Opinion
A18A0296
06-27-2018
COLLINS et al. v. ATHENS ORTHOPEDIC CLINIC.
David Andrew Bain, for Appellants. Chivilis Cochran Larkins & Bever, John Durand Dalbey, Atlanta, for Appellee.
David Andrew Bain, for Appellants.
Chivilis Cochran Larkins & Bever, John Durand Dalbey, Atlanta, for Appellee.
Ray, Judge.
After an anonymous hacker known as the "Dark Overlord" stole the personally identifiable information ("PII") of approximately 200,000 current and former Athens Orthopedic Clinic ("AOC") patients, Christine Collins, Paulette Moreland, and Kathryn Strickland (collectively, the "Plaintiffs") filed a putative class action. The trial court granted AOC's motion to dismiss, and Plaintiffs appealed, arguing that the trial court erred by implicitly finding that they failed to state a claim and lacked standing under Article III of the United States Constitution; and by relying on facts outside the four corners of the complaint. We affirm.
We review the grant of a motion to dismiss de novo, construing the factual allegations of the complaint in the light most favorable to the plaintiff. Radio Perry v. Cox Communications, Inc. , 323 Ga. App. 604, 605 (1), 746 S.E.2d 670 (2013). The complaint should be dismissed only if its allegations demonstrate with certainty that the claimants "would not be entitled to relief under any state of provable facts asserted in support thereof; and ... the movant establishes that the claimant could not possibly introduce evidence within the framework of the complaint sufficient to warrant a grant of the relief sought." (Citation and punctuation omitted.) Id.
Plaintiffs allege that the hack took place and was discovered by AOC in June 2016, and that AOC notified them of the breach in August 2016. The Dark Overlord apparently gained access to the PII database by using a third-party vendor's log-in credentials, and when AOC refused to pay a ransom for the information, the Dark Overlord offered some of it for sale on the "Dark Web," and made some of it at least temporarily available on Pastebin, a data-storage website designed to facilitate the sharing of large amounts of data online.
The "Dark Web" refers broadly to the part of the World Wide Web that is only accessible by special software, allowing users to remain anonymous. See "Dark web" Wikipedia, https://en.wikipedia.org/wiki/Dark_web (accessed May 7, 2018).
Plaintiffs allege that the data breach exposes them to the threat of identity theft and other harm. All three Plaintiffs were notified that their information had been compromised and spent time placing fraud or credit alerts on their credit reports. Only Collins had fraudulent charges made on her credit card and spent time getting them reversed. On January 20, 2017, Plaintiffs filed a putative class action alleging violation of the Georgia Uniform Deceptive Trade Practices Act ( OCGA § 10-1-370 et seq. ), breach of implied contract, unjust enrichment, and negligence. Plaintiffs also seek a declaratory judgment and attorney fees. They seek reimbursement for costs incurred and future costs to be incurred for the purchase of credit monitoring and identity theft protection, or the placing of credit freezes on their accounts, as well as injunctive relief.
We note that Collins does not allege within the complaint that the fraudulent charges were related to the data breach.
On June 26, 2017, the trial court granted AOC's motion to dismiss. The order states, in its entirety:
Before the Court is Defendant [AOC's] motion to dismiss pursuant to OCGA § 9-11-12, which Motion having come on for a hearing on June 14, 2017. Having considered the oral arguments of counsel, the briefs of Plaintiffs and Defendant and all pleadings, but having considered no matters outside the pleadings, it is hereby ORDERED that the Motion to Dismiss is GRANTED.
1. Plaintiffs argue that the trial court erred in considering matters outside the complaint. They point, inter alia, to questions the trial court asked during the hearing on the motion to dismiss. Where matters outside the pleadings are presented, "a further determination has to be made as to whether the trial court excluded them. If the trial court excluded such matters, then the motion is for dismissal. If the trial court considered such matters, then the motion is for summary judgment." (Citation omitted.) Thompson v. Avion Systems, Inc ., 284 Ga. 15, 16-17, 663 S.E.2d 236 (2008). Here, the trial court's order expressly stated that it "considered no matters outside the pleadings[.]" We find no error.
2. Plaintiffs argue, generally, that the trial court erred in dismissing their complaint by implicitly finding that they failed to state a claim and lacked standing under Article III.
(a) Negligence claim . To state a cause of action for negligence in Georgia, the Plaintiffs must show:
(1) A legal duty to conform to a standard of conduct raised by the law for the protection of others against unreasonable risks of harm; (2) a breach of this standard; (3) a legally attributable causal connection between the conduct and the resulting injury; and, (4) some loss or damage flowing to the plaintiff's legally protected interest as a result of the alleged breach of the legal duty ... It is well-established Georgia law that before an action for a tort will lie, the plaintiff must
show he sustained injury or damage as a result of the negligent act or omission to act in some duty owed to him.
(Citation and punctuation omitted.) Whitehead v. Cuffie , 185 Ga. App. 351, 352-353 (2), 364 S.E.2d 87 (1987). The complaint alleges that
[a]s a direct and proximate result of [AOC's] negligence, Plaintiffs and other Class Members have suffered, or will suffer, damages, including the cost of identity theft protection and/or credit monitoring services and the costs associated with placing and maintaining a credit freeze on their accounts over the course of a lifetime.
While we never have addressed directly whether prophylactic costs anticipated or incurred to protect oneself against the threat of identity theft following a data breach constitute "loss or damage" pursuant to Whitehead , supra, some Georgia cases offer guidance.
In Finnerty v. State Bank and Trust Co. , 301 Ga. App. 569, 687 S.E.2d 842 (2009), disapproved on other grounds by Cumberland Contractors, Inc. v. State Bank and Trust Co. , 327 Ga. App. 121, 125 (2), n. 4, 755 S.E.2d 511 (2014), Finnerty, a signatory on a promissory note, counterclaimed against a bank suing him for default. He alleged invasion of privacy and negligence because the bank disclosed his Social Security number in the complaint. Id. at 569, 687 S.E.2d 842. Finnerty argued that he "suffered ‘an increased risk of identity theft’ " and that " ‘non-authorized third parties have access to the otherwise confidential personal information[.]’ " Id. at 572 (4), 687 S.E.2d 842. We affirmed the trial court's grant of summary judgment to the bank, finding that "[a] fear of future damages is too speculative to form the basis for recovery." Id. This Court found that Finnerty "failed to demonstrate that the [b]ank's purported unlawful disclosure made it ‘probable’ that he would suffer any identity theft or that any specific persons actually have accessed his confidential personal information[.]" Id.
The instant case differs in that Plaintiffs alleged that the "Dark Overlord" had accessed their PII, offered to sell it on the Dark Web, and placed it, at least temporarily, on Pastebin. However, as OCGA § 51-12-8 provides, "[i]f the damage incurred by the plaintiff is only the ... possible result of a tortious act ... such damage is too remote to be the basis of recovery against the wrongdoer." See generally Rite Aid of Ga. v. Peacock , 315 Ga. App. 573, 576 (1) (a) (i), 726 S.E.2d 577 (2012) (in appeal of case alleging, inter alia, breach of contract and unjust enrichment, this Court pretermitted whether the sale of the plaintiff's personal medication information was illegal and reversed class certification, finding a lack of commonality in that "although [plaintiff] felt that the sale of his prescription information to Walgreens was illegal, he could not say that he had suffered any actual financial or physical injury ....)" (punctuation omitted; emphasis in original).
While Finnerty and Rite Aid are factually and procedurally distinct from the present case in that they did not involve motions to dismiss and did not feature theft of PII, they nonetheless suggest that the fact of compromised data is not a compensable injury by itself in the absence of some "loss or damage flowing to the plaintiff's legally protected interest as a result of the alleged breach of the legal duty[.]" (Citation and punctuation omitted.) Whitehead , supra at 352 (2), 364 S.E.2d 87 .
Further, the instant factual scenario finds a fitting analogue in the context of other torts. In Boyd v. Orkin Exterminating Co. , 191 Ga. App. 38, 40-41 (1), (2), 381 S.E.2d 295 (1989), overruled on other grounds by Hanna v. McWilliams , 213 Ga. App. 648, 651 (2) (b), 446 S.E.2d 741 (1994), the plaintiffs sued Orkin for the negligent application of insecticide in their home. The trial court found that the plaintiffs’ children's claims were barred to the extent that they sought damages for the "increased risk of cancer" to which they had been exposed. In affirming the grant of summary judgment, we explained:
Even assuming arguendo that there was sufficient evidence before the jury to support a finding that Orkin had been negligent in its application of pesticides to the Boyds’ home, there was no evidence that the appellants had sustained any specific injury.... The results of organ function tests conducted on the children were all within normal range.... [Further,] [w ]e reject the appellants’ contention that the jury could have assessed damages against Orkin based on expert testimony that the presence of elevated levels of the heptachlor metabolite in the children's blood itself constituted "injury." Absent any indication that the presence of these metabolites had caused or would eventually cause actual disease, pain, or impairment of some kind , this testimony must be considered insufficient to support an award of actual damages in any amount.
(Punctuation omitted; emphasis supplied.) Id. at 40 (1), 381 S.E.2d 295. In both Boyd and the case before us, the defendant's alleged negligence exposed Plaintiffs to a risk of harm which may or may not occur, be it disease in Boyd or identity theft in the instant action. What is crucial to our analysis is whether the data theft, as Boyd provides, "had caused or would eventually cause" injury. With regard to the increased risk of harm, we found that the trial court did not err in granting partial summary judgment to Orkin
See generally Pisciotta v. Old Nat. Bancorp. , 499 F.3d 629, 634 (II) (A), 638-640 (II) (B) (2), (3) (7th Cir. 2007) (finding data breach plaintiffs had Article III standing but failed to state a claim because, based on toxic tort and medical monitoring cases, Indiana law did not consider exposure to identity theft and costs of protective measures compensable injury).
on the issue of the appellants’ right to recover for the alleged "increased risk of cancer" to which the children had been exposed as a result of the termite treatments. In those jurisdictions which have allowed recovery for an enhanced future risk of developing a new complication, the claimant has been required to establish a "reasonable medical certainty" that such consequences will occur .... The evidence in the present case falls far short of that standard. The appellants merely produced medical testimony that the children would require monitoring in the future to determine whether they developed health problems due to their exposure to the chemicals.
(Emphasis supplied.) Boyd , supra at 40-41 (2), 381 S.E.2d 295. See also Crawford W. Long Memorial Hosp. v. Hardeman , 84 Ga. App. 306, 306–307 (2), 66 S.E.2d 67 (1951) (in negligence action, plaintiff's allegations regarding future medical expenses likely to be incurred by his wife were too speculative, absent itemization and substantiating facts). Compare In re Arby's Restaurant Group Inc. Litig. , 1:17-mi-55555-AT at 27, 2018 WL 2128441 (N.D. Ga. 2018) (finding that a complaint survived a motion to dismiss where, although "a plaintiff may not recover for injuries that are purely speculative, such as the potential risk of future identity theft , Plaintiffs’ Complaint alleges costs associated with actual data theft ") (footnote omitted; emphasis supplied). Id. See generally Resnick v. AvMed, Inc ., 693 F.3d 1317, 1321-1324 (I)-(II), (V) (A) (11th Cir. 2012) (finding, pursuant to Florida law, that plaintiffs successfully stated a claim for, inter alia, negligence and breach of contract following the theft of company laptops containing their personal information, where they alleged "financial injury" as victims of identity theft and showed that, variously, third parties had opened bank accounts, changed a home address with the United States Postal Service, and activated credit cards, made purchases in one plaintiff's name, and opened and overdrawn an E*Trade account in another plaintiff's name).
Other than decisions of the United States Supreme Court, we are not, of course, bound by federal law, though it is instructive.
Again, Plaintiffs allege that their information has been compromised and that they have spent time placing fraud or credit alerts on their accounts and "anticipate" spending more time on these activities. Plaintiffs claim damages, specifying only the cost of identity theft protection, credit monitoring, and credit freezes to be maintained "over the course of a lifetime." While credit monitoring and other precautionary measures are undoubtedly prudent, we find that they are not recoverable damages on the facts before us because Plaintiffs seek only to recover for an increased risk of harm. See generally Parker v. Brush Wellman, Inc. , 230 Fed. Appx. 878, 883 (III) (A) (11th Cir. 2007) ("Plaintiffs have failed to point us to any Georgia authority that allows recovery of medical monitoring costs in the absence of a current physical injury, and Boyd [, supra,] suggests that Georgia would not recognize such a claim"). We find that, as in the context of medical monitoring in toxic tort cases, prophylactic measures such as credit monitoring and identity theft protection and their associated costs, which are designed to ward off exposure to future, speculative harm, are insufficient to state a cognizable claim under Georgia law. See Common Cause/Georgia v. Campbell , 268 Ga. App. 599, 600 (1), 602–603 (2), 602 S.E.2d 333 (2004) (where defendant argued that plaintiff lacked standing and failed to state a claim, this Court upheld motion to dismiss because relief sought was not legally cognizable).
As previously set forth, although one Plaintiff alleges she also spent time getting fraudulent charges reversed, she does not allege that the charges were related to or caused by the data breach. See generally Resnick , supra at 1330-1332 (Pryor, J., dissenting) (discussion of view that plaintiffs failed to state a claim where complaint did not allege plausible basis for finding that defendant caused plaintiffs to suffer identity theft).
(b) Breach of implied contract claim . Plaintiffs also argue that the trial court erred in dismissing their claim for breach of implied contract, arguing that they provided their PII to AOC as a required part of receiving care from AOC, and that, in return, AOC promised to safeguard their PII and timely notify them if it was compromised.
AOC contends that there can be no implied contract because an express contract exists between AOC and its patients.
For the reasons outlined in Division 2 (a), in that Plaintiffs have not alleged a legally cognizable claim, their claim for breach of implied contract also must fail. "The elements for a breach of contract claim in Georgia are the (1) breach and the (2) resultant damages (3) to the party who has the right to complain about the contract being broken." (Citation and punctuation omitted.) Roberts v. JP Morgan Chase Bank, Nat. Assoc. , 342 Ga. App. 73, 76 (1), 802 S.E.2d 880 (2017). As outlined above, the harms alleged in the complaint are too speculative under our law to constitute "damages" and the Plaintiffs seek a prophylactic recovery, for which our law does not provide.
Plaintiffs argue that costs such as identity theft protection, credit monitoring, and costs associated with a credit freeze are "classic measures of consequential damages" because they are incurred to mitigate "foreseeable" damages. However, mitigation damages lessen the severity of an injury that already has taken place; if no injury occurred, there is no legally cognizable harm to mitigate. See OCGA § 13-6-5 ("[w]here by a breach of contract a party is injured , he is bound to lessen the damages as far as is practicable ...") (emphasis supplied). See generally Lyon v. Schramm , 291 Ga. App. 48, 52, 661 S.E.2d 178 (2008) (absent injury, there is no duty to mitigate). Thus, since Plaintiffs here have not yet suffered a compensable injury, the costs they reference are prophylactic and may not be recovered as consequential damages.
(c) Declaratory judgment claim . Plaintiffs argue on appeal that the trial court erred in dismissing their declaratory judgment claim. In their complaint, Plaintiffs sought a declaration that AOC is not in compliance with its "existing obligations, and that [AOC] must implement specific additional, prudent security practices" and "provide credit monitoring and identity theft protection" to Plaintiffs.
As an initial matter, Plaintiffs cite to no Georgia authority requiring AOC to provide them with credit monitoring or identity theft protection at this juncture, nor do we discern any. Further, although Plaintiffs contend that they "need court guidance to protect them from the uncertainty of AOC's inability to safeguard their PII[,]" the pleadings do not actually show any uncertainty which a declaration by a court would resolve.
[A] declaratory judgment may not be granted in the absence of a justiciable controversy. The plaintiff must show facts or circumstances whereby it is in a position of uncertainty or insecurity because of a dispute and of having to take some future action which is properly incident to its alleged right, and which future action without direction from the court might reasonably jeopardize its interest.
(Citation and punctuation omitted.) Effingham County Bd. of Com'rs v. Effingham County Indus. Dev. Auth. , 286 Ga. App. 748, 749, 650 S.E.2d 274 (2007). "[W]hen a party seeking declaratory judgment does not show it is in a position of uncertainty as to an alleged right, dismissal of the declaratory judgment action is proper." (Citations and punctuation omitted.) SAWS at Seven Hills, LLC v. Forestar Realty, Inc. , 342 Ga. App. 780, 783 (1), 805 S.E.2d 270 (2017). Here, Plaintiffs already have taken measures to protect themselves from negligent data security by placing alerts on their credit reports. Plaintiffs "need[ ] no direction" to do so. Effingham County Bd. of Com'rs , supra at 750, 650 S.E.2d 274 (declaratory judgment improper where declaration sought addressed things that already had occurred). A declaration would do nothing to clarify Plaintiffs’ rights or their relationship with AOC, and dismissal was proper.
To the extent that Plaintiffs argue that the "uncertainity" is whether AOC should protect their confidential financial information, such argument is a non-starter. As far as we can tell, that AOC must protect this information is not a contested point, only whether AOC failed to do so and whether Plaintiffs have suffered any damages therefrom.
(d) Claims under the Georgia Uniform Deceptive Trade Practices Act . Next, Plaintiffs argue that the trial court erred in dismissing their claims under the Georgia Uniform Deceptive Trade Practices Act ("the UDTPA"), OCGA § 10-1-370 et seq. We disagree.
A person likely to be damaged by a deceptive trade practice of another may be granted an injunction against it under the principles of equity and on terms that the court considers reasonable. Proof of monetary damage, loss of profits, or intent to deceive is not required....
OCGA § 10-1-373 (a). See generally OCGA § 10-1-372. Without clearly indicating what injunctive relief they seek, Plaintiffs argue that AOC engaged in, inter alia, unfair and deceptive trade practices by failing to provide reasonable and adequate security for their data, that AOC knew or should have known its data security was inadequate and its omissions regarding its ability to provide such security "was an act likely to mislead" Plaintiffs, that the data breach left AOC's systems "even more vulnerable to future unauthorized action," and that Plaintiffs "will suffer damages in the future" including the cost of identity theft protection and credit monitoring.
The UDTPA offers only injunctive relief where the plaintiff has established a likelihood of damage. See generally Moore-Davis Motors, Inc. v. Joyner , 252 Ga. App. 617, 619 (3), 556 S.E.2d 137 (2001). The UDTPA does not address past harm. Catrett v. Landmark Dodge, Inc ., 253 Ga. App. 639, 644 (3), 560 S.E.2d 101 (2002). To state a claim and to establish standing under the UDTPA, Plaintiffs must allege that they are likely to be damaged in the future by an unfair trade practice. See OCGA § 10-1-373 (a). Friedlander v. HMS-Pep Products, Inc. , 226 Ga. App. 123, 124-125 (1) (a), 485 S.E.2d 240 (1997) (To establish standing under the UDTPA, plaintiff must show a likelihood of future damage.). Accord Iler Group, Inc. v. Discrete Wireless, Inc ., 90 F.Supp.3d 1329, 1342 (III) (B) (1) (N. D. Ga. 2015) (discussing statutory standing under the UDTPA). See also Bolinger v. First Multiple Listing Svc., Inc. , 838 F.Supp.2d 1340, 1365 (V) (B) (N. D. Ga. 2012) (discussing statement of claim under UDTPA).
Plaintiffs do not allege any future, nonspeculative harm which an injunction would remedy. It is impossible to say whether the Dark Overlord or anyone else with access to the stolen data actually will use that data. To receive relief, "[a]t the very minimum, [Plaintiffs] must show some causal connection between something [AOC] has done and [their] own non-speculative damages[.]" (Emphasis supplied.) Friedlander , supra at 125 (1) (a), 485 S.E.2d 240 (plaintiff failed to show likelihood of damage by competitors’ weight loss products where plaintiff had not yet marketed his own weight loss product). The trial court did not err.
Indeed, given that the data has already been exposed to the Dark Overlord, we are unable to determine how the injunction would provide any benefit to the Plaintiffs, or even what it would enjoin.
(e) Unjust enrichment claim . Plaintiffs argue that the trial court erred in dismissing their claim for unjust enrichment. Plaintiffs’ claim for unjust enrichment is predicated upon AOC's alleged failure to provide reasonable security for their data and its "fail[ure] to disclose" to Plaintiffs that "its computer systems and security practices were inadequate to protect their PII against theft."
In this claim, Plaintiffs again seek "free" credit monitoring and identity theft protection, and "restitution" of payments they may have made for such services. See Zampatti v. Tradebank Intl. Franchising Corp ., 235 Ga. App. 333, 340 (5), 508 S.E.2d 750 (1998) ("benefit is measured from the standpoint of the [defendant] upon whom such benefits were conferred ... and not upon the cost [to the plaintiff] to render the service or cost of the goods").
Unjust enrichment is an equitable concept and applies when as a matter of fact there is no legal contract, but when the party sought to be charged has been conferred a benefit by the party contending an unjust enrichment which the benefitted party equitably ought to return or compensate for. A claim for unjust enrichment is not a tort, but an alternative theory of recovery if a contract claim fails.
(Citations and punctuation omitted.) Wachovia Ins. Svcs., Inc. v. Fallon , 299 Ga. App. 440, 449 (6), 682 S.E.2d 657 (2009). Here, Plaintiffs "did not plead unjust enrichment as an alternate theory of recovery based on a failed contract. Thus, [their] claim for such relief cannot succeed." Cash v. LG Electronics, Inc ., 342 Ga. App. 735, 742 (2), 804 S.E.2d 713 (2017).
Plaintiffs’ unjust enrichment claim is somewhat different in structure from that outlined by our statute. OCGA § 9-2-7 provides, "Ordinarily, when one renders a service or transfers property which is valuable to another, which the latter accepts, a promise is implied to pay the reasonable value thereof." Here, Plaintiffs essentially argue that they paid money for medical care, to which personal data security was an incidental, yet included, term of such contract.
(f) Attorney fees . Plaintiffs argue that the trial court erred in dismissing their claim for attorney fees under OCGA § 13-6-11. However, attorney fees and litigation expenses under OCGA § 13-6-11 are "ancillary and recoverable only where other elements of damage are recoverable on the underlying claim[s]." (Citation and punctuation omitted.) Sparra v. Deutsche Bank Nat. Trust Co. , 336 Ga. App. 418, 423 (1) (f), 785 S.E.2d 78 (2016). Because of our decision in Division 2 (a)-(e), this claim does not survive.
Judgment affirmed.
Rickman, J., concurs. McFadden, P. J., concurs in Division 1 and dissents in Division 2.*
* DIVISION 2 OF THIS OPINION IS PHYSICAL PRECEDENT ONLY. SEE COURT OF APPEALS RULE 33.2 (a).
McFadden, Presiding Judge, concurring in part and dissenting in part.
Athens Orthopedic Clinic filed a two-part motion to dismiss: it moved to dismiss the entire complaint under OCGA § 9-11-12 (b) (1) due to lack of subject-matter jurisdiction because of the plaintiffs’ alleged lack of standing, and it moved to dismiss each claim for relief under OCGA § 9-11-12 (b) (6) due to the failure to state a claim. I would reverse the trial court's order granting the motion to dismiss because the plaintiffs have alleged facts sufficient to establish their standing. I would remand the case for further proceedings. So I dissent to Division 2 of the majority opinion. I concur in Division 1 because I agree with the majority that the plaintiffs failed to demonstrate that the trial court considered matters outside the complaint, given the trial court's explicit statement otherwise.
1. Standing is jurisdictional and should be addressed at the outset.
The majority does not address the issue of standing, instead implicitly pretermitting the issue and affirming the order of dismissal on the ground that the plaintiffs fail to state any claims. But standing "is jurisdictional and must be assessed before reaching the merits." Byrd v. United States , ––– U.S. ––––, –––– (IV), 138 S.Ct. 1518, 1530, 200 L.Ed.2d 805 (2018). "Jurisdiction of a court to afford the relief sought is a matter which should be decided preliminarily, at the outset. Jurisdiction either exists or does not exist without regard to the merit of the case." Whitlock v. Barrett , 158 Ga. App. 100, 103, 279 S.E.2d 244 (1981). See also Ruhrgas Ag v. Marathon Oil Co. , 526 U.S. 574, 577, 119 S.Ct. 1563, 143 L.Ed.2d 760 (1999) (federal courts may not pretermit the issue of jurisdiction even where the merits question is more readily resolved and the prevailing party on the merits would be the same as the prevailing party were jurisdiction denied).
Standing requires, among other things, that the plaintiffs have suffered an "injury in fact." Lujan v. Defenders of Wildlife , 504 U.S. 555, 560 (II), 112 S.Ct. 2130, 119 L.Ed.2d 351 (1992) (punctuation omitted). And injury in fact is necessary for any cause of action the plaintiffs might claim, so an analysis of the standing issue is logically precedent to an analysis of the plaintiffs’ particular causes of action. Accordingly I would address the issue of standing.
The trial court did not specify whether he was granting the motion to dismiss under OCGA § 9-11-12 (b) (1) or (b) (6). Such a specification is important. For one thing, dismissals under OCGA § 9-11-12 (b) (1) are without prejudice, Pinnacle Benning, LLC v. Clark Realty Capital, LLC , 314 Ga. App. 609, 618 (2) (a), 724 S.E.2d 894 (2012), while dismissals under OCGA § 9-11-12 (b) (6) are on the merits and with prejudice. Jordan, Jones & Goulding v. Balfour Beatty Constr ., 246 Ga. App. 93, 93 (1), 539 S.E.2d 828 (2000). See also OCGA § 9-11-41 (b).
2. The merits of the standing issue.
This case presents an issue of first impression for our court. Neither we, the Georgia Supreme Court, nor the Eleventh Circuit has decided whether a data breach, with little more, amounts to an injury in fact for purposes of standing. See Resnick v. AvMed , 693 F.3d 1317, 1323 (III) n. 1 (11th Cir. 2012) ("Some of our sister Circuits have found that even the threat of future identity theft is sufficient to confer standing in similar circumstances. As Plaintiffs have alleged only actual—not speculative—identity theft, we need not address the issue of whether speculative identity theft would be sufficient to confer standing.") (citations omitted). But the federal courts have uniformly applied a rule that a substantial risk of future harm is sufficient to show an injury in fact for purposes of standing. And applying that rule here, leads to the conclusion that the plaintiffs have standing.
"[I]n the absence of our own authority we frequently have looked to United States Supreme Court precedent concerning Article III [ (U. S. Const., Art. III, § 2) ] standing to resolve issues of standing to bring a claim in Georgia's courts." Center for a Sustainable Coast v. Turner , 324 Ga. App. 762, 764, 751 S.E.2d 555 (2013) (citation and punctuation omitted). Under that authority, the United States Supreme Court has held, "[a]n injury sufficient to satisfy Article III must be concrete and particularized and actual or imminent, not conjectural or hypothetical[, but a]n allegation of future injury may suffice if the threatened injury is certainly impending, or there is a substantial risk that the harm will occur." Susan B. Anthony List v. Driehaus , 573 U.S. 149, –––– (III) (A), 134 S.Ct. 2334, 2341, 189 L.Ed.2d 246 (2014) (citations and punctuation omitted; emphasis supplied). And the United States Circuit Courts of Appeal have, of course, uniformly applied that rule. See, e.g., Klayman v. President of the United States , 689 F. Appx. 921, 923 (11th Cir. 2017) ("An allegation of future injury may suffice if the threatened injury is substantially certain to occur."); Reddy v. Foster , 845 F.3d 493, 500 (II) (A) (1st Cir. 2017) ; Kenny v. Wilson , 885 F.3d 280, 287 (II) (4th Cir. 2018). See also Parker v. Leeuwenburg , 300 Ga. 789, 796 (2), 797 S.E.2d 908 (2017) (Peterson, J., dissenting) ("Evidence of future injury may suffice to constitute an injury in fact if the threatened injury is certainly impending, or there is a substantial risk that the harm will occur .") (citation and punctuation omitted; emphasis supplied). We should follow the rule uniformly adopted by the federal courts. Applying the rule here leads to the conclusion that the plaintiffs have standing.
The plaintiffs allege that due to the hackers obtaining their personal information, there is an "imminent threat that their personal information will be used to their detriment." They allege that the FBI had warned that health care systems were at risk of hacking because of "a higher financial payout for medical records in the black market," implying that such information is at risk of being offered for sale. They allege that their personally identifiable information, including insurance policy identification numbers, home addresses, dates of birth, ages, phone numbers, email addresses, and social security numbers, was offered for sale, and some of the information was posted to a public file-sharing storage website that facilitates the sharing of online data. The plaintiffs allege that they and other potential class members "face the imminent and substantial risk of future injury." One of the named plaintiffs already had fraudulent charges made using her credit card.
I would not indulge these thieves by using the comically grandiose name they have given themselves. They are common criminals, and we should not glamorize them.
The plaintiffs’ allegations of future injury show a substantial risk that harm will occur. The allegations thus suffice to establish standing. Compare Ree v. Zappos.com , 888 F.3d 1020 (9th Cir. 2018) (customers whose personal identifying information, including names, account numbers, passwords, email addresses, billing and shipping addresses, telephone numbers, and credit and debit card information, was allegedly stolen by hackers, but who did not allege that the information had been used to conduct financial transactions, had Article III standing to bring class action based on a substantial risk that the hackers would commit identity fraud or identity theft); Attias v. Carefirst , 865 F.3d 620, 629 (III) (D.C. Cir. 2017), cert. denied ("[n]o long sequence of uncertain contingencies involving multiple independent actors has to occur before the plaintiffs [who were victims of a data breach] will suffer any harm; a substantial risk of harm exists already, simply by virtue of the hack and the nature of the data that the plaintiffs allege was taken"); Galaria v. Nationwide Mut. Ins. Co. , 663 F. Appx. 384, 388 (II) (A) (6th Cir. 2016) (plaintiffs, whose personal information was stolen when defendant's network was hacked, adequately alleged Article III standing because they alleged that the theft of their personal data placed them at a continuing, increased risk of fraud and identity theft, that their injuries were fairly traceable to defendant's conduct, and a favorable verdict would provide redress); Remijas v. Neiman Marcus Group, LLC , 794 F.3d 688, 693 (II) (A) (7th Cir. 2015) ("Why else would hackers break into a store's database and steal consumers’ private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers’ identities.") with Katz v. Pershing, LLC , 672 F.3d 64, 80 (II) (C) (2) (1st Cir. 2012) (plaintiff's increased risk of unauthorized access and identity theft theory insufficient to constitute "actual or impending injury" because plaintiff failed to "identify any incident in which her data has ever been accessed by an unauthorized person"); and Reilly v. Ceridian Corp ., 664 F.3d 38, 42 (III) (B) (3d Cir. 2011) (allegations of possible future injury insufficient to satisfy standing requirements).
Because I would find that the plaintiffs established standing by alleging an injury in fact, I would reverse the trial court. I would remand the case for the trial court to reconsider Athens Orthopedic Clinic's OCGA § 9–11–12 (b) (6) motion in light of this finding.