Implications Beyond Georgia

The Georgia Supreme Court is just the latest in a long line of courts that have grappled with the question of whether data breach victims can sue before their data is fraudulently used. The U.S. Supreme Court held in Spokeo v Robins that plaintiffs must demonstrate that an “injury in fact” has occurred, but did not clarify whether “risk of future harm” qualified as an injury.

The U.S. Court of Appeals for the Seventh Circuit said in Lewert v PF Chang’s China Bistro that “all class members should be allowed to show that they spent time and resources tracking down possible fraud, changing automatic charges, and replacing cards as a prophylactic measure.” The U.S. Court of Appeals for the District of Columbia, Third Circuit, Sixth Circuit, and Ninth Circuit have ruled similarly.

The U.S. Court of Appeals for the Fourth Circuit held in Beck v McDonald that plaintiffs “failed to establish a non-speculative, imminent injury-in-fact.” The U.S. Court of Appeals for the Second Circuit, First Circuit and Eighth Circuit have ruled similarly.

How the Georgia Supreme Court decides this case will have broad implications, not just within Georgia, but for data breach victims elsewhere. The plaintiffs argued during oral arguments that, with the increasing number of data breaches, future victims need to know exactly what their legal rights are, if any, and how they can go about protecting those rights.

“By ruling that the plaintiffs have failed to allege a compensable injury, the message delivered thus far in this case has been that data-breach victims in Georgia have no legal rights, regardless of how careless the defendant’s data security practices may have been,” the plaintiffs’ attorneys argued in their brief.

If the victims cannot hold the breached entity accountable, the attorneys argue, nothing changes. “It [Athens Orthopedic] continues to store the plaintiffs’ personally identifiable information on computer systems that employ the same lax security measures that permitted the hacker to access and steal the plaintiffs’ information,” the attorneys said.

From the breached entity’s standpoint, it is difficult to show that a particular data breach is directly responsible for fraudulent charges on a credit card. And ironically, the fact that there are so many data breaches makes it even harder to pinpoint which incident led to the fraud. There may also be an expectation that most people already have some kind of identity theft protection, again because there have been so many breaches already.

The fact that there is confusion on whether data breach victims have to prove actual fraud in order to bring a class-action lawsuit affects enterprise risk assessment and breach response planning, too. Enterprises can’t assess whether they have all the pieces in place to respond effectively in case of a data breach if they can’t properly assess the associated costs of a lawsuit.

The Georgia Supreme Court is expected to return a decision within six months, but it definitely won’t be the final word on the matter. Data breach victims and breached organizations will continue to battle the question in courts for years to come.