Almost exactly one year after the stringent European General Data Protection Regulation came into effect (May 25, 2019), the Supreme Court of the [U.S.] state of Georgia has ruled (May 20, 2019) that the state government does not have an inherent obligation to protect citizens’ personal information that it stores.
The ruling relates to a case that dates back to 2013. A Georgia Department of Labor employee inadvertently emailed a spreadsheet containing the names, Social Security numbers, telephone numbers and email addresses of 4,457 people who had applied for benefit to about 1,000 people.
Thomas McConnell, whose details appeared on the spreadsheet, … had alleged negligence, breach of fiduciary duty, and invasion of privacy by public disclosure of private facts by the Department of Labor. Each of these claims has been rejected. The first to go was ‘negligence’ — dismissed because there is no requirement in law to protect the data of benefit claimants. Furthermore, McConnell’s claim that Georgia recognizes a “common law duty ‘to all the world not to subject others to an unreasonable risk of harm’” (Bradley Center, Inc. v. Wessner; 1982) does not, according to this ruling, set a precedent.
Furthermore, the existing identity theft statute does not explicitly require anything from the data storer, while the statute restricting disclosure of social security numbers only applies to intentional disclosures and not accidental exposures as appeared here.
The fiduciary duty claim was then dismissed because no public officer stood to gain from the incident, and there was no special relationship of confidence between McConnell and the Department.
Finally, the allegation of an invasion of privacy was rejected. The Supreme Court ruled that “the matter disclosed included only the name, social security number, home telephone number, email address, and age of individuals who had sought services or benefits from the Department. This kind of information does not normally affect a person’s reputation, which is the interest the tort of public disclosure of embarrassing private facts was meant to remedy.”
(Via SecurityWeek RSS Feed)
Georgia is setting a bad precedent. Municipalities and government agencies are being targeted for exactly this type of data. The idea that Georgia law only offers redress for actions of a malicious insider while providing for a “whoopsie” defense is absurd.