The Supreme Court of Georgia will consider whether a data breach victim must suffer actual financial loss before he or she can sue for damages.
In June 2016, Athens, Georgia-based Athens Orthopedic Clinic suffered a data breach. A cyber attacker by the name “Dark Overlord” hacked into its database. The attacker was able to steal the names, addresses, dates of birth, telephone numbers, Social Security numbers, and health insurance details of 200,000 current and former patients. Athens Orthopedic advised its clients to place fraud alerts on their credit accounts but did not provide identity theft monitoring services.
When a data breach happens, the individuals who have had their information stolen are vulnerable to fraud and identity theft. There is little that the victims can do aside from buying identity theft protection, freezing their credit, and monitoring their credit.
But what about the organizations that allowed the individual’s data to be stolen? Should they be held responsible? Some victims have joined together in class-action lawsuits and sued these organizations for negligence.
Some U.S. District Courts have allowed data breach lawsuits against Home Depot, Target, Anthem, and Equifax to proceed. Other courts have dismissed similar lawsuits because the victims could not show that they had been harmed by that particular breach.
Up until now, courts in Georgia have ruled that victims cannot recover damages if they could not show injury. Now, the Supreme Court of Georgia will address this question.
Three of the identity theft victims sued Athens Orthopedic for negligence and breach of implied contract. They wanted compensation for the fees already paid, and future fees, for credit monitoring and identity theft protection services.
The court dismissed the lawsuit in June 2017, and the Georgia Court of Appeals ruled 2-1 that “costs of prophylactic measures” were “not recoverable damages.”
On August 20, 2019, the Georgia Supreme Court heard oral arguments on this issue. The court is expected to return a decision within six months.
With data breach being so prevalent, it would seem prudent to go back to the old system that cannot be breached, or a very limited ability to be breached, which is the old, reliable paper charting system. If any company can be breached, eg, Equifax, who their claim to fame is protection of our data, then anyone can be breached. It’s just a matter of time for any business connected to the Internet to be breached.