McCONNELL Et Al. v. DEPARTMENT OF LABOR
337 Ga. App. 457
Ga. Ct. App.2016Background
- In Sept. 2012 the Georgia Department of Labor created a spreadsheet listing names, SSNs, phone numbers, emails, and ages for >4,000 applicants; McConnell’s data was included.
- A year later a Department employee accidentally emailed the spreadsheet to ~1,000 recipients. The Department admitted creation and inadvertent dissemination.
- McConnell filed a class action alleging negligent disclosure of personal information, invasion of privacy (public disclosure of private facts), and breach of fiduciary duty; he sought costs of identity‑protection services and damages for fear of future identity theft. No identity theft had actually occurred.
- The Department moved to dismiss under OCGA § 9‑11‑12(b)(6); the superior court dismissed all counts for failure to state a claim and found sovereign‑immunity issues as to some asserted losses.
- On appeal, the Court of Appeals reviewed de novo, accepted well‑pleaded facts as true, and affirmed dismissal, reasoning Georgia law provides no general statutory or common‑law duty to safeguard personal information in these circumstances and the invasion‑of‑privacy tort requires disclosure of embarrassing private facts.
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Whether Georgia recognizes a general negligence duty to safeguard personal information | McConnell: GPIPA and FBPA legislative findings show intent to protect PII and create a duty; common‑law principles support recognizing a duty for unauthorized disclosures | Dept. of Labor: No Georgia statute or common‑law precedent imposes a negligence duty to safeguard PII; GPIPA and FBPA do not create such a standard of conduct | No duty recognized here; GPIPA and FBPA do not supply a statutory duty to support negligence claim; dismissal affirmed |
| Whether a fiduciary/confidential relationship arose between McConnell and the Department | McConnell: Requiring PII to obtain benefits and his reliance created a fiduciary/confidential relationship | Dept.: No special factual circumstances alleged that would transform a regulatory/service relationship into a fiduciary one | No fiduciary duty pleaded; ordinary provision/collection of information does not create confidential relationship; dismissal affirmed |
| Whether the alleged disclosure states an invasion of privacy (public disclosure of private facts) | McConnell: Disclosure of SSN and other PII is private and poses risks (identity theft), satisfying the tort | Dept.: Publication of PII causing risk of future harm does not necessarily implicate the tort unless facts are embarrassing private facts | Dismissed: Georgia requires disclosure of private, embarrassing facts for this tort; mere risk of identity theft from SSN disclosure does not meet elements |
| Whether dismissal was inappropriate before discovery | McConnell: Existence of fiduciary/confidential relationship is often factual and unsuitable for resolution on a motion to dismiss | Dept.: Complaint lacked factual allegations to support fiduciary duty or negligence duty | Court held plaintiff’s allegations insufficient as a matter of law; dismissal appropriate despite limited discovery |
Key Cases Cited
- Rasnick v. Krishna Hosp., Inc., 289 Ga. 565 (Ga. 2011) (duty element of negligence is a question of law)
- Bradley Ctr., Inc. v. Wessner, 250 Ga. 199 (Ga. 1982) (recognizes a general duty not to subject others to unreasonable risk but limits recovery to circumstances creating a special relationship)
- Wells Fargo Bank, N.A. v. Jenkins, 293 Ga. 162 (Ga. 2013) (legislative or federal aspirational statements do not by themselves create a state common‑law duty)
- Cumberland Contractors, Inc. v. State Bank & Trust Co., 327 Ga. App. 121 (Ga. Ct. App. 2014) (publication of SSNs and risk of identity theft does not satisfy invasion‑of‑privacy tort elements)
- Diamond v. Dept. of Transp., 326 Ga. App. 189 (Ga. Ct. App. 2014) (duty in negligence must arise from statute or established common‑law principle)