Collins v. Athens Orthopedic Clinic

Ray, Judge.

*642After an anonymous hacker known as the "Dark Overlord" stole the personally identifiable information ("PII") of approximately 200,000 current and former Athens Orthopedic Clinic ("AOC") patients, Christine Collins, Paulette Moreland, and Kathryn Strickland (collectively, the "Plaintiffs") filed a putative class action. The trial court granted AOC's motion to dismiss, and the Plaintiffs appealed, arguing that the trial court erred by implicitly finding that they failed to state a claim and lacked standing under Article III of the United States Constitution; and by relying on facts outside the four corners of the complaint. We affirm.

We review the grant of a motion to dismiss de novo, construing the factual allegations of the complaint in the light most favorable to the plaintiff. Radio Perry v. Cox Communications, Inc. , 323 Ga. App. 604, 605 (1), 746 S.E.2d 670 (2013). The complaint should be dismissed only if its allegations demonstrate with certainty that the claimants "would not be entitled to relief under any state of provable facts asserted in support thereof; and ... the movant establishes that the claimant could not possibly introduce evidence within the framework of the complaint sufficient to warrant a grant of the relief sought." (Citation omitted.) Id.

Plaintiffs allege that the hack took place and was discovered by AOC in June 2016, and that AOC notified them of the breach in August 2016. The Dark Overlord apparently gained access to the PII database by using a third-party vendor's log-in credentials, and when AOC refused to pay a ransom for the information, the Dark Overlord offered some of it for sale on the "Dark Web,"1 and made some of it at least temporarily available on Pastebin, a data-storage website designed to facilitate the sharing of large amounts of data online.

Plaintiffs allege that the data breach exposes them to the threat of identity theft and other harm. All three Plaintiffs were notified that their information had been compromised, and spent time placing fraud or credit alerts on their credit reports. Only Collins had fraudulent charges made on her credit card and spent time getting them reversed.2

On January 20, 2017, the Plaintiffs filed a putative class action alleging violation of the Georgia Uniform Deceptive Trade Practices Act ( OCGA § 10-1-370, et seq. ), breach of implied contract, unjust enrichment, and negligence. Plaintiffs also seek a declaratory judgment and attorney fees. They seek reimbursement for costs incurred and future costs to be incurred for the purchase of credit monitoring and identity theft protection, or the placing of credit freezes on their accounts, as well as injunctive relief.

On June 26, 2017, the trial court granted AOC's motion to dismiss. The order states, in its entirety:

Before the Court is Defendant [AOC's] motion to dismiss pursuant to OCGA § 9-11-12, which motion having come on for a hearing June 14, 2017. Having considered the oral arguments of counsel, the briefs of Plaintiffs and the Defendant and all pleadings, but having considered no matters outside the pleadings, it is hereby ORDERED that the Motion to Dismiss is GRANTED.

1. Plaintiffs argue that the trial court erred in considering matters outside the complaint. They point, inter alia, to questions the trial court asked during the hearing on the motion to dismiss. Where matters outside the pleadings are presented, "a further determination has to be made as to whether the trial court excluded them. If the trial court excluded such matters, then the *643motion is for dismissal. If the trial court considered such matters, then the motion is for summary judgment." (Citations omitted.) Thompson v. Avion Systems, Inc ., 284 Ga. 15, 16-17, 663 S.E.2d 236 (2008). Here, the trial court's order expressly stated that it "considered no matters outside the pleadings[.]" We find no error.

2. Plaintiffs argue, generally, that the trial court erred in dismissing their complaint by implicitly finding that they failed to state a claim and lacked standing under Article III.

(a) Negligence claim . To state a cause of action for negligence in Georgia, the Plaintiffs must show

(1) A legal duty to conform to a standard of conduct raised by the law for the protection of others against unreasonable risks of harm; (2) a breach of this standard; (3) a legally attributable causal connection between the conduct and the resulting injury; and, (4) some loss or damage flowing to the plaintiff's legally protected interest as a result of the alleged breach of the legal duty ... It is well-established Georgia law that before an action for a tort will lie, the plaintiff must show he sustained injury or damage as a result of the negligent act or omission to act in some duty owed to him.

(Citations and punctuation omitted) Whitehead v. Cuffie , 185 Ga. App. 351, 352-353 (2), 364 S.E.2d 87 (1987). The complaint alleges that "[a]s a direct and proximate result of [AOC's] negligence, Plaintiffs and other Class Members have suffered, or will suffer, damages, including the cost of identity theft protection and/or credit monitoring services and the costs associated with placing and maintaining a credit freeze on their accounts over the course of a lifetime."

While we never have addressed directly whether prophylactic costs anticipated or incurred to protect oneself against the threat of identity theft following a data breach constitute "loss or damage" pursuant to Whitehead , supra, some Georgia cases offer guidance.

In Finnerty v. State Bank and Trust Co. , 301 Ga. App. 569, 687 S.E.2d 842 (2009), disapproved on other grounds by Cumberland Contractors, Inc. v. State Bank and Trust Co. , 327 Ga. App. 121, 125 (2), n. 4, 755 S.E.2d 511 (2014), Finnerty, a signatory on a promissory note, counterclaimed against a bank suing him for default. He alleged invasion of privacy and negligence because the bank disclosed his Social Security number in the complaint. Id. at 569, 687 S.E.2d 842. Finnerty argued that he suffered " 'an increased risk of identity theft' and that 'non-authorized third parties have access to the otherwise confidential personal information[.]' " Id. at 572 (4), 687 S.E.2d 842. We affirmed the trial court's grant of summary judgment to the bank, finding that "[a] fear of future damages is too speculative to form the basis for recovery." (Footnote omitted.) Id. This Court found that Finnerty "failed to demonstrate that the [b]ank's purported unlawful disclosure made it 'probable' that he would suffer any identity theft or that any specific persons actually have accessed his confidential personal information[.]" Id.

The instant case differs in that Plaintiffs alleged that the "Dark Overlord" had accessed their PII, offered to sell it on the Dark Web, and placed it, at least temporarily, on Pastebin. However, as OCGA § 51-12-8 provides, "[i]f the damage incurred by the plaintiff is only the ... possible result of a tortious act ... such damage is too remote to be the basis of recovery against the wrongdoer." See generally Rite Aid of Ga. v. Peacock , 315 Ga. App. 573, 576 (1) (a) (i), 726 S.E.2d 577 (2012) (in appeal of case alleging, inter alia, breach of contract and unjust enrichment, this Court pretermitted whether the sale of the plaintiff's personal medication information was illegal and reversed class certification, finding a lack of commonality in that "although [plaintiff] felt that the sale of his prescription information to Walgreens was illegal, he could not say that he had suffered any actual financial or physical injury ....)" (emphasis in original).

While Finnerty and Rite Aid are factually and procedurally distinct from the present case in that they did not involve motions to dismiss and did not feature theft of PII, they nonetheless suggest that the fact of compromised data is not a compensable injury by itself in the absence of some "loss or damage flowing to the plaintiff's legally *644protected interest as a result of the alleged breach of the legal duty[.]" (Citation and punctuation omitted.) Whitehead , supra at 352 (2), 364 S.E.2d 87 .

Further, the instant factual scenario finds a fitting analogue in the context of other torts. In Boyd v. Orkin Exterminating Co. , 191 Ga. App. 38, 40-41 (1), (2), 381 S.E.2d 295 (1989), overruled on other grounds by Hanna v. McWilliams , 213 Ga. App. 648, 651 (2) (b), 446 S.E.2d 741 (1994), the plaintiffs sued Orkin for the negligent application of insecticide in their home. The trial court found that the plaintiffs' children's claims were barred to the extent that they sought damages for the "increased risk of cancer" to which they had been exposed. In affirming the grant of summary judgment, we explained:

[e]ven assuming arguendo that there was sufficient evidence before the jury to support a finding that Orkin had been negligent in its application of pesticides to the Boyds' home, there was no evidence that the appellants had sustained any specific injury ... The results of organ function tests conducted on the children were all within normal range .... [Further,] [w ]e reject the appellants' contention that the jury could have assessed damages against Orkin based on expert testimony that the presence of elevated levels of the heptachlor metabolite in the children's blood itself constituted "injury." Absent any indication that the presence of these metabolites had caused or would eventually cause actual disease, pain, or impairment of some kind , this testimony must be considered insufficient to support an award of damages in any amount.

(Punctuation omitted; emphasis supplied.) Id. at 40 (1), 381 S.E.2d 295. In both Boyd and the case before us, the defendant's alleged negligence exposed the Plaintiffs to a risk of harm which may or may not occur, be it disease in Boyd or identity theft in the instant action. What is crucial to our analysis is whether the data theft, as Boyd provides, "had caused or would eventually cause" injury.3 With regard to the increased risk of harm, we found that the trial court did not err in granting partial summary judgment to Orkin:

on the issue of the appellants' right to recover for the alleged "increased risk of cancer" to which the children had been exposed as a result of the termite treatments. In those jurisdictions which have allowed recovery for an enhanced future risk of developing a new complication, the claimant has been required to establish a "reasonable medical certainty" that such consequences will occur ... The evidence present in this case falls far short of that standard. The appellants merely produced medical testimony that the children will require monitoring in the future to determine whether they developed health problems due to their exposure to the chemicals.

(Emphasis supplied.) Boyd , supra at 40-41 (2), 381 S.E.2d 295. See also Crawford W. Long Memorial Hosp. v. Hardeman , 84 Ga. App. 306, 306 (2), 66 S.E.2d 67 (1951) (in negligence action, plaintiff's allegations regarding future medical expenses likely to be incurred by his wife were too speculative, absent itemization and substantiating facts). Compare In Re Arby's Restaurant Group Inc. Litig. , 1:17-mi-55555-AT at 27, 2018 WL 2128441 (N.D. Ga. 2018) (finding that a complaint survived a motion to dismiss where, although "a plaintiff may not recover for injuries that are purely speculative, such as the potential risk of future identity theft , Plaintiffs' Complaint alleges costs associated with actual data theft ") (Footnote omitted; emphasis supplied.) Id. See generally Resnick v. AvMed, Inc ., 693 F.3d 1317, 1321-1324 (I)-(II), (V) (A) (11th Cir. 2012) (finding, pursuant to Florida law, that plaintiffs successfully stated a claim for, inter alia, negligence and breach of contract following the theft of company laptops containing their personal information, where they alleged "financial injury" as victims of identity theft and showed that, variously, third parties had opened bank accounts, changed a home address *645with the United States Postal Service, and activated credit cards, made purchases in one plaintiff's name, and opened and overdrawn an E*Trade account in another plaintiff's name).4

Again, the Plaintiffs allege that their information has been compromised and that they have spent time placing fraud or credit alerts on their accounts and "anticipate" spending more time on these activities.5 Plaintiffs claim damages, specifying only the cost of identity theft protection, credit monitoring, and credit freezes to be maintained "over the course of a lifetime." While credit monitoring and other precautionary measures are undoubtedly prudent, we find that they are not recoverable damages on the facts before us because the Plaintiffs seek only to recover for an increased risk of harm. See generally Parker v. Wellman , 230 Fed. Appx. 878, 883 (III) (A) (11th Cir. 2007) ("Plaintiffs have failed to point us to any Georgia authority that allows recovery of medical monitoring costs in the absence of a current physical injury, and Boyd [, supra] suggests that Georgia would not recognize such a claim") (citation and footnote omitted). We find that, as in the context of medical monitoring in toxic tort cases, prophylactic measures such as credit monitoring and identity theft protection and their associated costs, which are designed to ward off exposure to future, speculative harm, are insufficient to state a cognizable claim under Georgia law. See Common Cause/Georgia v. Campbell , 268 Ga. App. 599, 600, 602 (2), 602 S.E.2d 333 (2004) (where defendant argued that plaintiff lacked standing and failed to state a claim, this Court upheld motion to dismiss because relief sought was not legally cognizable).

(b) Breach of implied contract claim . Plaintiffs also argue that the trial court erred in dismissing their claim for breach of implied contract, arguing that they provided their PII to AOC as a required part of receiving care from AOC, and that, in return, AOC promised to safeguard their PII and timely notify them if it was compromised.6

For the reasons outlined in Division (1) (a), in that the Plaintiffs have not alleged a legally cognizable claim, their claim for breach of implied contract also must fail. "The elements for a breach of contract claim in Georgia are the (1) breach and the (2) resultant damages (3) to the party who has the right to complain about the contract being broken." (Citation and punctuation omitted.) Roberts v. JP Morgan Chase Bank, Nat. Assoc. , 342 Ga. App. 73, 76 (1), 802 S.E.2d 880 (2017). As outlined above, the harms alleged in the complaint are too speculative under our law to constitute "damages" and the Plaintiffs seek a prophylactic recovery, for which our law does not provide.

Plaintiffs argue that costs such as identity theft protection, credit monitoring, and costs associated with a credit freeze are "classic measures of consequential damages" because they are incurred to mitigate "foreseeable" damages. However, mitigation damages lessen the severity of an injury that already has taken place; if no injury occurred, there is no legally cognizable harm to mitigate. See OCGA § 13-6-5 ("[w]here by a breach of contract a party is injured , he is bound to lessen the damages as far as is practicable ...") (emphasis supplied). See generally Lyon v. Schramm , 291 Ga. App. 48, 52, 661 S.E.2d 178 (2008) (absent injury, there is no duty to mitigate). Thus, since Plaintiffs here have not yet suffered a compensable injury, the costs they reference are prophylactic and may not be recovered as consequential damages.

(c) Declaratory judgment claim . Plaintiffs argue on appeal that the trial court *646erred in dismissing their declaratory judgment claim. In their complaint, Plaintiffs sought a declaration that AOC is not in compliance with its "existing obligations, and that [AOC] must implement specific additional, prudent security practices" and "provide credit monitoring and identity theft protection" to the Plaintiffs.

As an initial matter, Plaintiffs cite to no Georgia authority requiring AOC to provide them with credit monitoring or identity theft protection at this juncture, nor do we discern any. Further, although Plaintiffs contend that they "need court guidance to protect them from the uncertainty of AOC's inability to safeguard their PII[,]" the pleadings do not actually show any uncertainty which a declaration by a court would resolve.

[A] declaratory judgment may not be granted in the absence of a justiciable controversy. The plaintiff must show facts or circumstances whereby it is in a position of uncertainty or insecurity because of a dispute and of having to take some future action which is properly incident to its alleged right, and which future action without direction from the court might reasonably jeopardize its interest.

(Citation and punctuation omitted.) Effingham County Bd. of Com'rs v. Effingham County Indus. Dev. Auth. , 286 Ga. App. 748, 749, 650 S.E.2d 274 (2007). "[W]hen a party seeking declaratory judgment does not show it is in a position of uncertainty as to an alleged right, dismissal of the declaratory judgment action is proper." (Citations omitted.) SAWS at Seven Hills, LLC v. Forestar Realty, Inc. , 342 Ga. App. 780, 783 (1), 805 S.E.2d 270 (2017). Here, Plaintiffs already have taken measures to protect themselves from negligent data security by placing alerts on their credit reports. The Plaintiffs "need no direction" to do so. Effingham County Bd. of Com'rs , supra at 750, 650 S.E.2d 274 (declaratory judgment improper where declaration sought addressed things that already had occurred). A declaration would do nothing to clarify Plaintiffs' rights or their relationship with AOC, and dismissal was proper.7

(d) Claims under the Georgia Uniform Deceptive Trade Practices Act . Next, Plaintiffs argue that the trial court erred in dismissing their claims under the Georgia Uniform Deceptive Trade Practices Act ("the UDTPA"), OCGA § 10-1-370 et seq. We disagree.

A person likely to be damaged by a deceptive trade practice of another may be granted an injunction against it under the principles of equity and on terms that the court considers reasonable. Proof of monetary damage, loss of profits, or intent to deceive is not required.

OCGA § 10-1-373 (a). See generally OCGA § 10-1-372. Without clearly indicating what injunctive relief they seek, the Plaintiffs argue that AOC engaged in, inter alia, unfair and deceptive trade practices by failing to provide reasonable and adequate security for their data, that AOC knew or should have known its data security was inadequate and its omissions regarding its ability to provide such security "was an act likely to mislead" Plaintiffs, that the data breach left AOC's systems "even more vulnerable to future unauthorized action," and that Plaintiffs "will suffer damages in the future" including the cost of identity theft protection and credit monitoring.

The UDTPA offers only injunctive relief where the plaintiff has established a likelihood of damage. See generally Moore-Davis Motors, Inc. v. Joyner , 252 Ga. App. 617, 619 (3), 556 S.E.2d 137 (2001). The UDTPA does not address past harm. Catrett v. Landmark Dodge, Inc ., 253 Ga. App. 639, 644 (3), 560 S.E.2d 101 (2002). To state a claim and to establish standing under the UDTPA, Plaintiffs must allege that they are likely to be damaged in the future by an unfair trade practice. See OCGA § 10-1-373 (a). Friedlander v. HMS-Pep Products, Inc. , 226 Ga. App. 123, 124-125 (1) (a), 485 S.E.2d 240 (1997) (To establish standing under the UDTPA, plaintiff *647must show a likelihood of future damage). Accord Iler Group, Inc. v. Discrete Wireless, Inc ., 90 F.Supp.3d 1329, 1342 (III) (B) (1) (N. D. Ga. 2015) (discussing statutory standing under the UDTPA). See also Bolinger v. First Multiple Listing Svc., Inc. , 838 F.Supp.2d 1340, 1365 (V) (B) (N. D. Ga. 2012) (discussing statement of claim under UDTPA).

Plaintiffs do not allege any future, nonspeculative harm which an injunction would remedy.8 It is impossible to say whether the Dark Overlord or anyone else with access to the stolen data actually will use that data. To receive relief, "[a]t the very minimum, [Plaintiffs] must show some causal connection between something [AOC] has done and [their] own nonspeculative damages[.]" (Emphasis supplied.) Friedlander , supra at 125 (1) (a), 485 S.E.2d 240 (plaintiff failed to show likelihood of damage by competitors' weight loss products where plaintiff had not yet marketed his own weight loss product). The trial court did not err.

(e) Unjust enrichment claim . Plaintiffs argue that the trial court erred in dismissing their claim for unjust enrichment. The Plaintiffs' claim for unjust enrichment is predicated upon AOC's alleged failure to provide reasonable security for their data and its "fail[ure] to disclose" to Plaintiffs that "its computer systems and security practices were inadequate to protect their PII against theft."9

Unjust enrichment is an equitable concept and applies when as a matter of fact there is no legal contract, but when the party sought to be charged has been conferred a benefit by the party contending an unjust enrichment which the benefitted party equitably ought to return or compensate for. A claim for unjust enrichment is not a tort, but an alternative theory of recovery if a contract claim fails.

(Citations and punctuation omitted.) Wachovia Ins. Svcs., Inc. v. Fallon , 299 Ga. App. 440, 449 (6), 682 S.E.2d 657 (2009).10 Here, Plaintiffs "did not plead unjust enrichment as an alternate theory of recovery based on a failed contract. Thus, [their] claim for such relief cannot succeed." (Citation omitted.) Cash v. LG Electronics, Inc ., 342 Ga. App. 735, 742 (2), 804 S.E.2d 713 (2017).

(f) Attorney fees . Plaintiffs argue that the trial court erred in dismissing their claim for attorney fees under OCGA § 13-6-11. However, attorney fees and litigation expenses under OCGA § 13-6-11 are "ancillary and recoverable only where other elements of damage are recoverable on the underlying claim[s]." (Citation and punctuation omitted.) Sparra v. Deutsche Bank Nat. Trust Co. , 336 Ga. App. 418, 423 (1) (f), 785 S.E.2d 78 (2016). Because of our decision in Division (2) (a)-(e), this claim does not survive.

Judgment affirmed.

Rickman, J., concurs. McFadden, P. J., concurs in Division 1 and dissents in Division 2.*

* DIVISION 2 OF THIS OPINION IS PHYSICAL PRECEDENT ONLY. SEE COURT OF APPEALS RULE 33.2.

The "Dark Web" refers broadly to the part of the World Wide Web that is only accessible by special software, allowing users to remain anonymous. See "DarkWeb" Wikipedia, https://en.wikipedia.org/wiki/Dark_web (accessed May 7, 2018).

We note that Collins does not allege within the complaint that the fraudulent charges were related to the data breach.

See generally Pisciotta v. Old Nat. Bancorp. , 499 F.3d 629, 634 (II) (A), 638-640 (II) (B) (2), (3) (7th Cir. 2007) (finding data breach plaintiffs had Article III standing but failed to state a claim because, based on toxic tort and medical monitoring cases, Indiana law did not consider exposure to identity theft and costs of protective measures compensable injury).

Other than decisions of the United States Supreme Court, we are not, of course, bound by federal law, though it is instructive.

As previously set forth, although one Plaintiff alleges she also spent time getting fraudulent charges reversed, she does not allege that the charges were related to or caused by the data breach. See generally Resnick , supra at 1330-1332 (discussion, in dissent, of view that plaintiffs failed to state a claim where complaint did not allege plausible basis for finding that defendant caused plaintiffs to suffer identity theft).

AOC contends that there can be no implied contract because an express contract exists between AOC and its patients.

To the extent that the Plaintiffs argue that the "uncertainity" is whether AOC should protect their confidential financial information, such argument is a non-starter. As far as we can tell, that AOC must protect this information is not a contested point, only whether AOC failed to do so and whether the Plaintiffs have suffered any damages therefrom.

Indeed, given that the data has already been exposed to the Dark Overlord, we are unable to determine how the injunction would provide any benefit to the Plaintiffs, or even what it would enjoin.

In this claim, Plaintiffs again seek "free" credit monitoring and identity theft protection, and "restitution" of payments they may have made for such services. See Zampatti v. Tradebank Intl. Franchising Corp ., 235 Ga. App. 333, 340 (5), 508 S.E.2d 750 (1998) ("benefit is measured from the standpoint of the [defendant] upon whom such benefits were conferred ... and not upon the cost [to the plaintiff] to render the service of cost of the goods").

Plaintiffs' unjust enrichment claim is somewhat different in structure from that outlined by our statute. OCGA § 9-2-7 provides, "Ordinarily, when one renders a service or transfers property which is valuable to another, which the latter accepts, a promise is implied to pay the reasonable value thereof." Here, Plaintiffs essentially argue that they paid money for medical care, to which personal data security was an incidental, yet included, term of such contract.