Georgia Supreme Court Rules that State Has No Obligation to Protect Personal Information

Almost exactly one year after the stringent European General Data Protection Regulation came into effect (May 25, 2019), the Supreme Court of the state of Georgia has ruled (May 20, 2019) that the state government does not have an inherent obligation to protect citizens' personal information that it stores.

The ruling relates to a case that dates back to 2013. A Georgia Department of Labor employee inadvertently emailed a spreadsheet containing the names, Social Security numbers, telephone numbers and email addresses of 4,457 people who had applied for benefits to about 1,000 people.

Thomas McConnell, whose details appeared on the spreadsheet, filed a putative class action against the Department of Labor, alleging negligence, breach of fiduciary duty, and invasion of privacy. That case has progressed through the legal system to the Supreme Court, and has been dismissed (PDF).

While the Supreme Court has not ruled that there can never be an obligation to protect citizens' data, it has ruled that the obligation is not automatic -- and in the McConnell case, no separate requirement imposed one.

McConnell had alleged negligence, breach of fiduciary duty, and invasion of privacy by public disclosure of private facts by the Department of Labor. Each of these claims has been rejected. The first to go was 'negligence' -- dismissed because there is no requirement in law to protect the data of benefit claimants. Furthermore, McConnell's claim that Georgia recognizes a "common law duty 'to all the world not to subject others to an unreasonable risk of harm'" (Bradley Center, Inc. v. Wessner; 1982) does not, according to this ruling, set a precedent.

Furthermore, the existing identity theft statute does not explicitly require anything of data storers, while the statute restricting disclosure of Social Security numbers applies only to intentional disclosures and not to accidental exposures such as occurred here.

The fiduciary duty claim was then dismissed because no public officer stood to gain from the incident, and there was no special relationship of confidence between McConnell and the Department.

Finally, the allegation of an invasion of privacy was rejected. The Supreme Court ruled that "the matter disclosed included only the name, social security number, home telephone number, email address, and age of individuals who had sought services or benefits from the Department. This kind of information does not normally affect a person's reputation, which is the interest the tort of public disclosure of embarrassing private facts was meant to remedy."

On its own, that could be a contentious statement. Individuals could reasonably be expected to be embarrassed if friends and neighbours knew that they had to apply for benefits. However, the judge continued, "And even if the information were of the kind that affected reputation, the complaint would still not state a claim here because the matters disclosed were not offensive and objectionable."

This is, Terence Jackson, CISO at Thycotic, told SecurityWeek, "a bad precedent. As local state and state governments have been increasingly targeted by ransomware attacks this year, this ruling doesn't seem to hold the agencies responsible for non-authorized information disclosure. With the treasure trove of PII, the Department of Labor absolutely has a duty to safeguard personal data with reasonable countermeasures."

Global law firm Womble Bond Dickinson LLP issued an alert to its U.S. clients, describing the ruling as a 'landscape-changing privacy decision' in ridding Georgia government entities of the general duty to safeguard personal information given to them. "Now," it wrote, "entities must be careful when contracting with Georgia governmental entities if sharing personal information. Companies should also consider contractual protections addressing exchanges of personal information going to the government, and mandate that information is kept according to certain information security practices."

Gavin Reinke, at the law firm Alston & Bird, also has concerns. "This decision," he blogged, "has potentially significant implications on plaintiffs' attempts to certify nationwide class actions against retailers who are victims of a data breach based on a negligence theory. It illustrates that the law of negligence is not uniform across all jurisdictions, which will make attempts to certify a nationwide class in data breach cases difficult or impossible."

The ruling, if anything, strengthens the call for a federal privacy law. Just as GDPR was introduced in part to provide a level playing field for business across all the different EU nations, so the U.S. would benefit from a single privacy regulation across all states. "This ruling," said Thycotic's Jackson, "highlights the need for the U.S. to take a wholistic look into Data Privacy and Protection measures at a Federal level."

Venkat Ramasamy, COO of FileCloud, agrees: "Of course, public institutions should care and protect their stakeholders' data (I would say it is a reasonable expectation -- very similar to protecting the rights of personal property, freedom of speech and so on). I think it is high time to have federal privacy law which can be modeled after the California Consumer Protection Act (CCPA)."

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.