FOURTH DIVISION
ELLINGTON, P. J.,
BRANCH and MERCIER, JJ.
NOTICE: Motions for reconsideration must be
physically received in our clerk’s office within ten
days of the date of decision to be deemed timely filed.
http://www.gaappeals.us/rules
June 16, 2016
In the Court of Appeals of Georgia
A16A0655. MCCONNELL et al. v. DEPARTMENT OF LABOR.
ELLINGTON, Presiding Judge.
Thomas McConnell filed this class action against the Georgia Department of
Labor, alleging several tort claims in connection with the Department’s disclosure of
personal information of McConnell and the proposed class members. After a hearing,
the Superior Court of Cobb County granted the Department’s motion to dismiss
McConnell’s complaint for failure to state a claim upon which relief can be granted.
McConnell appeals, and for the reasons explained below we affirm.
In ruling on a motion to dismiss, the trial court must accept as true all
well-pled material allegations in the complaint and must resolve any
doubts in favor of the plaintiff. As an appellate court, we review de novo
a trial court’s determination that a pleading fails to state a claim upon
which relief can be granted, construing the pleadings in the light most
� favorable to the plaintiff and with any doubts resolved in the plaintiff’s
favor.
(Citations, punctuation, and footnote omitted.) Wright v. Waterberg Big Game
Hunting Lodge Otjahewita (PTY), Ltd., 330 Ga. App. 508, 509 (767 SE2d 513)
(2014).
McConnell’s amended complaint contained the following material allegations.
In September 2012, the Department created a spreadsheet that listed the name, social
security number, home phone number, email address, and age of over 4,000
Georgians who had applied for unemployment benefits or other services administered
by the Department. McConnell was among the Georgians whose personal information
was included in the spreadsheet. A year later, a Department employee sent the
spreadsheet by email to approximately 1,000 of the Georgians on the list. To protect
himself from the resulting risk of identity theft, McConnell enrolled in the “Life
Lock” service, which currently costs $19 per month.
In January 2014, McConnell filed this class action, alleging claims, as
amended, for negligence in disclosing “personal information” as defined under
Georgia law, invasion of privacy (public disclosure of private facts), and breach of
fiduciary duty. Under each theory of recovery, McConnell seeks damages,
2
�specifically, the fee for membership in Life Lock and other out-of-pocket costs
related to credit monitoring and identity protection services, damages resulting from
the impact to his credit score from the closing of accounts, and compensation for the
continuing fear and anxiety of potential identity theft in the future. He does not allege
that an act of identity theft has yet occurred.1
The Department moved to dismiss McConnell’s complaint, arguing, inter alia,
pursuant to OCGA § 9-11-12 (b) (6), that the complaint failed to state a claim upon
which relief can be granted. The trial court granted the Department’s motion to
dismiss, finding that each count failed to state a claim upon which relief can be
granted.2
1. McConnell contends that the trial court erred in ruling that he failed to state
a claim for negligent disclosure of personal information, based, inter alia, on its
1
We note that these factual allegations are not disputed. The Department
admitted creating the spreadsheet and admitted that the spreadsheet included
McConnell’s name, social security number, home phone number, age, and email
address. It admitted that its employee, in attempting to send the spreadsheet to another
Department employee, inadvertently sent the spreadsheet via email to approximately
1000 recipients. In addition, the Department admitted that the information was
“personal information” under Georgia law. See Division 1, infra.
2
As to McConnell’s claim for negligence, the trial court also determined that
Georgia’s Tort Claims Act, OCGA § 50-21-20 et seq., does not waive the State’s
sovereign immunity for the types of “loss” McConnell claims.
3
�determination that as a matter of law “there is no legal duty [under Georgia law] to
safeguard personal information.”
In order to have a viable negligence action, a plaintiff must satisfy the
elements of the tort, namely, the existence of a duty on the part of the
defendant, a breach of that duty, causation of the alleged injury, and
damages resulting from the alleged breach of the duty. The legal duty is
the obligation to conform to a standard of conduct under the law for the
protection of others against unreasonable risks of harm. This legal
obligation to the complaining party must be found, the observance of
which would have averted or avoided the injury or damage; the
innocence of the plaintiff is immaterial to the existence of the legal duty
on the part of the defendant in that the plaintiff will not be entitled to
recover unless the defendant did something that it should not have done,
i.e., an action, or failed to do something that it should have done, i.e., an
omission, pursuant to the duty owed the plaintiff under the law. The
duty can arise either from a valid legislative enactment, that is, by
statute, or be imposed by a common law principle recognized in the
caselaw. The existence of a legal duty is a question of law for the court.
(Citations and punctuation omitted.) Rasnick v. Krishna Hospital, Inc., 289 Ga. 565,
566-567 (713 SE2d 835) (2011).3
3
See OCGA § 51-1-6 (“When the law requires a person to perform an act for
the benefit of another or to refrain from doing an act which may injure another,
although no cause of action is given in express terms, the injured party may recover
for the breach of such legal duty if he suffers damage thereby.”); OCGA § 51-1-8
4
� McConnell acknowledges that a duty to safeguard and protect the personal
information of another has not been expressly recognized in Georgia caselaw.4
(“Private duties may arise from statute or from relations created by contract, express
or implied. The violation of a private duty, accompanied by damage, shall give a right
of action.”); see also Wells Fargo Bank, N.A. v. Jenkins, 293 Ga. 162, 164 (744 SE2d
686) (2013) (A legal duty that will support an actionable claim of negligence “cannot
rest solely upon OCGA § 51-1-6 because this statute sets forth merely general
principles of tort law. By its express terms, tort liability under OCGA § 51-1-6
mandates that the alleged tortfeasor[ ] ha[s] breached a legal duty to perform a
beneficial act or to refrain from doing an injurious act. So, the legal duty to support
[a plaintiff’s] negligence claim must be found in another legislative enactment”
beside OCGA § 51-1-6.) (citation omitted); City of Douglasville v. Queen, 270 Ga.
770, 771 (1) (514 SE2d 195) (1999) (The first element of a cause of action for
negligence is “[a] legal duty to conform to a standard of conduct raised by the law for
the protection of others against unreasonable risks of harm[.]”) (citation and
punctuation omitted); Diamond v. Dept. of Transp., 326 Ga. App. 189, 195 (2) (756
SE2d 277) (2014) (“[D]uty arises either from statute or from a common law principle
recognized in the case law.”) (citation omitted); Pulte Home v. Simerly, 322 Ga. App.
699, 705-706 (3) (746 SE2d 173) (2013) (“It is well-settled that Georgia law allows
the adoption of a statute or regulation as a standard of conduct so that its violation
becomes negligence per se. OCGA § 51-1-6 authorizes a plaintiff to recover damages
for the breach of a legal duty even when that duty arises from a statute that does not
provide a private cause of action. OCGA § 51-1-6 does not create a legal duty but
defines a tort and authorizes damages when a legal duty is breached.”) (citation and
punctuation omitted); Rockefeller v. Kaiser Foundation Health Plan of Georgia, 251
Ga. App. 699, 702-703 (554 SE2d 623) (2001) (To determine whether the violation
of a statute is negligence per se “it is necessary to examine the purposes of the
legislation and decide (1) whether the injured person falls within the class of persons
it was intended to protect and (2) whether the harm complained of was the harm it
was intended to guard against.”) (citations, punctuation, and footnote omitted).
4
In his appellate brief, McConnell avers that “data privacy and tort law related
to disclosure of personal identifying information (‘PII’) is a new and emerging area
5
�of law. It is rare to find a prior court opinion ‘on all fours’ with the facts of any given
information disclosure case. However, when one views the facts of this case in light
of general common-law principles of tort law, it is not difficult to see how and why
the law does and should recognize tort causes of action where a defendant discloses
PII without proper authorization or permission of the persons whose PII is disclosed.”
We note that a federal district court recently stated that “Georgia recognizes a general
duty to all the world not to subject them to an unreasonable risk of harm. . . . The
Court declines the Defendant’s invitation to hold that it had no legal duty to safeguard
information even though it had warnings that its data security was inadequate and
failed to heed them. To hold that no such duty existed would allow retailers to use
outdated security measures and turn a blind eye to the ever-increasing risk of cyber
attacks, leaving consumers with no recourse to recover damages even though the
retailer was in a superior position to safeguard the public from such a risk. . . .
Because this Court finds that a duty does exist, the [Defendant’s] motion to dismiss
[the Plaintiffs’ negligence claim] on the ground that there was no duty should also be
denied.” (Punctuation omitted.) In re: The Home Depot, Inc., Customer Data Security
Breach Litigation, Case No. 1:14-MD-2583-TWT, N. D. Ga., decided May 18, 2016
(2016 WL 2897520), citing Bradley Center Inc. v. Wessner, 250 Ga. 199 (296 SE2d
693) (1982). In Bradley Center Inc. v. Wessner, the Supreme Court of Georgia found
a legal duty “aris[ing] out of the general duty one owes to all the world not to subject
them to an unreasonable risk of harm. This has been expressed as follows: negligence
is conduct which falls below the standard established by law for the protection of
others against unreasonable risk of harm. Restatement, Torts, 2d, § 282.”
(Punctuation omitted.) 250 Ga. at 201. Despite the expansive language regarding a
general duty owed “to all the world” however, the issue presented in Bradley Center
Inc. v. Wessner was quite narrow: “whether an individual other than the patient can
recover for the alleged malpractice of the physician where that person is injured by
the criminal conduct of the patient and there is no privity between the injured party
and the physician.” 250 Ga. at 200. Noting that, “as a general rule, there is no duty
to control the conduct of third persons to prevent them from causing physical harm
to others[,]” the Supreme Court held that one of the exceptions to that rule applied
“because of the special relationship which existed between” the patient, who killed
his wife and her paramour while on a weekend pass from a psychiatric hospital, and
the physician, in a situation “where the course of treatment of a mental patient
6
�McConnell contends that such a common law duty exists nonetheless, citing two
statutory sources, OCGA §§ 10-1-393.8 and 10-1-910. In OCGA § § 10-1-910, the
General Assembly set out legislative findings underlying the Georgia Personal
Identity Protection Act, OCGA §§ 10-1-910 through 10-1-915 (the “GPIPA”),
enacted in 2005.5 In the GPIPA, the General Assembly found, inter alia, that “[t]he
privacy and financial security of individuals is increasingly at risk, due to the ever
more widespread collection of personal information by both the private and public
involve[d] an exercise of control over him by a physician who knows or should know
that the patient is likely to cause bodily harm to others.” (Citations and punctuation
omitted.) Id. at 201-202. See also City of Rome v. Jordan, 263 Ga. 26, 28-29 (1) (426
SE2d 861) (1993) (citing Bradley Center Inc. v. Wessner in analyzing whether there
can be liability based on a municipality’s duty to protect the general public from
criminal conduct and holding that, “where there is a special relationship between the
individual and the municipality which sets the individual apart from the general
public and engenders a special duty owed to that individual, the municipality may be
subject to liability for the nonfeasance of its police department”) (footnote omitted;
emphasis in original); City of Douglas v. Hudson, 315 Ga. App. 20, 22-23 (726 SE2d
496) (2012) (accord). There is no evidence of any such special relationship in this
case. As for the recent federal case, In re: The Home Depot, Inc., Customer Data
Security Breach Litigation, we are not bound to follow the district court’s
interpretation of Georgia law. Moreover, the district court found a duty to protect the
personal information of the defendant’s customers in the context of allegations that
the defendant failed to implement reasonable security measures to combat a
substantial data security risk of which it had received multiple warnings dating back
several years and even took affirmative steps to stop its employees from fixing known
security deficiencies. There are no such allegations in this case.
5
See Ga. Laws 2007, p. 450 (Act 241), § 1 (for name designation).
7
�sectors[,]” that ‘[i]dentity theft is one of the fastest growing crimes committed in this
state[,]” and that “[i]dentity theft is costly to the marketplace and to consumers[.]”
OCGA § 10-1-910 (1), (6). Because “[v]ictims of identity theft must act quickly to
minimize the damage[,] . . . expeditious notification of unauthorized acquisition and
possible misuse of a person’s personal information is imperative.” OCGA § 10-1-910
(7). In line with these findings, the GPIPA requires that affected persons be given
certain notice of a data breach.6 McConnell contends that in codifying these findings
the General Assembly demonstrated its intent to protect citizens from the adverse
effects of disclosure of personal information and created a general duty to preserve
and protect personal information. Notably, however, the GPIPA proscribes particular
conduct only after a (known or suspected) data security breach has occurred. Because
6
The GPIPA requires a government entity (as a “data collector”) “that
maintains computerized data that includes personal information of individuals” to
give prompt notice to affected Georgia residents of any security breach, that is,
acquisition of unencrypted personal information by any unauthorized person, and to
notify, without unreasonable delay, all consumer reporting agencies that compile and
maintain files on consumers on a nation-wide basis of the timing, distribution, and
content of the notices. OCGA §10-1-912. See OCGA § 10-1-911 (1) (definition of
a “breach of the security of the system”), (2) (definition of a “data collector”), (3)
(definition of “notice”). The GPIPA’s definition of “personal information” includes
an individual’s first and last name in combination with the person’s social security
number. OCGA § 10-1-911 (6). Another example is a person’s name in combination
with a credit or debit card number, if under the circumstances the number could be
used without a password or other information. Id.
8
�the GPIPA does not impose any standard of conduct in implementing and maintaining
data security practices, it can not serve as the source of a statutory duty to safeguard
personal information. Wells Fargo Bank, N.A. v. Jenkins, 293 Ga. 162, 165 (744 SE2d
686) (2013).7
Similarly, we conclude that OCGA § 10-1-393.8, which is part of the Fair
Business Practices Act of 1975 (the “FBPA”) as amended,8 can not serve as the
source of such a statutory duty. That Code section provides that, except as otherwise
provided, “a person, firm, or corporation shall not: . . . [p]ublicly post or publicly
display in any manner an individual’s social security number. . . . ‘[P]ublicly post’ or
7
In Wells Fargo Bank, N.A. v. Jenkins, a bank customer based a claim of
negligence on the bank’s failure to protect his personal information and asserted that
the legal duty to support his negligence claim was found in the federal Gramm-Leach-
Bliley Act, the “GLBA,” 15 U. S. C. § 6801 et seq. The Supreme Court of Georgia
explained that, although the GLBA “expressly authorizes federal agencies . . . to
establish appropriate standards” for financial institutions “relating to administrative,
technical, and physical safeguards,” including safeguards “to protect against
unauthorized access to or use of [customers’] records or information which could
result in substantial harm or inconvenience to any customer,” see 15 U.S.C. § 6801
(a), such “an aspirational statement of Congressional policy” should not be “misread
. . . as establishing a legal duty, the alleged breach of which would give rise under the
law of this State to a cause of action for negligence against financial institutions.” 293
Ga. at 164-165.
8
OCGA § 10-1-390 (OCGA § 10-1-390 through 10-1-408 shall be known as
the “Fair Business Practices Act of 1975.”).
9
�‘publicly display’ means to intentionally communicate or otherwise make available
to the general public[.]” OCGA § 10-1-393.8. As the trial court noted in the appealed
order, the FBPA expressly prohibits intentionally communicating a person’s social
security number, while McConnell alleges that the Department negligently
disseminated his SSN by failing “to take the necessary precautions required to
safeguard and protect the personal information from unauthorized disclosure.”
Although the FBPA imposes a standard of conduct to refrain from intentionally and
publicly posting or displaying SSNs,9 a legal duty to refrain from doing something
intentionally is not equivalent to a duty to exercise a degree of care to avoid doing
something unintentionally, which falls within the ambit of negligence. The trial court
9
The trial court questioned whether the Department is “a person, firm, or
corporation” subject to OCGA § 10-1-393.8. But the Department does not contend
that it is not subject to the statute. See OCGA §§ 10-1-392 (24) (For purposes of the
FBPA, including OCGA § 10-1-393.8, “‘[p]erson’ means a natural person,
corporation, trust, partnership, incorporated or unincorporated association, or any
other legal entity.”); 34-2-1 (“There is created and established a separate and
independent administrative agency to be known as the Department of Labor.”);
Foskey v. Vidalia City School, 258 Ga. App. 298, 301 (b) (574 SE2d 367) (2002)
(“When a governmental entity or quasi-public entity has independent legal status as
a public corporation, agency, or authority, the legislative act creating such
governmental entity generally confers one or more of the power and authority to
contract, hold property, eminent domain, or sue and be sued. The fact that a
governmental entity may have sovereign immunity from a tort action does not prevent
such entity from being a separate legal entity or an entity that may sue and be sued.”)
(citations omitted).
10
�correctly concluded that McConnell’s complaint is premised on a duty of care to
safeguard personal information that has no source in Georgia statutory law or caselaw
and that his complaint therefore failed to state a claim of negligence. Diamond v.
Dept. of Transp., 326 Ga. App. 189, 195-196 (2) (756 SE2d 277) (2014).
Given the General Assembly’s stated concern about the cost of identity theft
to the marketplace and to consumers, as well as the fact that it created certain limited
duties with regard to personal information (e. g., the duty to notify affected persons
of data breaches and the duty not to intentionally communicate information such as
SSNs to the general public), it may seem surprising that our legislature has so far not
acted to establish a standard of conduct intended to protect the security of personal
information, as some other jurisdictions have done in connection with data protection
11
�and data breach notification laws.10 It is beyond the scope of judicial authority,
10
See e.g. Ark. Code Ann. 4-110-104 (b) (In the Arkansas Personal
Information Protection Act: “A person or business that acquires, owns, or licenses
personal information about an Arkansas resident shall implement and maintain
reasonable security procedures and practices appropriate to the nature of the
information to protect the personal information from unauthorized access,
destruction, use, modification, or disclosure.”); Cal. Civ. Code § 1798.81.5 (In the
California Database Breach Act: “It is the intent of the Legislature to ensure that
personal information about California residents is protected. . . . A business that
owns, licenses, or maintains personal information about a California resident shall
implement and maintain reasonable security procedures and practices appropriate to
the nature of the information, to protect the personal information from unauthorized
access, destruction, use, modification, or disclosure.”); Fla. Stat. Ann. § 501.171 (2)
(“Each covered entity, governmental entity, or third-party agent shall take reasonable
measures to protect and secure data in electronic form containing personal
information.”); Md. Code Ann., Commercial Law § 14-3503 (In the Maryland
Personal Information Protection Act: “To protect personal information from
unauthorized access, use, modification, or disclosure, a business that owns or licenses
personal information of an individual residing in the State shall implement and
maintain reasonable security procedures and practices that are appropriate to the
nature of the personal information owned or licensed and the nature and size of the
business and its operations.”); Md. Code Ann., State Government § 10-1304 (“To
protect personal information from unauthorized access, use, modification, or
disclosure, a [state government] unit that collects personal information of an
individual shall implement and maintain reasonable security procedures and practices
that are appropriate to the nature of the personal information collected and the nature
of the unit and its operations.”); Nev. Rev. Stat. Ann. § 603A.210 (1) (“A data
collector that maintains records which contain personal information of a resident of
this State shall implement and maintain reasonable security measures to protect those
records from unauthorized access, acquisition, destruction, use, modification or
disclosure.”); Rhode Island Gen. Laws Ann. § 11-49.3-2 (a) (In the Rhode Island
Identity Theft Protection Act of 2015: “A municipal agency, state agency or person
that stores, collects, processes, maintains, acquires, uses, owns or licenses personal
information about a Rhode Island resident shall implement and maintain a risk-based
12
�however, to move from aspirational statements of legislative policy to an affirmative
legislative enactment sufficient to create a legal duty.11
2. McConnell contends that the trial court erred in dismissing his breach of
fiduciary duty claim for failure to state a claim upon which relief can be granted
based on its determination that he had not shown that he had a particular relationship
of trust or mutual confidence with the Department. “Establishing a claim for breach
of fiduciary duty requires proof of three elements: (1) the existence of a fiduciary
information security program that contains reasonable security procedures and
practices appropriate to the size and scope of the organization; the nature of the
information; and the purpose for which the information was collected in order to
protect the personal information from unauthorized access, use, modification,
destruction, or disclosure and to preserve the confidentiality, integrity, and
availability of such information.”).
11
See Wells Fargo Bank, N.A. v. Jenkins, 293 Ga. at 165 (The judiciary must
not misread “an aspirational statement of legislative policy” as an affirmative
legislative enactment that establishes a legal duty, as that would usurp legislative
authority.); Blotner v. Doreika, 285 Ga. 481, 481-482 (1) (678 SE2d 80) (2009)
(Where a particular common law duty was not recognized in Georgia, the common
law rule could be changed only by legislative act.); Perdue v. Baker, 277 Ga. 1, 14
(586 SE2d 606) (2003) (“The core legislative function is the establishment of public
policy through the enactment of laws.”) (footnote omitted); Commonwealth Inv. Co.
v. Frye, 219 Ga. 498, 499 (2) (134 SE2d 39) (1963) (Our appellate courts’ “authority
extends only to the correction of errors of law, and we have no legislative powers or
functions. [T]he legislature, and not the courts, is empowered by the Constitution to
decide public policy, and to implement that policy by enacting laws; and the courts
are bound to follow such laws if constitutional.”) (citations and punctuation omitted).
13
�duty; (2) breach of that duty; and (3) damage proximately caused by the breach.”
(Citation and punctuation omitted.) Wells Fargo Bank, N.A. v. Cook, 332 Ga. App.
834, 842 (1) (775 SE2d 199) (2015). “Any relationship shall be deemed confidential,
whether arising from nature, created by law, or resulting from contracts, where one
party is so situated as to exercise a controlling influence over the will, conduct, and
interest of another or where, from a similar relationship of mutual confidence, the law
requires the utmost good faith, such as the relationship between partners, principal
and agent, etc.” OCGA § 23-2-58.
McConnell argues that, because a fiduciary relationship, in addition to being
created by statute or contract, may also be created by the facts of a particular case, a
claim for breach of fiduciary duty is uniquely unsuitable for disposition via a motion
to dismiss, when the plaintiff has not been able to conduct discovery.12 In his
complaint, McConnell alleged that a fiduciary duty arose when the Department
required him to disclose confidential personal identification information in order to
obtain services or benefits from the Department and that he reasonably placed his
12
See Wright v. Apartment Investment & Mgmt. Co., 315 Ga. App. 587, 592 (2)
(726 SE2d 779) (2012) (“[S]ince a confidential relationship may be found whenever
one party is justified in reposing confidence in another, the existence of a confidential
or fiduciary relationship is generally a factual matter for the jury to resolve.”).
14
�trust and confidence in the Department to safeguard and protect his information from
public disclosure. He contends that the Department was “so situated as to exercise a
controlling influence over . . . [his] interest” because, unless he provided his personal
information to the Department, he would not receive unemployment benefits,
resulting in a fiduciary relationship.
In a recent case, a bank employee gave a customer’s information to the
employee’s husband, which allowed her husband to steal the customer’s identity.
Jenkins v. Wachovia Bank, N.A., 314 Ga. App. 257 (724 SE2d 1) (2012), reversed in
part on other grounds sub nom. Wells Fargo Bank, N.A. v. Jenkins, 293 Ga. 162 (744
SE2d 686) (2013), and opinion vacated in part, 325 Ga. App. 376 (752 SE2d 633)
(2013). The customer sued the bank, asserting claims that the bank negligently failed
to protect his personal information, breached a duty of confidentiality, and invaded
his privacy. 314 Ga. App. at 257. The customer alleged that the bank “falsely
represented to its customers and members of the general public that it created and
implemented a system to adequately protect the private and personal identifying
information entrusted to it by its customers[.]” Id. Noting that the bank-customer
relationship generally is not a confidential relationship under Georgia law, this Court
held that the plaintiff had not pled “any special circumstances showing that he had a
15
�particular relationship of trust or mutual confidence with [the bank].” Id. at 262 (2).13
ln other words, the fact that the plaintiff gave the bank his personal information to
receive services, and the bank promised to protect this information, did not create a
confidential relationship under Georgia law. Likewise, in alleging in this case that he
gave the Department his personal information as a prerequisite to receiving services,
with the expectation that the Department would protect his information, McConnell
failed to assert in his complaint facts showing that the Department owed him a
confidential duty to protect that information. Id. at 261-262 (2).14
13
See Jenkins v. Wachovia Bank, N.A., 325 Ga. App. 376, 377 (752 SE2d 633)
(2013) (Because the Supreme Court in Wells Fargo Bank, N.A. v. Jenkins, 293 Ga.
162 (744 SE2d 686) (2013), did not address or consider Division 2 of our earlier
opinion in Jenkins v. Wachovia Bank, N.A., 314 Ga. App. 257 (724 SE2d 1) (2012),
and because that portion of our earlier opinion was consistent with the Supreme
Court’s opinion, that division remains binding.).
14
Cf. Daly v. Metropolitan Life Ins. Co., 4 Misc. 3d 887, 892 (782 NYS2d 530,
535) (N. Y. Sup. Ct. 2004) (When the plaintiff wished to purchase a life insurance
policy from the defendant, she was required to, and agreed to supply the company
with highly sensitive personal information including her full name, her social security
number, and her date of birth. The trial court concluded that, under New York law,
there was in this agreement an implied covenant of trust and confidence that the
defendant would safeguard and protect the plaintiff’s personal information, as
evidenced by the defendant’s privacy notice to its customers stating that they took
great care in safeguarding customers’ personal information. The court noted, “[w]hile
this concept has never before been applied to issues surrounding the protection of
confidential personal information, perhaps in the absence of appropriate legislative
action, it should.”).
16
� 3. McConnell contends that the trial court erred in ruling that he failed to state
a claim upon which relief can be granted for invasion of privacy, public disclosure
of private facts, based, inter alia, on its determination that the elements of that tort
cannot be satisfied unless the facts at issue are embarrassing private facts. McConnell
argues that
Georgia law recognizes a variety of information as private and not
subject to public disclosure, including certain financial and banking
records, medical records, certain police records (particularly records of
juvenile crime) and records related to status as a victim of a crime
(particularly sexual assault). The law recognizes a claim for
unauthorized disclosure of private information in these circumstances.
Under Georgia law,
there are four disparate torts under the common name of invasion of
privacy. These four torts may be described briefly as: (1) intrusion upon
the plaintiff’s seclusion or solitude, or into his private affairs; (2) public
disclosure of embarrassing private facts about the plaintiff; (3) publicity
which places the plaintiff in a false light in the public eye; and (4)
appropriation, for the defendant’s advantage, of the plaintiff’s name or
likeness.
17
�(Citation and punctuation omitted.) Bullard v. MRA Holding, LLC, 292 Ga. 748, 751-
752 (2) (740 SE2d 622) (2013). There are at least three necessary elements for
recovery for
[p]ublic disclosure of embarrassing private facts about the plaintiff[,] .
. . : (a) the disclosure of private facts must be a public disclosure; (b) the
facts disclosed to the public must be private, secluded or secret facts and
not public ones; (c) the matter made public must be offensive and
objectionable to a reasonable man of ordinary sensibilities under the
circumstances.
Cabaniss v. Hipsley, 114 Ga. App. 367, 372 (2) (151 SE2d 496) (1966). See also
Thomason v. Times-Journal, 190 Ga. App. 601, 604 (4) (379 SE2d 551) (1989)
(accord).
In Cumberland Contractors, Inc. v. State Bank & Trust Co., the plaintiffs
claimed that the defendant bank’s publication of their social security numbers could
result in identify theft, credit card fraud, and other offenses that might damage them
personally and financially. We held that such allegations
do not fall within the causes of action for invasion of privacy because
there is no allegation that [the defendant] (1) intruded into the
[plaintiffs’] seclusion, (2) disclosed embarrassing private facts, (3)
depicted the [plaintiffs] in a false light, or (4) appropriated the
[plaintiffs’] name or likeness for [the defendant’s] own advantage.
18
�Cumberland Contractors, Inc. v. State Bank & Trust Co., 327 Ga. App. 121, 126 (2)
(a) (755 SE2d 511) (2014). As a result, we held, the trial court properly dismissed the
plaintiffs’ claim for invasion of privacy for failure to state a claim for relief under
Georgia law. Id. The trial court in this case properly dismissed McConnell’s invasion
of privacy claim for the same reason. Id.; Jenkins v. Wachovia Bank, N.A., 314 Ga.
App. at 262-263 (3)15; Cabaniss v. Hipsley, 114 Ga. App. at 372 (2).
Judgment affirmed. Branch and Mercier, JJ., concur.
15
See Jenkins v. Wachovia Bank, N.A., 325 Ga. App. 376, 377 (752 SE2d 633)
(2013) (Because the Supreme Court in Wells Fargo Bank, N.A. v. Jenkins, 293 Ga.
162 (744 SE2d 686) (2013), did not address or consider Division 3 of our earlier
opinion in Jenkins v. Wachovia Bank, N.A., 314 Ga. App. 257 (724 SE2d 1) (2012),
and because that portion of our earlier opinion was consistent with the Supreme
Court’s opinion, that division remains binding.).
19
�