Almost exactly one year after the stringent European General Data Protection Regulation came into effect (May 25, 2019), the Supreme Court of the state of Georgia has ruled (May 20, 2019) that the state government does not have an inherent obligation to protect citizens' personal information that it stores.
The ruling relates to a case that dates back to 2013. A Georgia Department of Labor employee inadvertently emailed a spreadsheet containing the names, Social Security numbers, telephone numbers and email addresses of 4,457 people who had applied for benefit to about 1,000 people.
Thomas McConnell, whose details appeared on the spreadsheet, filed a putative class action against the Department of Labor, alleging negligence, breach of fiduciary duty, and invasion of privacy. That case has progressed through the legal system to the Supreme Court, and has been dismissed (PDF).
While the Supreme Court has not ruled that there can never be an obligation to protect citizens' data, it has ruled that the obligation is not automatic -- and in the McConnell case, there were no separate requirements to provide the obligation.
McConnell had alleged negligence, breach of fiduciary duty, and invasion of privacy by public disclosure of private facts by the Department of Labor. Each of these claims has been rejected. The first to go was 'negligence' -- dismissed because there is no requirement in law to protect the data of benefit claimants. Furthermore, McConnell's claim that Georgia recognizes a "common law duty 'to all the world not to subject others to an unreasonable risk of harm'" (Bradley Center, Inc. v. Wessner; 1982) does not, according to this ruling, set a precedent.
Furthermore, the existing identity theft statute does not explicitly require anything from data storer, w ..