[BreachExchange] Georgia Supreme Court Considers Data Breach Damages Case

[Destry Winant]

https://www.govtech.com/security/Georgia-Supreme-Court-Considers-Data-Breach-Damages-Case.html

(TNS) — In the spring of 2016, a cyberthief calling himself the “Dark
Overlord” hacked into the databases of a Clarke County medical clinic
and emerged with the personal information of an estimated 200,000
patients.

The Athens Orthopedic Clinic refused to pay the hacker’s ransom and
advised current and former patients to set up anti-fraud protections.
Now a lawsuit filed by three of those patients — demanding that the
clinic pay damages — could set a precedent in Georgia, where reports
of data breaches have been soaring.

On Tuesday, the Georgia Supreme Court heard arguments that revolved
around a key question: Must a data breach victim suffer actual
financial loss to be compensated under the law? Or is the threat of
future harm enough?

Their answer could have broad ramifications. Atlanta-based Equifax,
Georgia Tech and the Georgia Secretary of State’s Office are just some
of the places where breaches have exposed the data of millions of
people.

Equifax, based in Atlanta, was the victim of a data breach in September 2017.

The lawsuit considered Tuesday alleges that Athens Orthopedic, which
has been providing medical care since 1966, was negligent for the
breach. The plaintiffs, all women, are seeking damages for what they
have already paid and what they may have to pay in the future for
credit monitoring, identity theft protection or placing credit freezes
on their accounts.

So far, they have been unsuccessful. In a 2-1 decision last year, the
state Court of Appeals ruled that because the plaintiffs suffered no
actual financial loss or harm, they are not entitled to recover
damages for potential, or future, injuries. But the Supreme Court’s
decision to take a look at that lower court ruling indicates some of
the justices may not be happy with it.

In other data-breach cases, U.S. District Court judges have allowed
similar complaints to proceed against companies such as Target, Home
Depot, Anthem and Equifax. But in those cases, federal judges did not
have to apply Georgia law, which the justices must do in the Athens
Orthopedic litigation.

After finding out about the breach, the Athens Orthopedic notified
about 200,000 of its current and former patients that the hacked data
included their names, addresses, Social Security numbers, dates of
birth and telephone numbers. It advised clients to place fraud alerts
on their credit accounts and seek other advice.

The women’s lawsuit disclosed that some of the stolen information was
offered for sale on the dark web — an encrypted network of websites
not accessed by most people. The suit also said some of the
information had been made available, at least temporarily, on a
data-storage website.

Attorney David Bain, who represents the female plaintiffs, reminded
the Supreme Court’s justices on Tuesday that his clients’ personal
information was stolen by a criminal, not compromised by some
inadvertent mistake. “And it will be exposed for the rest of their
lives,” Bain said.

The response from Athens Orthopedic, Bain added, “has been
disappointing to say the least.” The clinic maintains that Georgia law
does not allow the women to receive financial compensation, “and that
is what you’re going to get,” he said.

Attorney John Dalbey, who represents the clinic, argued that an injury
in the legal sense is physical harm, harm to property or a financial
loss. The prophylactic steps taken by the women to prevent anything
bad from happening in the future is not the same, he said.

“Yes, it is perhaps a harsh result,” Dalbey acknowledged. “It is
something for the Legislature to address.”

But a number of justices did not appear to be satisfied with Dalbey’s position.

Justice Sarah Warren said it seemed logical that the Dark Overlord
hacked the patients’ information with nefarious intent. Justice Nels
Peterson agreed and said, with that in mind, don’t the clinic’s
patients have a duty to mitigate what could happen next?

What if you’re mugged by some criminal who takes your keys? Justice
David Nahmias asked. Wouldn’t you have to change your locks to make
sure that person doesn’t break into your home or office?

“It would be prudent to do so,” Dalbey responded. “But it’s not required.”

That answer didn’t satisfy Nahmias.

So we all have to wait until hundreds of thousands of people are
victims of identity theft? Nahmias asked. “Until that day your life is
ruined you get nothing? That is a very odd view of the law.”

The court is expected to issue its ruling in the coming months.