The Georgia Supreme Court recently decided that state agencies owe no duty to protect Georgia citizens’ personal data.
From a recent Womble client alert:
According to the highest court in the state, Georgia state government does not have an inherent obligation to protect citizens’ personal or sensitive data like social security numbers or status on the unemployment rolls. This decision was taken without consideration of damage to the plaintiff citizens whose data was negligently distributed.
On May 20, 2019, the Georgia Supreme Court issued a landscape-changing privacy decision which, in the absence of a special relationship, rids Georgia governmental entities of the general duty to safeguard personal information given to them. Now, entities must be careful when contracting with Georgia governmental entities if sharing personal information. Companies should also consider contractual protections addressing exchanges of personal information going to the government, and mandate that information is kept according to certain information security practices.
This case arose because the Georgia Department of Labor (the “Department”) created a spreadsheet containing personal information (some of which is considered “sensitive information”) and shared it without permission of the individuals whose information was in the spreadsheet. Specifically, the spreadsheet contained the name, social security number, home telephone number, e-mail address, and age of 4,757 individuals who applied for unemployment benefits and other services administered by the Department. The Department mistakenly sent that spreadsheet to 1,000 recipients without the individuals’ permission. The individuals sued the Department, alleging the Department was negligent and breached its fiduciary duty, among other privacy tort claims.
The Plaintiffs tried several arguments to show that the Department owed them a duty to protect the plaintiffs’ information, and the Court shot them all down. If you are interested in the specific arguments, click the link above and read the alert.
Of course, Georgia has no specific law granting people privacy rights in the information describing those people that is held by government or businesses. This decision would be unthinkable in California, where not only CCPA but its predecessors grant people rights in data. And given that the trend is toward state legislatures considering deeper protection every day (https://statedatauselaw.com/), is this decision merely an outlier that will soon be swamped in a deluge of new US resident data rights? Probably.
But a decision like this could also be the start of a counter-reformation – a pushback against the Europeanization of US data laws. It may be influential where a court is skeptical of creating new rights and loading more burdens on business and bureaucracy. Federal courts in particular may be looking for a set of arguments to slow the progress of newly conceived privacy rights, especially now that California has potentially removed the necessity of proving damages to succeed in a case of personal data exposure.
This may especially be true in the many cases of data exposure through negligence, hacking or stolen portable computers. Life intrudes on all of us. We make mistakes. Hordes of hackers are attacking us every day. Things are lost. Until now, many courts have operated under the apparent assumption that a business or government has a duty to protect resident data, and that any exposure meant that the data holder should be accountable. In cases of inadvertent exposure, especially for material exposed by skilled hackers, the data holder can be viewed as much of a victim as the subject of the exposed data.
I can hear the violent screams of millions of Europeans if they were ever to read this statement, and I am not advocating for a “data-losing business as victim” position. I am simply noting that some courts, when weighing the requirements on business and government, may be looking for a hook to hang an argument protecting the defendant from spending thousands or millions of dollars on a clerical error or a successful attack. No US court that I have seen has yet established data security standards to determine when such a mistake is a breach of duty and when it is simply an error with no consequence. The Georgia Supreme Court has now provided a hook to find for a mistaken defendant without needing to dig into the technical morass of ruling on data security standards.
Certain courts in the future may appreciate such an option.