the complaint and must resolve any doubts in favor of the plaintiff. As an appellate court, we review de novo a trial court's determination that a pleading fails to state a claim upon which relief can be granted, construing the pleadings in the light most favorable to the plaintiff and with any doubts resolved in the plaintiff's favor.

(Citations, punctuation, and footnote omitted.) Wright v. Waterberg Big Game Hunting Lodge Otjahewita (PTY), Ltd. , 330 Ga.App. 508, 509, 767 S.E.2d 513 (2014).

McConnell's amended complaint contained the following material allegations. In September 2012, the Department created a spreadsheet that listed the name, Social Security number, home phone number, email address, and age of over 4,000 Georgians who had applied for unemployment benefits or other services administered by the Department. McConnell was among the Georgians whose personal information was included in the spreadsheet. A year later, a Department employee sent the spreadsheet by email to approximately 1,000 of the Georgians on the list. To protect himself from the resulting risk of identity theft, McConnell enrolled in the “Life Lock” service, which currently costs $19 per month.

In January 2014, McConnell filed this class action, alleging claims, as amended, for negligence in disclosing “personal information” as defined under Georgia law, invasion of privacy (public disclosure of private facts), and breach of fiduciary duty. Under each theory of recovery, McConnell seeks damages, specifically, the fee for membership in Life Lock and other out-of-pocket costs related to credit monitoring and identity protection services, damages resulting from the impact to his credit score from the closing of accounts, and compensation for the continuing fear and anxiety of potential identity theft in the future. He does not allege that an act of identity theft has yet occurred.¹

The Department moved to dismiss McConnell's complaint, arguing, inter alia, pursuant to OCGA § 9–11–12 (b) (6), that the complaint failed to state a claim upon which relief can be granted. The trial court granted the Department's motion to dismiss, finding that each count failed to state a claim upon which relief can be granted.²

1. McConnell contends that the trial court erred in ruling that he failed to state a claim for negligent disclosure of personal information, based, inter alia, on its determination that as a matter of law “there is no legal duty [under Georgia law] to safeguard personal information.”

In order to have a viable negligence action, a plaintiff must satisfy the elements of the tort, namely, the existence of a duty on the part of the defendant, a breach of that duty, causation of the alleged injury, and damages resulting from the alleged breach of the duty. The legal duty is the obligation to conform to a standard of conduct under the law for the protection of others against unreasonable risks of harm. This legal obligation to the complaining party must be found, the observance of which would have averted or avoided the injury or damage; the innocence of the plaintiff is immaterial to the existence of the legal duty on the part of the defendant in that the plaintiff will not be entitled to recover unless the defendant did something that it should not have done, i.e., an action, or failed to do something that it should have done, i.e., an omission, pursuant to the duty owed the plaintiff under the law. The duty can arise either from a valid legislative enactment, that is, by statute, or be imposed by a common law principle recognized in the caselaw. The existence of a legal duty is a question of law for the court.

(Citations and punctuation omitted.) Rasnick v. Krishna Hospital, Inc. , 289 Ga. 565, 566–567, 713 S.E.2d 835 (2011).³

McConnell acknowledges that a duty to safeguard and protect the personal information of another has not been expressly recognized in Georgia caselaw.⁴ McConnell contends that such a common law duty exists nonetheless, citing two statutory sources, OCGA §§ 10–1–393.8 and 10–1–910. In OCGA §§ 10–1–910, the General Assembly set out legislative findings underlying the Georgia Personal Identity Protection Act, OCGA §§ 10–1–910 through 10–1–915 (the “GPIPA”), enacted in 2005.⁵ In the GPIPA, the General Assembly found, inter alia, that “[t]he privacy and financial security of individuals is increasingly at risk, due to the ever more widespread collection of personal information by both the private and public sectors[,]” that “[i]dentity theft is one of the fastest growing crimes committed in this state[,]” and that “[i]dentity theft is costly to the marketplace and to consumers[.]” OCGA § 10–1–910 (1), (3), (6). Because “[v]ictims of identity theft must act quickly to minimize the damage [,] ... expeditious notification of unauthorized acquisition and possible misuse of a person's personal information is imperative.” OCGA § 10–1–910 (7). In line with these findings, the GPIPA requires that affected persons be given certain notice of a data breach.⁶ McConnell contends that in codifying these findings the General Assembly demonstrated its intent to protect citizens from the adverse effects of disclosure of personal information and created a general duty to preserve and protect personal information. Notably, however, the GPIPA proscribes particular conduct only after a (known or suspected) data security breach has occurred. Because the GPIPA does not impose any standard of conduct in implementing and maintaining data security practices, it cannot serve as the source of a statutory duty to safeguard personal information. Wells Fargo Bank, N.A. v. Jenkins , 293 Ga. 162, 165, 744 S.E.2d 686 (2013).⁷

Similarly, we conclude that OCGA § 10–1–393.8, which is part of the Fair Business Practices Act of 1975 (the “FBPA”) as amended,⁸ can not serve as the source of such a statutory duty. That Code section provides that, except as otherwise provided, “a person, firm, or corporation shall not: ... [p]ublicly post or publicly display in any manner an individual's Social Security number.... ‘[P]ublicly post’ or ‘publicly display’ means to intentionally communicate or otherwise make available to the general public [.]” OCGA § 10–1–393.8. As the trial court noted in the appealed order, the FBPA expressly prohibits intentionally communicating a person's Social Security number, while McConnell alleges that the Department negligently disseminated his SSN by failing “to take the necessary precautions required to safeguard and protect the personal information from unauthorized disclosure.” Although the FBPA imposes a standard of conduct to refrain from intentionally and publicly posting or displaying SSNs,⁹ a legal duty to refrain from doing something intentionally is not equivalent to a duty to exercise a degree of care to avoid doing something unintentionally, which falls within the ambit of negligence. The trial court correctly concluded that McConnell's complaint is premised on a duty of care to safeguard personal information that has no source in Georgia statutory law or caselaw and that his complaint therefore failed to state a claim of negligence. Diamond v. Dept. of Transp. , 326 Ga.App. 189, 195–196, 756 S.E.2d 277 (2014).

Given the General Assembly's stated concern about the cost of identity theft to the marketplace and to consumers, as well as the fact that it created certain limited duties with regard to personal information (e.g., the duty to notify affected persons of data breaches and the duty not to intentionally communicate information such as SSNs to the general public), it may seem surprising that our legislature has so far not acted to establish a standard of conduct intended to protect the security of personal information, as some other jurisdictions have done in connection with data protection and data breach notification laws.¹⁰ It is beyond the scope of judicial authority, however, to move from aspirational statements of legislative policy to an affirmative legislative enactment sufficient to create a legal duty.¹¹

2. McConnell contends that the trial court erred in dismissing his breach of fiduciary duty claim for failure to state a claim upon which relief can be granted based on its determination that he had not shown that he had a particular relationship of trust or mutual confidence with the Department. “Establishing a claim for breach of fiduciary duty requires proof of three elements: (1) the existence of a fiduciary duty; (2) breach of that duty; and (3) damage proximately caused by the breach.” (Citation and punctuation omitted.) Wells Fargo Bank, N.A. v. Cook , 332 Ga.App. 834, 842, 775 S.E.2d 199 (2015).

Any relationship shall be deemed confidential, whether arising from nature, created by law, or resulting from contracts, where one party is so situated as to exercise a controlling influence over the will, conduct, and interest of another or where, from a similar relationship of mutual confidence, the law requires the utmost good faith, such as

...