307 Ga. 555 FINAL COPY
S19G0007. COLLINS et al. v. ATHENS ORTHOPEDIC CLINIC, P.A.
PETERSON, Justice.
When a criminal steals consumers’ sensitive personal data,
what do those consumers have to plead against the allegedly
negligent business from whom the data was stolen to show a legally
cognizable injury under Georgia tort law? The Court of Appeals has
held in cases involving the exposure of personal information that the
failure to show that the information had actually fallen into criminal
hands, let alone that the information was used to the consumers’
detriment, meant that plaintiffs had failed to show a legally
cognizable injury. But this case, which was dismissed on the
pleadings despite allegations of large-scale criminal activity, falls
into a different category of data-exposure cases. The plaintiffs here,
current or former patients of the defendant medical clinic, brought
a putative class action after the clinic informed them that a hacker had stolen their personal data from the clinic. We conclude that the
injury the plaintiffs allege that they have suffered is legally
cognizable. Because the Court of Appeals held otherwise in
affirming dismissal of the plaintiffs’ negligence claims, we reverse
that holding. Because that error may have affected the Court of
Appeals’s other holdings, we vacate those other holdings and
remand the case.
1. Background.
The complaint, verified by each of the named plaintiffs, alleges
that in June 2016 an anonymous hacker stole the personally
identifiable information, including social security numbers,
addresses, birth dates, and health insurance details, of at least
200,000 current or former patients of Athens Orthopedic Clinic (“the
Clinic”) from the Clinic’s computer databases. Those current or
former patients included named plaintiffs Christine Collins,
Paulette Moreland, and Kathryn Strickland. According to the
allegations contained in the complaint, the hacker demanded a
ransom, but the Clinic refused to pay. The hacker offered at least
2 some of the stolen personal data for sale on the so-called “dark web,”
and some of the information was made available, at least
temporarily, on Pastebin, a data-storage website. The Clinic notified
the plaintiffs of the breach in August 2016.
The plaintiffs allege that because their personal data has been
“compromised and made available to others on the dark web,
criminals are now able to assume Class Members’ identit[ies] and
fraudulently obtain credit cards, issue fraudulent checks, file tax
refund returns, liquidate bank accounts, and open new accounts, all
in Class Members’ names.” Each named plaintiff alleges that she
has “spent time calling a credit reporting agency and placing a fraud
or credit alert on her credit report to try to contain the impact of the
data breach and anticipates having to spend more time and money
in the future on similar activities.” Collins also alleges that
fraudulent charges to her credit card were made “[s]hortly” after the
data breach and that she spent time getting the charges reversed by
the card issuer. And the complaint alleges that “[e]ven Class
Members who have not yet experienced identity theft or are not yet
3 aware of it nevertheless face the imminent and substantial risk of
future injury.”
In their suit against the Clinic, the plaintiffs sought class
certification and asserted claims for negligence, breach of implied
contract, and unjust enrichment. They sought damages based on
costs related to credit monitoring and identity theft protection, as
well as attorneys’ fees. They also sought injunctive relief under the
Georgia Uniform Deceptive Trade Practices Act, OCGA § 10-1-370
et seq. (“UDTPA”), and a declaratory judgment to the effect that the
Clinic must take certain actions to ensure the security of class
members’ personal data in the future. The Clinic filed a motion to
dismiss based on both OCGA § 9-11-12 (b) (1) and OCGA § 9-11-12
(b) (6), which the trial court granted summarily.
A divided panel of the Court of Appeals affirmed. See Collins
v. Athens Orthopedic Clinic, 347 Ga. App. 13 (815 SE2d 639) (2018).
The Court of Appeals concluded that the plaintiffs’ negligence claim
was properly dismissed because the plaintiffs “seek only to recover
for an increased risk of harm.” Id. at 18 (2) (a). The majority
4 concluded that although the credit monitoring and other
precautionary measures alleged by the plaintiffs were “undoubtedly
prudent,” they were “designed to ward off exposure to future,
speculative harm” and thus “insufficient to state a cognizable claim
under Georgia law.” Id.1
Then-Presiding Judge McFadden dissented from that holding,
concluding that the plaintiffs had standing to bring their claims
given that their allegations of future injury show a substantial risk
that harm will occur. Collins, 347 Ga. App. at 22-25 (1)-(2)
(McFadden, P. J., concurring in part and dissenting in part). We
granted the plaintiffs’ petition for certiorari to consider whether the
1 The Court of Appeals majority explicitly held that the plaintiffs’ claim
for breach of implied contract failed for the same reason that their negligence claim failed — they had not sufficiently alleged a cognizable injury. See Collins, 347 Ga. App. at 18-19 (2) (b). The majority’s incorrect resolution of the question of whether the plaintiffs had sufficiently pleaded a cognizable injury for negligence purposes may have affected its consideration of other claims, as well. The majority held that the declaratory judgment claim failed because the pleadings do not show any uncertainty that a court declaration would resolve; that the UDTPA claim was properly dismissed because the plaintiffs did not allege any future, nonspeculative harm that an injunction would remedy; and that the unjust enrichment claim failed because it was not pleaded as an alternate theory of recovery based on a failed contract. Collins, 347 Ga. App. at 19-22 (2) (c) - (e). These holdings should be revisited on remand. 5 Court of Appeals erred in holding that the plaintiffs failed to allege
a legally cognizable injury. We conclude that the plaintiffs did allege
a cognizable injury.
2. The Georgia case law relied on by the Court of Appeals is inapplicable for two reasons.
“It is well established that to recover for injuries caused by
another’s negligence, a plaintiff must show four elements: a duty, a
breach of that duty, causation[,] and damages.” Goldstein, Garber &
Salama, LLC v. J. B., 300 Ga. 840, 841 (1) (797 SE2d 87) (2017)
(citation and punctuation omitted). In other words, “before an action
for a tort will lie, the plaintiff must show he sustained injury or
damage as a result of the negligent act or omission to act in some
duty owed to him.” Whitehead v. Cuffie, 185 Ga. App. 351, 353 (2)
(364 SE2d 87) (1987); see also OCGA § 51-1-6 (“When the law
requires a person to perform an act for the benefit of another or to
refrain from doing an act which may injure another, although no
cause of action is given in express terms, the injured party may
recover for the breach of such legal duty if he suffers damage
thereby.” (emphasis added)); OCGA § 51-1-8 (“The violation of a 6 private duty, accompanied by damage, shall give a right of action.”
(emphasis added)); OCGA § 51-12-4 (“Damages are given as
compensation for injury; generally, such compensation is the
measure of damages where an injury is of a character capable of
being estimated in money.”).
[A] wrongdoer is not responsible for a consequence which is merely possible, according to occasional experience, but only for a consequence which is probable, according to ordinary and usual experience. . . . A fear of future damages is too speculative to form the basis for recovery.
Finnerty v. State Bank & Trust Co., 301 Ga. App. 569, 572 (4) (687
SE2d 842) (2009) (citation and punctuation omitted), disapproved of
on other grounds by Cumberland Contractors, Inc. v. State Bank &
Trust Co., 327 Ga. App. 121, 125 (2) n.4 (755 SE2d 511) (2014); see
also OCGA § 51-12-8 (“If the damage incurred by the plaintiff is only
the imaginary or possible result of a tortious act or if other and
contingent circumstances preponderate in causing the injury, such
damage is too remote to be the basis of recovery against the
wrongdoer.”).
Concluding that the plaintiffs had not sufficiently pleaded
7 injury here, the Court of Appeals relied on two of its opinions
addressing the exposure of sensitive personal information, Finnerty
and Rite Aid of Georgia v. Peacock, 315 Ga. App. 573 (726 SE2d 577)
(2012). In Finnerty, the matter came before the Court of Appeals on
the grant of summary judgment against a civil case defendant who
complained that the plaintiff bank had included his social security
number in an exhibit to the civil complaint. 301 Ga. App. at 569. As
one of several alternative bases for affirming the summary judgment
order, the Court of Appeals concluded that the defendant’s state law
counterclaims alleging that the bank’s action caused him injuries
were “wholly speculative.” Id. at 572 (4). The court noted that the
defendant had “failed to demonstrate that the Bank’s purported
unlawful disclosure made it ‘probable’ that he would suffer any
identity theft or that any specific persons actually have accessed his
confidential personal information as a result of the purported
unlawful disclosure.” Id. And in Rite Aid, the Court of Appeals
reversed a grant of class certification in a case arising from the
defendant pharmacy’s sale of its customers’ medication information
8 to another pharmacy, concluding the trial court erred in finding that
the named plaintiff and the proposed class of customers shared
common questions of law and fact and that the named plaintiff was
a sufficiently typical class representative. In particular, the Court of
Appeals noted that the named plaintiff could only speculate that a
criminal might associate with an employee of the new pharmacy who
had access to his prescription information. 315 Ga. App. at 576-577
(1) (a) (i).
The Court of Appeals in this case also relied on its prior opinion
in Boyd v. Orkin Exterminating Co., 191 Ga. App. 38 (381 SE2d 295)
(1989), overruled on other grounds by Hanna v. McWilliams, 213 Ga.
App. 648, 651 (2) (b) (446 SE2d 741) (1994), in which the Court of
Appeals affirmed a grant of partial summary judgment to the
defendant pest control company on the plaintiffs’ suit alleging that
the negligent application of pesticide in their home subjected their
children to an increased risk of cancer. In particular, the Boyd court
rejected the notion that the plaintiffs could recover for an alleged
increased risk of cancer as a result of the pest treatments, because,
9 although the plaintiffs produced testimony that their children would
require monitoring in the future to determine whether they
developed health problems due to their exposure, they had fallen
“far short” of establishing to a “reasonable medical certainty” that
such consequences would occur. 191 Ga. App. at 40-41 (2) (citation
and punctuation omitted). Although the plaintiffs in Boyd pointed
to the presence of elevated levels of a certain metabolite in the
children’s bloodstream, the record in that case provided no
“indication that the presence of these metabolites had caused or
would eventually cause actual disease, pain, or impairment of some
kind[.]” Id. at 40 (1).
The Court of Appeals here relied on Finnerty and Rite Aid to
conclude that “the fact of compromised data is not a compensable
injury by itself in the absence of some loss or damage flowing to the
plaintiff’s legally protected interest as a result of the alleged breach
of the legal duty[,]” and therefore the plaintiffs here do not allege a
legally cognizable injury. Collins, 347 Ga. App. at 15-16 (2) (citation
and punctuation omitted). And the court said that Boyd was a
10 “fitting analogue” to this case, given that in both this case and Boyd,
“the defendant’s alleged negligence exposed Plaintiffs to a risk of
harm which may or may not occur.” Id. at 16 (2).2 But there are two
fundamental differences between those cases and this one.
(a) The key Georgia decisions relied on by the Court of Appeals were not issued in the context of a motion to dismiss.
First, neither Finnerty, nor Rite Aid, nor Boyd was decided in
the context of a motion to dismiss. Finnerty and Boyd were summary
judgment cases, and Rite Aid involved a question of class
certification. To avoid dismissal on summary judgment, a plaintiff
must present evidence that raises a genuine issue of material fact.
See Nguyen v. Southwestern Emergency Physicians, P.C., 298 Ga.
75, 82 (3) (779 SE2d 334) (2015). And to prevail on a request for class
2 The Court of Appeals also cited two other cases we need not address at
length. First, it cited an unpublished Eleventh Circuit opinion surmising that Boyd “suggests that Georgia would not recognize” a claim for “recovery of medical monitoring costs in the absence of a current physical injury.” Parker v. Brush Wellman, Inc., 230 Fed. Appx. 878, 883 (III) (A) (11th Cir. 2007). That type of claim is not before us, and we express no opinion on the viability of such a claim. And second, it cited its own decision in Crawford Long Mem. Hosp. v. Hardeman, 84 Ga. App. 306 (66 SE2d 67) (1951). But that summary opinion cited no authority for its conclusory analysis, and had never been cited until the decision below. We decline to extend that decision beyond its facts. 11 certification, a plaintiff must show with evidence that the
requirements for certification are satisfied. See Georgia-Pacific
Consumer Products v. Ratner, 295 Ga. 524, 526 (1) (762 SE2d 419)
(2014). Therefore, it was not enough for the claimants in Finnerty
and Rite Aid merely to allege that identity theft was a possible, or
even likely, result of the opposing party’s actions. And it was not
enough for the plaintiffs in Boyd merely to allege that it was
possible, or even likely, that their children would develop cancer as
a result of the pesticide application. Given the stages in which those
cases presented themselves to the Court of Appeals, evidence beyond
mere allegations was required in order for the claimants to prevail.
Not so here. This case comes before us as an appeal from the
grant of a motion to dismiss for failure to state a claim under OCGA
§ 9-11-12 (b) (6). Such a motion is properly granted when the
plaintiff “would not be entitled to relief under any state of provable
facts asserted in support” of the allegations in the complaint and
“could not possibly introduce evidence within the framework of the
complaint sufficient to warrant a grant of the relief sought.” Austin
12 v. Clark, 294 Ga. 773, 774-775 (755 SE2d 796) (2014) (citation and
punctuation omitted). In deciding such a motion, any doubts
regarding the complaint must be construed in favor of the plaintiff.
Id. at 775.3
Here, the plaintiffs allege that criminals are now able to
assume their identities fraudulently and that the risk of such
identity theft is “imminent and substantial.” This amounts to a
factual allegation about the likelihood that any given class member
will have her identity stolen as a result of the data breach. As this
3 We note, as did then-Presiding Judge McFadden, that the Clinic’s motion also sought dismissal for lack of subject matter jurisdiction under OCGA § 9-11-12 (b) (1), on the basis that the plaintiffs lacked standing to bring any claim against it, and the trial court’s order did not specify under which basis it granted the Clinic’s motion. See Collins, 347 Ga. App. at 23 (1) n.11 (McFadden, P. J., concurring in part and dissenting in part). A motion to dismiss for lack of subject matter jurisdiction may entail a “factual challenge” that requires consideration of evidence beyond the face of the complaint. See Douglas County v. Hamilton State Bank, 340 Ga. App. 801, 801 (798 SE2d 509) (2017). Although the Clinic’s motion included a link to a news article about the data breach, no evidence was introduced at the trial court’s hearing on the motion. Of course, a court cannot skip past a jurisdictional issue to resolve simpler merits questions, but has the duty to “raise the question of jurisdiction on its own motion whenever there may be any doubt as to its existence.” Scroggins v. Edmondson, 250 Ga. 430, 430 (1) (297 SE2d 469) (1982). But we conclude that the allegations that we determine are enough here to plead a legally cognizable injury are also sufficient in this procedural posture to satisfy the injury-in-fact element of standing. 13 case comes before us on a motion to dismiss, we must accept this
factual allegation as true.
(b) The Court of Appeals’s prior cases involved a sort of exposure of data fundamentally different than the actual data theft in this case.
In addition to the differences in procedural posture, the facts
of Finnerty and Rite Aid put them in a category different from that
of this case. In neither Finnerty nor Rite Aid was there any reason
to believe that the data in question had in fact fallen into a criminal’s
hands; here, plaintiffs allege that their data was stolen by a criminal
whose alleged purpose was to sell the data to other criminals. To
conclude that the claimants in Finnerty and Rite Aid would likely
suffer identity theft as a result of the opposing parties’ actions would
have required a long series of speculative inferences, including that
someone with malicious intent would obtain the data in the first
place, that this person would attempt to use the data to steal the
claimant’s identity or make the data available to someone who
would attempt to do so, and that the would-be identity thief would
succeed in fraudulent usage of the claimant’s identity. See also
14 McLoughlin v. People’s United Bank, Inc., 2009 WL 2843269, at *7-
*8 (Case No. 3:08-cv-00944 (VLB), D. Conn., decided Aug. 31, 2009)
(where box containing backup tapes of electronic banking data was
lost or stolen from truck with broken lock — with no indication that
box was stolen for the data it contained — no injury under
Connecticut tort law, as tapes “could have been inadvertently
discarded or destroyed,” or “collecting dust in some forgotten
warehouse,” and it “is only through speculation that one concludes
that they are in possession of an individual who is driven to
maliciously mine the tapes for the personal data that they contain”).
Those cases are far different from this one.
Here, the plaintiffs alleged that (1) a thief stole a large amount
of personal data by hacking into a business’s computer databases
and demanded a ransom for the data’s return, (2) the thief offered
at least some of the data for sale, and (3) all class members now face
the “imminent and substantial risk” of identity theft given criminals’
ability to use the stolen data to assume the class members’ identities
and fraudulently obtain credit cards, issue fraudulent checks, file
15 tax refund returns, liquidate bank accounts, and open new accounts
in their names. Assuming the truth of these allegations, as we must
at this stage, we must presume that a criminal actor has maliciously
accessed the plaintiffs’ data and has at least attempted to sell at
least some of the data to other wrongdoers. Moreover, an important
part of the value of that data to anyone who would buy it in that
fashion is its utility in committing identity theft. See Remijas v.
Neiman Marcus Group, LLC, 794 F3d 688, 693 (7th Cir. 2015) (“[I]t
is plausible to infer that the plaintiffs have shown a substantial risk
of harm from the . . . data breach. Why else would hackers break
into a store’s database and steal consumers’ private information?
Presumably, the purpose of the hack is, sooner or later, to make
fraudulent charges or assume those consumers’ identities.”).4 Thus,
we are much further along in the chain of inferences that one must
4 Some of the federal authorities we cite in this opinion address whether
there is injury in fact for purposes of standing under Article III of the United States Constitution. That analysis may well be different than whether a legally cognizable injury has been pled as a matter of Georgia tort law, but the question here is similar enough that these federal cases are still useful.
16 draw in order to conclude that the plaintiffs here likely will suffer
identity theft.5
As explained above, showing injury as a result of the exposure
of data is easier in a case like this, where the data exposure occurs
as a result of an act by a criminal whose likely motivation is to sell
the data to others. But that easier showing of injury may well be
offset by a more difficult showing of breach of duty.6 Cf. Dept. of
Labor v. McConnell, 305 Ga. 812, 815-816 (3) (a) (828 SE2d 352)
(2019) (plaintiff failed to show that state agency owed him duty —
5 As the case proceeds beyond the motion to dismiss stage, the plaintiffs
will need to support their claim of injury with evidence about the extent to which they face an imminent and substantial risk of identity theft. Moreover, that risk may become either easier or more difficult to prove as time goes on and the plaintiffs do or do not experience actual identity theft. 6 Proving that the plaintiff’s injuries were proximately caused by the
breach may also be more difficult. See Goldstein, Garber & Salama, 300 Ga. at 842-843 (1) (trial court should have granted dental practice’s motion for directed verdict, as practice could not have foreseen that independent contractor nurse anesthetist would molest plaintiff patient, and thus proximate causation could not be shown); see also Resnick v. AvMed, Inc., 693 F3d 1317, 1330-1332 (11th Cir. 2012) (William Pryor, J., dissenting) (arguing that Florida law claims filed in federal court should have been dismissed under applicable federal pleading standard, as plaintiffs failed to plead facts rendering plausible their allegation that identity thieves obtained sensitive information as a result of theft of defendant’s computers, as opposed to from a third party).
17 under either OCGA § 10-1-393.8, OCGA § 10-1-910, or purported
common law duty “to all the world not to subject others to an
unreasonable risk of harm” — to protect his personal information
from inadvertent, negligent disclosure (citation and punctuation
omitted)). This case is at the motion to dismiss stage, and the Court
of Appeals’s decision did not turn on this issue, so we leave it for
another day.7
3. The plaintiffs’ negligence claim should not have been dismissed for failure to allege a cognizable injury.
Construing the plaintiffs’ allegations — particularly that
criminals are able to assume their identities fraudulently as a result
of the data breach and that the risk of such identity theft is
“imminent and substantial” — in the light most favorable to the
plaintiffs, we cannot say that the plaintiffs will not be able to
introduce sufficient evidence of injury within the framework of the
7 We recognize that this case involves a fairly new kind of injury. As a
court, we discharge our duty to apply traditional tort law to that injury. But that traditional tort law is a rather blunt instrument for resolving all of the complex tradeoffs at issue in a case such as this, tradeoffs that may well be better resolved by the legislative process. 18 complaint. The plaintiffs allege that their personal data has been
stolen on a mass scale by a criminal, who in turn has offered it for
sale to other criminals. They also allege that, as a result, criminals
are able to assume their identities and fraudulently obtain credit
cards, issue fraudulent checks, file tax refund returns, liquidate
bank accounts, and open new accounts in their names. These
allegations raise more than a mere specter of harm. See Attias v.
CareFirst, Inc., 865 F3d 620, 629 (D.C. Cir. 2017) (“No long sequence
of uncertain contingencies involving multiple independent actors
has to occur before the plaintiffs in this case will suffer any harm; a
substantial risk of harm exists already, simply by virtue of the hack
and the nature of the data that the plaintiffs allege was taken.”).
These allegations are sufficient to survive a motion to dismiss the
plaintiffs’ negligence claims.
Our conclusion that dismissal of the negligence claims for lack
of injury is not warranted at this stage does not depend on the
plaintiffs’ allegations that the breach has caused them to spend
money attempting to mitigate the consequences of the breach by
19 avoiding actual identity theft. Although this may represent all or
some measure of the plaintiffs’ damages to date, their allegation
that the criminal theft of their personal data has left them at an
imminent and substantial risk of identity theft is sufficient at this
stage of the litigation.8
4. Our conclusion is consistent with recent federal decisions applying Georgia law.
Recent persuasive federal district court decisions applying
Georgia law in similar cases are consistent with our conclusion that
the plaintiffs have pleaded a legally cognizable injury here. In
litigation arising from hackers’ theft of the credit cardholder
information of Arby’s customers, a district court rejected the
defendant’s argument that the consumer plaintiffs’ negligence
8 Our conclusion also does not depend on the allegation that one named
plaintiff already has experienced identity theft. The Court of Appeals implicitly rejected a negligence claim based on this allegation, citing a failure to allege that the fraudulent charges were related to or caused by the data breach. Collins, 347 Ga. App. at 18 (2) (a) n.5. And although the plaintiffs sought review of this aspect of the Court of Appeals decision, we did not grant certiorari on issues of causation, and we express no opinion on those issues. We note, however, that the Clinic’s counsel acknowledged at oral argument before this Court that “a general allegation of causation is usually sufficient to carry the plaintiff’s burden” at the motion to dismiss stage. 20 claims should be dismissed because they had not suffered “any out-
of-pocket loss.” See In re Arby’s Restaurant Group Inc. Litigation,
2018 WL 2128441, at *11 (Civil Action No. 1:17-cv-0514-AT, N.D.
Ga., decided March 5, 2018). Although the plaintiffs had alleged
unauthorized charges on their credit card accounts — i.e., actual
identity theft — the court also pointed to alleged costs associated
with detection and prevention of identity theft in concluding that the
allegations of injury were sufficient. Id. (“While Arby’s is correct that
a plaintiff may not recover for injuries that are purely speculative,
such as the potential risk of future identity theft, Plaintiffs’
Complaint alleges costs associated with actual data theft.”
(emphasis added)).9
In another federal case over theft of consumers’ personal data
9 The district court noted that the plaintiffs’ alleged monetary losses meant that it did not need to consider whether the plaintiffs’ other alleged injuries — for loss of use of funds and accounts, loss of productivity, time and effort in remediating the breach, and inability to receive card rewards — were cognizable under Georgia law. In re Arby’s, 2018 WL 2128441, at *11 n.12. But, noting a lack of authority cited by the parties on that question, the court added its view that “a consumer’s time and effort to remediate the effects of a breach is not an abstract notion of actual damage and one that is susceptible to proof and valuation by a jury.” Id. We express no opinion on that issue. 21 by hackers, a district court also rejected the defendants’ argument
that the plaintiffs’ Georgia tort claims failed because they had not
pleaded a legally cognizable injury. See In re Equifax, Inc., Customer
Data Security Breach Litigation, 362 FSupp.3d 1295, 1314-1317
(N.D. Ga. 2019). Again, although the plaintiffs’ allegations in that
case included allegations that some members of the class had
suffered actual identity theft, the district court also pointed to the
allegations about a risk of identity theft, as well as measures to
mitigate that risk, in concluding that the allegation of injury was
sufficient:
Plaintiffs here have alleged that they have been harmed by having to take measures to combat the risk of identity theft, by identity theft that has already occurred to some members of the class, by expending time and effort to monitor their credit and identity, and that they all face a serious and imminent risk of fraud and identity theft due to the Data Breach. These allegations of actual injury are sufficient to support a claim for relief.
Id. at 1315.10
10 The district court in Equifax attempted to distinguish the Court of
Appeals’s decision here on the basis that here “the plaintiffs alleged only an ‘increased risk of harm’ associated with taking precautionary measures,”
22 Although ultimately this Court is the final arbiter of the
meaning of Georgia law, the district courts’ conclusions in these
cases are somewhat more persuasive because, although those cases
also came before district courts on motions to dismiss, they were
subject to the more stringent pleading standards governing federal
cases. Compare Ashcroft v. Iqbal, 556 U. S. 662, 679 (129 SCt 1937,
173 LE2d 868) (2009) (under federal law, legal conclusions recited
in complaint “must be supported by factual allegations” that
“plausibly give rise to an entitlement to relief”), with Dillingham v.
Doctors Clinic, P.A., 236 Ga. 302, 303 (223 SE2d 625) (1976) (under
whereas the Equifax plaintiffs “alleged a substantial and imminent risk of impending identity fraud due to the vast amount of information that was obtained in the Data Breach.” 362 FSupp.3d at 1317 (citing Collins, 347 Ga. App. at 18). The district court noted that the Equifax plaintiffs also had “alleged that they have already incurred significant costs in response to the Data Breach” and many had “also already suffered forms of identity theft.” Id. This attempt to distinguish the Court of Appeals’s decision here is perplexing and ultimately unconvincing, however. Although the Court of Appeals used the phrase “increased risk of harm” to describe the plaintiffs’ allegations, Collins, 347 Ga. App. at 18 (2) (a), the plaintiffs here, like the Equifax plaintiffs, in fact have pleaded an “imminent and substantial risk” of identity theft. And the district court in Equifax specifically relied on the sort of allegations of credit monitoring made here in concluding that the plaintiffs had adequately pleaded both that they had suffered an injury, 362 FSupp.3d at 1315, and that the injury was proximately caused by the data breach, id. at 1318-1319. 23 Georgia law, complaint need only “give the defendant fair notice of
what the claim is and a general indication of the type of litigation
involved; the discovery process bears the burden of filling in
details”).
Because the Court of Appeals erred in concluding that the trial
court properly dismissed the plaintiffs’ negligence claims due to
failure to plead a legally cognizable injury, we reverse that holding.
Because that error may have affected the Court of Appeals’s other
holdings, we vacate those other holdings and remand the case.
Judgment reversed in part and vacated in part, and case remanded. All the Justices concur.
24 DECIDED DECEMBER 23, 2019. Certiorari to the Court of Appeals of Georgia — 347 Ga. App. 13. David A. Bain; Goldman Scarlato & Penny, Mark S. Goldman, Douglas J. Bench, for appellants. Chilivis, Cochran, Larkins & Bever, John D. Dalbey, for appellee.