Georgia Supreme Court: Are data breach victims entitled to damages?

State’s highest court considers precedent-setting case
Some patient records obtained in a hack of Athens Orthopedic Clinic may be for sale online. (Credit: Athens Banner-Herald)

In the spring of 2016, a cyber thief calling himself the “Dark Overlord” hacked into the databases of a Clarke County medical clinic and emerged with the personal information of an estimated 200,000 patients.

The Athens Orthopedic Clinic refused to pay the hacker’s ransom and advised current and former patients to set up anti-fraud protections. Now a lawsuit filed by three of those patients — demanding that the clinic pay damages — could set a precedent in Georgia, where reports of data breaches have been soaring.

On Tuesday, the Georgia Supreme Court heard arguments that revolved around a key question: must a data breach victim suffer actual financial loss to be compensated under the law? Or is the threat of future harm enough?

Their answer could have broad ramifications. Atlanta-based Equifax, Georgia Tech and the Georgia Secretary of State’s Office are just some of the places where breaches have exposed the data of millions of people.

Equifax, based in Atlanta, was the victim of a data breach in September 2017

The lawsuit considered Tuesday alleges that Athens Orthopedic, which has been providing medical care since 1966, was negligent for the breach. The plaintiffs, all women, are seeking damages for what they have already paid and what they may have to pay in the future for credit monitoring, identity theft protection or placing credit freezes on their accounts.

So far, they have been unsuccessful. In a 2-1 decision last year, the state Court of Appeals ruled that because the plaintiffs suffered no actual financial loss or harm, they are not entitled to recover damages for potential, or future, injuries. But the Supreme Court’s decision to take a look at that lower court ruling indicates some of the justices may not be happy with it.

In other data-breach cases, U.S. District Court judges have allowed similar complaints to proceed against companies such as Target, Home Depot, Anthem and Equifax. But in those cases, federal judges did not have to apply Georgia law, which the justices must do in the Athens Orthopedic litigation.

After finding out about the breach, Athens Orthopedic notified about 200,000 of its current and former patients that the hacked data included their names, addresses, Social Security numbers, dates of birth and telephone numbers. It advised clients to place fraud alerts on their credit accounts and seek other advice.

The women’s lawsuit disclosed that some of the stolen information was offered for sale on the dark web — an encrypted network of websites not accessed by most people. The suit also said some of the information had been made available, at least temporarily, on a data-storage website.

Attorney David Bain, who represents the female plaintiffs, reminded the Supreme Court’s justices on Tuesday that his clients’ personal information was stolen by a criminal, not compromised by some inadvertent mistake. “And it will be exposed for the rest of their lives,” Bain said.

Atlanta lawyer David Bain. (Law Offices of David A. Bain)

The response from Athens Orthopedic, Bain added, “has been disappointing to say the least.” The clinic maintains that Georgia law does not allow the women to receive financial compensation, “and that is what you’re going to get,” he said.

Attorney John Dalbey, who represents the clinic, argued that an injury in the legal sense is physical harm, harm to property or a financial loss. The prophylactic steps taken by the women to prevent anything bad from happening in the future are not the same, he said.

“Yes, it is perhaps a harsh result,” Dalbey acknowledged. “It is something for the Legislature to address.”

But a number of justices did not appear to be satisfied with Dalbey’s position.

Atlanta lawyer John Dalbey. (Chilivis, Cochran, Larkins & Bever)

Justice Sarah Warren said it seemed logical that the Dark Overlord hacked the patients’ information with nefarious intent. Justice Nels Peterson agreed and said, with that in mind, don’t the clinic’s patients have a duty to mitigate what could happen next?

What if you’re mugged by some criminal who takes your keys? Justice David Nahmias asked. Wouldn’t you have to change your locks to make sure that person doesn’t break into your home or office?

Justice David E. Nahmias during oral arguments before the Georgia Supreme Court. (DAVID BARNES / DAVID.BARNES@AJC.COM)

“It would be prudent to do so,” Dalbey responded. “But it’s not required.”

That answer didn’t satisfy Nahmias.

So we all have to wait until hundreds of thousands of people are victims of identity theft? Nahmias asked. “Until that day your life is ruined you get nothing? That is a very odd view of the law.”

The court is expected to issue its ruling in the coming months.