According to the highest court in the state, Georgia state government does not have an inherent obligation to protect citizens’ personal or sensitive data like social security numbers or status on the unemployment rolls. This decision was taken without consideration of damage to the plaintiff citizens whose data was negligently distributed.
On May 20, 2019, the Georgia Supreme Court issued a landscape-changing privacy decision which, in the absence of a special relationship, rids Georgia governmental entities of the general duty to safeguard personal information given to them. Now, entities must be careful when contracting with Georgia governmental entities if sharing personal information. Companies should also consider contractual protections addressing exchanges of personal information going to the government, and mandate that information is kept according to certain information security practices.
This case arose because the Georgia Department of Labor (the “Department”) created a spreadsheet containing personal information (some of which is considered “sensitive information”) and shared it without permission of the individuals whose information was in the spreadsheet. Specifically, the spreadsheet contained the name, social security number, home telephone number, e-mail address, and age of 4,757 individuals who applied for unemployment benefits and other services administered by the Department. The Department mistakenly sent that spreadsheet to 1,000 recipients without the individuals’ permission. The individuals sued the Department, alleging the Department was negligent and breached its fiduciary duty, among other privacy tort claims.
Plaintiffs argued that the Department owed a common law duty, a statutory duty, and a fiduciary duty. According to Plaintiffs, the Department owed a duty to all the individuals who applied for state benefits to safeguard and protect their personal information because, citing a Georgia Supreme Court case, there is “a general duty one owes to all the world not to subject them to an unreasonable risk of harm.” Bradley Ctr., Inc. v. Wessner, 250 Ga. 199, 201 (1982), disapproved of by Georgia Dep't of Labor v. McConnell, No. S18G1316, 2019 WL 2167323 (Ga. May 20, 2019). The Court, however, disagreed. Bradley Center did not create a common law duty to protect others from an unreasonable risk of harm
Breaching the Trustee Clause of the Georgia Constitution requires personal benefit from the public officer. Plaintiffs claimed that the Department’s employees, as public officers, breached their fiduciary duty to protect their personal information under the Trustee Clause of the Georgia Constitution. But the Trustee Clause only applies where a public officer has “definitely benefitted financially” as a result of performing official duties. Because the Plaintiffs did not allege that Department employees benefitted financially, the Trustee Clause did not apply in this case.
Plaintiffs also asserted fiduciary relationship existed between Plaintiffs and the Department. According to Plaintiffs, the transfer of confidential personal information for the purpose of obtaining services or benefits from the Department requires a reasonable placement of trust and confidence that there would not be an unauthorized disclosure. The Court found this claim meritless because Plaintiffs provided no evidence of a special relationship of trust or mutual confidence between the parties—providing personal information in order to receive benefits is common between citizens and government agencies, and therefore insufficient to show a fiduciary relationship.
Womble Bond Dickinson (US) LLP client alerts are intended to provide general information about significant legal developments and should not be construed as legal advice on any specific facts and circumstances, nor should they be construed as advertisements for legal services.