Ga. Supreme Court Reinstates Data Breach Lawsuit Against Athens Clinic

Not all personal injury claims involve physical acts. For example, if someone steals your private data, that can provide the basis for a personal injury lawsuit. Courts throughout the country have struggled, however, to define the precise threshold when a “legally cognizable” injury occurs. Does someone actually need to use the data obtained via hacking or other illicit means before you can bring a claim? Or does the mere fact that theft has occurred allow you to sue the person whom you trusted to keep the data secure in the first place?

Collins v. Athens Orthopedic Clinic, PA

A recent decision from the Supreme Court of Georgia, Collins v. Athens Orthopedic Clinic, PA, attempts to provide some answers to these questions. This case involves a June 2016 data breach in which an unknown attacker “stole the personally identifiable information, including Social Security numbers, addresses, birth dates, and health insurance details, of at least 200,000 current and former patients” of the defendant, an Athens-based healthcare provider. A number of patients whose data was compromised by this breach subsequently filed a lawsuit in Georgia state court, alleging the defendant refused to meet the attacker’s ransom demand, and as a result the hacker put “some of the stolen personal data” up for sale.

The plaintiffs sought to certify a class action on behalf of themselves and all other victims of the data breach. The complaint explained that the named plaintiffs had already been forced to take several actions in response to the breach, such as placing a “fraud or credit alert” on their credit reports, and in some cases dealing with actual fraudulent charges to their credit cards. The complaint went on to allege that even class members who “have not yet experienced identity theft or are not yet aware of it nevertheless face the imminent and substantial risk of future injury.”

Both the trial judge and later the Georgia Court of Appeals dismissed the complaint, holding that the plaintiffs failed to present a plausible claim for negligence under state law. The mere fact that some plaintiffs had taken steps to protect their credit after the breach was not, in the lower courts’ views, sufficient proof of a “legally cognizable” injury.

The Supreme Court disagreed. It held that at this stage of the litigation (a defense motion to dismiss the complaint before the case could even proceed to discovery) the plaintiffs had sufficiently alleged a legal injury. Specifically, the plaintiffs alleged that “criminals are now able to assume their identities fraudulently and that the risk of such identity theft is ‘imminent and substantial.’” This was more than mere speculation. Rather, it was a “factual allegation about the likelihood that any given class member will have her identity stolen as a result of the data breach.” The Supreme Court went on to note that this type of data breach, where criminal attackers obtained the information for the express purpose of making money, was different from a situation where personal information was simply “exposed” without direct proof the data had “actually fallen into criminal hands.”