In Dept. of Labor v. McConnell, the Georgia Supreme Court affirmed that an individual could not pursue certain state-law claims for negligence, breach of fiduciary duty or invasion of privacy, where the disclosure of personal data was not alleged to have been through a criminal act or have resulted directly in identity theft or unauthorized charges.
The Decision
In Sept. 2012, the Georgia Department of Labor created a spreadsheet containing names, social security numbers and other identifying details of 4,757 individuals who had applied for Department benefits or other services. Almost a year later, a Department employee inadvertently emailed the spreadsheet to approximately 1,000 other applicants, without obtaining permission from Thomas McConnell or any of the other individuals whose personal information was included in the spreadsheet.
McConnell filed suit in 2014, alleging that the Department was subject to suit under Georgia’s Tort Claims Act and therefore was liable for negligence, breach of fiduciary duty, and invasion of privacy. After affirming the Court of Appeals’ holding that the Department was subject to suit under the Georgia Tort Claims Act, the Court first addressed McConnell’s negligence claim. In Georgia as in other states, a private negligence claim must allege the existence of a duty to the plaintiff; a breach of that duty; and an injury to the plaintiff that was a proximate result of the breach.
McConnell claimed that Georgia common law created a general duty “to all the world not to subject [others] to an unreasonable risk of harm”. He also claimed that Georgia’s IDENTITY THEFT § 10-1-910 – Legislative findings and prohibition against public display or posting of an individual’s social security number (OCGA § 10-1-393.8) created an implied duty of care supporting a negligence claim. The Court rejected both claims, first disapproving as precedent the prior decision and language that McConnell cited as creating a legal duty “to all the world.”
The Court then rejected McConnell’s statute-based claims by noting that Georgia’s “Legislative findings” statute “does not explicitly establish any duty, nor does it prohibit or require any conduct at all.” The prohibition against public display or posting of a social security number likewise was held inapplicable, because to “‘publicly post’ or ‘publicly display’ means to intentionally communicate or otherwise make available to the general public.” The complaint alleged only a negligent disclosure, not an intentional one.”
The Court upheld dismissal of McConnell’s claim for breach of fiduciary duty in similar fashion. McConnell alleged that a general “Trustee” clause of the Georgia Constitution created a general fiduciary duty to protect personal information. Alternatively, McConnell claimed that the Department of Labor created a confidential relationship—and therefore a specific fiduciary duty—by requiring McConnell and other applicants to provide personal information in order to receive benefits. The Court rejected the “Trustee clause” argument, holding that it is applied only when a Georgia official obtained or stood to obtain personal benefit from performing official duties.
The Court rejected McConnell’s argument for a specific fiduciary duty by looking to Georgia’s statutory definition of confidential relations: “a relationship in which ‘one party is so situated as to exercise a controlling influence over the will, conduct, and interest of another or where, from a similar relationship of mutual confidence, the law requires the utmost good faith, such as the relationship between partners, principal and agent, etc.'” The Court stated that the “gatekeeper” function of requiring “personal information in order to receive benefits … is common between citizens and government agencies and is insufficient to show a fiduciary relationship.”
The Court then upheld dismissal of McConnell’s claim for invasion of privacy by noting that the basis for the claim, if any, was limited to “public disclosure of embarrassing facts about the plaintiff.” The Court held that disclosure of “name, social security number, home telephone number, email address, and age” do “not normally affect a person’s reputation” and “were not offensive and objectionable.”
Discussion
The Georgia Court of Appeals had noted that “our legislature has so far not acted to establish a standard of conduct intended to protect the security of personal information, as some other jurisdictions have done in connection with data protection and data breach notification laws.” As such, McConnell may be another example of judicial reluctance to make potentially broad policy pronouncements on the limited facts of an individual case.
Indeed, this McConnell decision actually was the Court’s second consideration of the case. In 2018, the Court had remanded the case for the Court of Appeals to decide specifically whether, as a matter of subject-matter jurisdiction, the Georgia Tort Claims Act had waived sovereign immunity as to McConnell’s claims.[1]
McConnell also illustrates judicial reluctance to read statutory language broadly when applying it to a new context. Georgia’s Legislative findings statute did not prescribe a specific obligation or remedy, so the Court declined to imply one. Instead of reading the § 10-1-393.8 prohibition “to intentionally communicate or otherwise make available to the general public [an individual’s social security number]” as intending a disjunctive “or,” the Court read the entire phrase to be predicated upon an intentional disclosure.
Finally, McConnell shows judicial reluctance to extend existing common law remedies where the foreseeability of the proposed extension and extent of case-specific injuries are unclear. The Court seemed to hold that common administrative functions cannot establish a fiduciary relationship based upon “a controlling influence over the will, conduct, and interest of another or where, from a similar relationship of mutual confidence, the law requires the utmost good faith[.]” Similarly, the Court declined to extend Georgia’s existing tort law protection against invasion of privacy for “public disclosure of embarrassing private facts” beyond claims based upon disclosure of “objectionable and offensive matters.”
Practical Points
Courts remain concerned with threshold issues of standing to sue and subject-matter jurisdiction. Additionally, the United States Supreme Court has reinforced territoriality as a principle for deciding where a proceeding may be filed.[2] . Thus, in maintaining a data privacy and security program, priority attention may be given to those jurisdictions where a business is headquartered, or conducts most of its business that involves collection, processing or storage of protected personal information.
Also, courts may look narrowly at existing law to fill apparent gaps for data breach claims. Georgia is not the only jurisdiction to hold that negligent disclosure of personal, benefits-related data does not support an “unreasonable publicity” claim for invasion of privacy, or a breach of fiduciary duty claim.[3]. Courts that have recognized common law rights of action have based them on specific (alleged) facts of the relationship between the parties in the case.[4] Similarly, some courts have affirmed in the data breach context that a person has a general duty to safeguard others from consequences of a risk that the person allegedly has created.[5] Although McConnell disavowed the existence of a duty “to all the world,” the Court specifically noted that “[w]e also do not consider whether a duty might arise on these or other facts from any other statutory or common law source, as no such argument has been made here.”
Finally, activities of and implications for government agencies may be noteworthy. McConnell may have devoted significant attention to sovereign immunity because if waived, the Georgia agency would have been “liable for such torts in the same manner as a private individual or entity would be liable under like circumstances” (subject to statutory exceptions). Applicable government agency practices in data privacy and security therefore may suggest reasonable conduct for private persons in similar circumstances.
[1] Compare, Fed. R. Civ. P. 12(h)(3) (“If the court determines at any time that it lacks subject-matter jurisdiction, the court must dismiss the action”); Frank v. Gaos, 586 U.S. __, 139 S.Ct. 1041 (3/20/2019) (where “Google moved to dismiss for lack of standing three times,” the Court remanded for another round to resolve “a wide variety of legal and factual issues not addressed in the merits briefing before us or at oral argument”). “We have an obligation to assure ourselves of litigants’ standing under Article III.” Id.
[2] See Bristol-Myers Squibb Co. v. Superior Court of California, 582 U.S. __, 137 S.Ct. 1773 (2017) (non-resident plaintiffs failed to show personal jurisdiction for state court to adjudicate product liability claims with those of resident plaintiffs) (“For general jurisdiction, the ’paradigm forum’ is an ‘individual’s domicile,’ or, for corporations, ‘an equivalent place, one in which the corporation is fairly regarded as at home.’”)
[3] McKenzie v. Allconnect, Inc., 369 F. Supp.3d 810 (E.D. Ky. 3/28/2019).
[4] See also, Anderson v. Hannaford Bros. Co., 659 F.3d 151 (1st Cir. 2011); In re Arby’s Rest. Grp. Inc. Litig., No. 1:17-cv-0514-AT, 2018 WL 2128441 (N.D. Ga. 3/5/2018); Castillo v. Seagate Tech., LLC, No. 16-cv-01958-RS, 2016 WL 9280242 (N.D. Cal. 9/14/2016); (all recognizing “an implied contract to protect the personal information … in data breach situations”).
[5] Dittman v. UPMC, 196 A.3d 1036, 1046-47 (Pa. 2018).