                          FOURTH DIVISION
                          ELLINGTON, P. J.,
         MERCIER, J., and SENIOR APPELLATE JUDGE PHIPPS

                   NOTICE: Motions for reconsideration must be
                   physically received in our clerk’s office within ten
                   days of the date of decision to be deemed timely filed.
                               http://www.gaappeals.us/rules


                                                                      May 11, 2018




In the Court of Appeals of Georgia
 A16A0655. MCCONNELL et al. v. GEORGIA DEPARTMENT OF
     LABOR.

      ELLINGTON, Presiding Judge.

      Thomas McConnell filed this class action against the Georgia Department of

Labor, alleging several tort claims in connection with the Department’s disclosure of

personal information of McConnell and the proposed class members. After a hearing,

the Superior Court of Cobb County granted the Department’s motion to dismiss

McConnell’s complaint for failure to state a claim upon which relief can be granted.

McConnell appealed, and, in McConnell v. Ga. Dept. of Labor, 337 Ga. App. 457

(787 SE2d 794) (2016), we affirmed. The Supreme Court of Georgia granted a writ

of certiorari to consider, inter alia, whether this Court erred “in not addressing the

trial court’s holding that McConnell’s tort claims were barred by sovereign immunity,
which is a jurisdictional issue, before addressing the merits of those claims.”1 The

Supreme Court held that we did err in this manner, vacated our decision, and

remanded with direction that we “make the threshold determination of whether the

trial court erred in its holding that McConnell’s claims are barred by sovereign

immunity.” McConnell v. Ga. Dept. of Labor, _ Ga. _ (805 SE2d 79) (2017). For the

reasons explained below in Division 1, we conclude that the trial court did err in so

holding and reverse the judgment in relevant part. Because the trial court did not err

in dismissing McConnell’s complaint on the basis that it fails to state a claim upon

which relief can be granted, as explained below in Divisions 2 through 4, we affirm

the judgment in part in this regard.

      In his complaint, McConnell alleges that a Department employee, while acting

within the scope of his official duties or employment, sent an email to approximately

1,000 Georgians who had applied for unemployment benefits or other services

administered by the Department. The email included a spreadsheet that listed the


      1
         See Lathrop v. Deal, 301 Ga. 408, 408, 432 (III) (B) (801 SE2d 867) (2017)
(“Simply put, the constitutional doctrine of sovereign immunity forbids our courts to
entertain a lawsuit against the State without its consent. . . . Sovereign immunity . .
. – like various other rules of jurisdiction and justiciability – is concerned with the
extent to which a case properly may come before a court at all.”) (punctuation
omitted).

                                          2
name, social security number, home phone number, email address, and age of over

4,000 Georgians who had registered for Department services, including McConnell.2

McConnell alleges that the employee’s conduct constituted the torts of negligently

disclosing “personal information” as defined under Georgia law, breach of fiduciary

duty, and invasion of privacy (public disclosure of private facts). McConnell seeks

economic damages, specifically, out-of-pocket costs related to credit monitoring and

identity protection services and damages resulting from the adverse impact to his

credit score from the closing of accounts. In addition, he seeks damages for the “fear,

upset, anxiety and injury to peace and happiness related to the disclosure of [his]

personal identifying information, as the disclosure of personal identifying information

had provided all the raw material necessary to facilitate the theft of [his identity] and

unauthorized charges upon [his] credit or bank accounts.” He does not allege that an

act of identity theft has yet occurred.



      2
        We note that these factual allegations are not disputed. The Department
admitted creating the spreadsheet and admitted that the spreadsheet included
McConnell’s name, social security number, home phone number, age, and email
address. It admitted that its employee, in attempting to send the spreadsheet to another
Department employee, inadvertently sent the spreadsheet via email to approximately
1000 recipients. In addition, the Department admitted that the information was
“personal information” under Georgia law. See Division 2, infra.

                                           3
      1. McConnell contends that the trial court erred in holding that the state has not

waived its sovereign immunity pursuant to the Georgia Tort Claims Act, OCGA §§

50-21-20 through 50-21-37, for the type of losses that he alleges in his claims.3

      With regard to tort claims against the state, the General Assembly adopted the

Act for the express purpose of “balanc[ing] strict application of the doctrine of

sovereign immunity,” which, in its breadth,4 “may produce inherently unfair and

      3
         We note that the trial court placed its determination the state has not waived
sovereign immunity for the types of “loss” McConnell claims in the section of its
dismissal order that concerns McConnell’s claim for negligent disclosure of personal
information. Although the trial court did not incorporate its sovereign immunity
ruling into the sections of its order that concern McConnell’s claims for breach of
fiduciary duty and invasion of privacy, one can infer, as the Supreme Court did, that
the trial court also determined that sovereign immunity is not waived as to those
claims as well. See McConnell v. Ga. Dept. of Labor, _ Ga. _ (805 SE2d 79) (2017)
(“The Department filed a motion to dismiss McConnell’s claims, which the trial court
granted on two bases: (1) McConnell’s claims were barred by sovereign immunity
and (2) on the merits, each of McConnell’s contentions failed to state a claim upon
which relief could be granted.”). Accordingly, our consideration of sovereign
immunity is not limited to McConnell’s claim for negligent disclosure of personal
information.
      4
          The Georgia Constitution provides:

      Except as specifically provided in this Paragraph, sovereign immunity
      extends to the state and all of its departments and agencies. The
      sovereign immunity of the state and its departments and agencies can
      only be waived by an Act of the General Assembly which specifically
      provides that sovereign immunity is thereby waived and the extent of
      such waiver.

                                          4
inequitable results, against the need for limited exposure of the state treasury to tort

liability.” (Citation and punctuation omitted.) Bd. of Regents of Univ. Sys. of Ga. v.

Myers, 295 Ga. 843, 845 (764 SE2d 543) (2014).5 Under the Act, the state waives its

sovereign immunity with respect to actions brought in Georgia courts “for the torts

of state officers and employees while acting within the scope of their official duties

or employment and shall be liable for such torts in the same manner as a private

individual or entity would be liable under like circumstances[,]” subject to exceptions



Ga. Const. of 1983, Art. I, Sec. II, Par. IX (e).
      5
          OCGA § 50-21-21 (a) provides:

      The General Assembly recognizes the inherently unfair and inequitable
      results which occur in the strict application of the traditional doctrine of
      sovereign immunity. On the other hand, the General Assembly
      recognizes that, while private entrepreneurs voluntarily choose the ambit
      of their activity and can thereby exert some control over their exposure
      to liability, state government does not have the same flexibility. In
      acting for the public good and in responding to public need, state
      government must provide a broad range of services and perform a broad
      range of functions throughout the entire state, regardless of how much
      exposure to liability may be involved. The exposure of the state treasury
      to tort liability must therefore be limited. State government should not
      have the duty to do everything that might be done. Consequently, it is
      declared to be the public policy of this state that the state shall only be
      liable in tort actions within the limitations of this article and in
      accordance with the fair and uniform principles established in this
      article.

                                           5
and limitations set forth in the Act. OCGA § 50-21-23 (a). A “claim” under the Act

is defined as “any demand against the State of Georgia for money only on account of

loss caused by the tort of any state officer or employee committed while acting within

the scope of his or her official duties or employment.” OCGA § 50-21-22 (1). OCGA

§ 50-21-22 (3) provides: “‘Loss’ means personal injury; disease; death; damage to

tangible property, including lost wages and economic loss to the person who suffered

the injury, disease, or death; pain and suffering; mental anguish; and any other

element of actual damages recoverable in actions for negligence.”

      “Because sovereign immunity is not an affirmative defense, but rather a

privilege that is subject to waiver by the State, the party seeking to benefit from that

waiver has the burden of establishing the waiver of sovereign immunity.” (Citations

and footnote omitted.) Williams v. Ga. Dept. of Corrections, 338 Ga. App. 719, 720

(1) (791 SE2d 606) (2016). “We review de novo a trial court’s denial of a motion to

dismiss based on sovereign immunity grounds, which is a matter of law.” (Citation

and punctuation omitted.) Ga. Dept. of Transp. v. King, 341 Ga. App. 102, 103 (798

SE2d 492) (2017).

      (a) Economic damages/financial harm. With regard to McConnell’s alleged

economic damages, the Department argues that sovereign immunity is waived under

                                           6
the Act only for a “loss” as that term is defined in the Act and that McConnell has not

suffered such a loss. Specifically, the Department argues, based on the definition of

“loss” in OCGA § 50-21-22 (3), that the Act “expressly limits the recovery of

economic damages to a plaintiff who has also suffered a personal injury, disease,

death.” Because McConnell alleges that he suffered economic damages as a result of

the Department’s email disclosure, but does not allege that the email disclosure

“caused him to suffer a disease, death, or injury to his person[,]” the Department

contends, McConnell cannot recover economic losses under the Act.

      The Department’s strained reading of OCGA § 50-21-22 (3) cannot be

supported because the subsection, after giving specific examples of injuries that are

actionable, expansively adds “any other element of actual damages recoverable in

actions for negligence.” In Dept. of Transp. v. Montgomery Tank Lines, Inc., 276 Ga.

105 (575 SE2d 487) (2003), the Supreme Court of Georgia considered the effect of

that “broad last clause in § 50-21-22 (3)” and rejected the agency’s proposed narrow

reading. Id. at 107-108 (1). The Supreme Court found that, notwithstanding that the

losses specifically listed (personal injury; disease; death; damage to tangible property;

pain and suffering; and mental anguish) are all so-called “first-party losses,” the “term

of enlargement” (that is, the phrase “any other element of actual damages recoverable

                                           7
in actions for negligence”) is “specific and unambiguous and requires a broader

meaning than that attributed to it” by the agency. Id. at 107 (1). The Supreme Court

explained: “[c]learly, an action for contribution and indemnification is an action for

negligence, and the damages that the contribution plaintiffs seek to recover are

unquestionably an element of actual damages[.]” Id. at 107 (1). The Supreme Court

found that the concluding phrase of the “loss” definition means that sovereign

immunity is not waived only for a person who directly suffers the personal injury,

disease, death, or other loss but is broad enough to include claims for contribution

and indemnification. Id. at 108 (1). Furthermore, the Supreme Court concluded, the

fact that the waiver of sovereign immunity is subject to specific “exceptions” set forth

in OCGA § 50-21-24, and that contribution and indemnity actions are not listed as

exceptions, “further buttresses the conclusion that such actions against the State are

not categorically precluded by the [Act].” Id.

      Similarly, we conclude in this case that the catch-all phrase, “any other element

of actual damages recoverable in actions for negligence,” requires a broader meaning

than that attributed to it by the Department. See Dept. of Transp. v. Montgomery Tank

Lines, Inc., 276 Ga. at 107-108 (1). The General Assembly certainly could have

modified “any other element of actual damages recoverable in actions for negligence”

                                           8
with “sustained by a person who suffered injury, disease, or death” if it had intended

to limit the final phrase in this way.6 Based on the express terms of OCGA § 50-21-22

(3) and the cases cited herein, we conclude that losses under the Act may include

economic losses suffered by a plaintiff who has not also suffered a personal injury,

disease, or death.

      In a related vein, the Department contends that any time, effort, and money that

McConnell allegedly spent monitoring his credit is not an actual injury that is

recoverable in negligence cases. Acknowledging that Georgia courts have not

addressed whether obtaining credit monitoring services after the disclosure of

confidential information constitutes a cognizable injury, the Department contends that

courts in other jurisdictions have rejected such claims. In addition, the Department

contends that McConnell cannot recover for an increased risk of future identity theft

because such risk does not constitute an element of actual damages that is recoverable

under Georgia law.7 Because McConnell alleged damages resulting in part from the

      6
        Notably, in Dept. of Transp. v. Montgomery Tank Lines, Inc., the contribution
plaintiffs suffered only economic losses and, being corporate entities, could not have
suffered disease, death, or injury to their persons.
      7
        See Finnerty v. State Bank & Trust Co., 301 Ga. App. 569, 572 (4) (687 SE2d
842) (2009) (Where the plaintiff failed to demonstrate that a bank’s disclosure of his
social security number made it probable, as opposed to merely possible, that he would

                                          9
adverse impact to his credit score from the closing of accounts, we cannot say that he

seeks compensation only for credit-monitoring expenses or the risk of future

economic damages from identity theft. Whether McConnell can prove that he has

suffered financial harm as a result of the adverse impact to his credit score from the

closing of accounts is not a question to be resolved at this threshold. See Upper

Oconee Basin Water Auth. v. Jackson County, 305 Ga. App. 409, 412 (1) (699 SE2d

605) (2010) (“A motion to dismiss asserting sovereign immunity is based upon the

trial court’s lack of subject matter jurisdiction, rather than the merits of the plaintiff’s

claim.”) (citation and punctuation omitted); Dept. of Transp. v. Dupree, 256 Ga. App.

668, 671 (1) (570 SE2d 1) (2002) (accord).8




suffer any identity theft and failed to demonstrate that any specific persons actually
had accessed his confidential personal information, the bank was entitled to summary
judgment because a fear of future damages from identity theft is too speculative to
form the basis for recovery.), disapproved of on other grounds in Cumberland
Contractors, Inc. v. State Bank & Trust Co., 327 Ga. App. 121, n. 4 (2) (755 SE2d
511) (2014).
       8
        See also Ga. Dept. of Public Safety v. Johnson, 343 Ga. App. 22, 23-24 (806
SE2d 195) (2017) (Where subject matter jurisdiction is challenged on the basis of
sovereign immunity, the trial court considers evidence only to the extent factual
findings are necessary to decide the threshold issue of whether the defendant’s
entitlement to sovereign immunity deprives the court of subject matter jurisdiction.).

                                            10
      (b) Mental anguish. With regard to McConnell’s claims for damages for his

continuing fear and anxiety of potential identity theft in the future, the Department

invokes Georgia’s so-called “impact rule,” arguing that “[t]he ‘impact rule’ states that

‘[i]n a claim concerning negligent conduct, a recovery for emotional distress is

allowed only where there is some impact on the plaintiff, and that impact must be a

physical injury[,]’” quoting Ryckeley v. Callaway, 261 Ga. 828 (412 SE2d 826

(1992). To the extent the Department suggests that the impact rule applies to any

claim concerning negligent conduct, this is incorrect. To the contrary, the impact rule

applies specifically to claims for negligent infliction of emotional distress. See Coon

v. Medical Center, Inc., 300 Ga. 722, 734 (4) (797 SE2d 828) (2017); Bruscato v.

O’Brien, 307 Ga. App. 452, 457 (1) (705 SE2d 275) (2010), aff’d, 289 Ga. 739, 715

SE2d 120 (2011); Clarke v. Freeman, 302 Ga. App. 831, 836 (1) (692 SE2d 80)

(2010); Charles R. Adams, Ga. Law of Torts § 29:2 (b) (updated December 2017).

The Department has not shown that Georgia law requires proof that a plaintiff

suffered a physical impact and a physical injury in order to recover for the claims

McConnell alleges – negligent disclosure of personal information, invasion of

privacy, and breach of fiduciary duty – even where the alleged damages include

emotional harm.

                                          11
      Having found no merit in any of the Department’s arguments, as explained

above, we conclude that McConnell carried his burden of showing that the trial court

had subject matter jurisdiction over his claims for negligently disclosing personal

information, breach of fiduciary duty, and invasion of privacy, which are tort claims

that are not excepted from the waiver of sovereign immunity for tort claims pursuant

to the Act,9 and which are based on the conduct of state officers and employees while

acting within the scope of their official duties or employment. Accordingly, the trial

court erred in granting the Department’s motion to dismiss McConnell’s claims on

the basis of the bar of sovereign immunity. The judgment is therefore reversed in

relevant part. McCoy v. Ga. Dept. of Admin. Svcs., 326 Ga. App. 853, 858 (755 SE2d

362) (2014); Williamson v. Dept. of Human Resources, 258 Ga. App. 113, 116 (1)

(572 SE2d 678) (2002); McCrary Engineering Corp. v. City of Bowdon, 170 Ga. App.

462, 466 (1) (317 SE2d 308) (1984).




      9
        OCGA § 50-21-24 sets out a list of claims specifically excluded from the
general waiver of sovereign immunity for tort claims against the state, such as claims
for malicious prosecution, negligent highway design, and failure to provide fire
protection. The Department does not contend that McConnell’s claims fall within one
of the enumerated exceptions.

                                         12
      Because the threshold issue of sovereign immunity is decided in favor of the

trial court having had subject matter jurisdiction, we must again consider the merits

of McConnell’s claims.

      2. McConnell contends that the trial court erred in ruling that he failed to state

a claim for negligent disclosure of personal information, based, inter alia, on its

determination that as a matter of law “there is no legal duty [under Georgia law] to

safeguard personal information.”

      [A] motion to dismiss for failure to state a claim upon which relief may
      be granted should not be sustained unless (1) the allegations of the
      complaint disclose with certainty that the claimant would not be entitled
      to relief under any state of provable facts asserted in support thereof;
      and (2) the movant establishes that the claimant could not possibly
      introduce evidence within the framework of the complaint sufficient to
      warrant a grant of the relief sought. If, within the framework of the
      complaint, evidence may be introduced which will sustain a grant of the
      relief sought by the claimant, the complaint is sufficient and a motion to
      dismiss should be denied. In deciding a motion to dismiss, all pleadings
      are to be construed most favorably to the party who filed them, and all
      doubts regarding such pleadings must be resolved in the filing party’s
      favor. On appeal, a trial court’s ruling on a motion to dismiss for failure
      to state a claim for which relief may be granted is reviewed de novo.




                                          13
(Citation and punctuation omitted.) RES-GA McDonough, LLC v. Taylor English

Duma LLP, _ Ga. _ (Case No. S17A1125, decided October 30, 2017).

      In order to have a viable negligence action, a plaintiff must satisfy the
      elements of the tort, namely, the existence of a duty on the part of the
      defendant, a breach of that duty, causation of the alleged injury, and
      damages resulting from the alleged breach of the duty. The legal duty is
      the obligation to conform to a standard of conduct under the law for the
      protection of others against unreasonable risks of harm. This legal
      obligation to the complaining party must be found, the observance of
      which would have averted or avoided the injury or damage; the
      innocence of the plaintiff is immaterial to the existence of the legal duty
      on the part of the defendant in that the plaintiff will not be entitled to
      recover unless the defendant did something that it should not have done,
      i.e., an action, or failed to do something that it should have done, i.e., an
      omission, pursuant to the duty owed the plaintiff under the law. The
      duty can arise either from a valid legislative enactment, that is, by
      statute, or be imposed by a common law principle recognized in the
      caselaw. The existence of a legal duty is a question of law for the court.


(Citations and punctuation omitted.) Rasnick v. Krishna Hospital, Inc., 289 Ga. 565,

566-567 (713 SE2d 835) (2011).10


      10
         See OCGA § 51-1-6 (“When the law requires a person to perform an act for
the benefit of another or to refrain from doing an act which may injure another,
although no cause of action is given in express terms, the injured party may recover
for the breach of such legal duty if he suffers damage thereby.”); OCGA § 51-1-8

                                           14
      McConnell contends that a common law duty exists to safeguard and protect

the personal information of another and argues that OCGA §§ 10-1-393.8 and

10-1-910 help establish the duty of care to be exercised by those who collect or hold



(“Private duties may arise from statute or from relations created by contract, express
or implied. The violation of a private duty, accompanied by damage, shall give a right
of action.”); see also Wells Fargo Bank, N.A. v. Jenkins, 293 Ga. 162, 164 (744 SE2d
686) (2013) (A legal duty that will support an actionable claim of negligence “cannot
rest solely upon OCGA § 51-1-6 because this statute sets forth merely general
principles of tort law. By its express terms, tort liability under OCGA § 51-1-6
mandates that the alleged tortfeasor[ ] ha[s] breached a legal duty to perform a
beneficial act or to refrain from doing an injurious act. So, the legal duty to support
[a plaintiff’s] negligence claim must be found in another legislative enactment”
beside OCGA § 51-1-6.) (citation omitted); City of Douglasville v. Queen, 270 Ga.
770, 771 (1) (514 SE2d 195) (1999) (The first element of a cause of action for
negligence is “[a] legal duty to conform to a standard of conduct raised by the law for
the protection of others against unreasonable risks of harm[.]”) (citation and
punctuation omitted); Diamond v. Dept. of Transp., 326 Ga. App. 189, 195 (2) (756
SE2d 277) (2014) (“[D]uty arises either from statute or from a common law principle
recognized in the case law.”) (citation omitted); Pulte Home v. Simerly, 322 Ga. App.
699, 705-706 (3) (746 SE2d 173) (2013) (“It is well-settled that Georgia law allows
the adoption of a statute or regulation as a standard of conduct so that its violation
becomes negligence per se. OCGA § 51-1-6 authorizes a plaintiff to recover damages
for the breach of a legal duty even when that duty arises from a statute that does not
provide a private cause of action. OCGA § 51-1-6 does not create a legal duty but
defines a tort and authorizes damages when a legal duty is breached.”) (citation and
punctuation omitted); Rockefeller v. Kaiser Foundation Health Plan of Georgia, 251
Ga. App. 699, 702-703 (554 SE2d 623) (2001) (To determine whether the violation
of a statute is negligence per se “it is necessary to examine the purposes of the
legislation and decide (1) whether the injured person falls within the class of persons
it was intended to protect and (2) whether the harm complained of was the harm it
was intended to guard against.”) (citations, punctuation, and footnote omitted).

                                          15
personal information. In OCGA §§ 10-1-910, the General Assembly set out

legislative findings underlying the Georgia Personal Identity Protection Act, OCGA

§§ 10-1-910 through 10-1-915 (the “GPIPA”), enacted in 2005.11 In the GPIPA, the

General Assembly found, inter alia, that “[t]he privacy and financial security of

individuals is increasingly at risk, due to the ever more widespread collection of

personal information by both the private and public sectors[,]” that ‘[i]dentity theft

is one of the fastest growing crimes committed in this state[,]” and that “[i]dentity

theft is costly to the marketplace and to consumers[.]” OCGA § 10-1-910 (1), (6).

Because “[v]ictims of identity theft must act quickly to minimize the damage[,] . . .

expeditious notification of unauthorized acquisition and possible misuse of a person’s

personal information is imperative.” OCGA § 10-1-910 (7). In line with these

findings, the GPIPA requires that affected persons be given certain notice of a data

breach and the right and ability to place a security freeze on their credit report.12

      11
           See Ga. Laws 2007, p. 450 (Act 241), § 1 (for name designation).
      12
          The GPIPA requires a government entity (as a “data collector”) “that
maintains computerized data that includes personal information of individuals” to
give prompt notice to affected Georgia residents of any security breach, that is,
acquisition of unencrypted personal information by any unauthorized person and,
under specified circumstances, to notify, without unreasonable delay, all consumer
reporting agencies that compile and maintain files on consumers on a nation-wide
basis of the timing, distribution, and content of the notices. OCGA §10-1-912 (a), (d).

                                          16
McConnell contends that in codifying these findings the General Assembly

demonstrated its intent to protect citizens from the adverse effects of disclosure of

personal information and created a general duty to preserve and protect personal

information. Notably, however, despite the General Assembly’s aspirational

recognition of the harm caused by identity theft, the GPIPA does not proscribe any

conduct in storing data or protecting data security. Rather the GPIPA proscribes

particular conduct, that is, notification and the placement of a security freeze, only

after a (known or suspected) data security breach has occurred. Because the GPIPA

does not impose any standard of conduct in implementing and maintaining data

security practices, we conclude that it can not serve as the source of a general duty




See OCGA § 10-1-911 (1) (definition of a “breach of the security of the system”), (2)
(definition of a “data collector”), (3) (definition of “notice”); 10-1-914 (security
freezes on consumer credit reports); 10-1-914.1 (security freezes on consumer credit
reports for minors and wards); 10-1-915 (required notice of right to obtain a security
freeze on consumer credit report). The GPIPA’s definition of “personal information”
includes an individual’s first and last name in combination with the person’s social
security number. OCGA § 10-1-911 (6). Another example is a person’s name in
combination with a credit or debit card number, if under the circumstances the
number could be used without a password or other information. Id.

                                         17
to safeguard personal information. Wells Fargo Bank, N.A. v. Jenkins, 293 Ga. 162,

165 (744 SE2d 686) (2013).13

      Similarly, we conclude that OCGA § 10-1-393.8, which is part of the Fair

Business Practices Act of 1975 (the “FBPA”) as amended,14 can not serve as the

source of such a general duty to safeguard and protect the personal information of

another. That Code section provides that, except as otherwise provided, “a person,

firm, or corporation shall not: . . . [p]ublicly post or publicly display in any manner

an individual’s social security number. . . . ‘[P]ublicly post’ or ‘publicly display’

means to intentionally communicate or otherwise make available to the general



      13
            In Wells Fargo Bank, N.A. v. Jenkins, a bank customer based a claim of
negligence on the bank’s failure to protect his personal information and asserted that
the legal duty to support his negligence claim was found in the federal Gramm-Leach-
Bliley Act, the “GLBA,” 15 U. S. C. § 6801 et seq. The Supreme Court of Georgia
explained that, although the GLBA “expressly authorizes federal agencies . . . to
establish appropriate standards” for financial institutions “relating to administrative,
technical, and physical safeguards,” including safeguards “to protect against
unauthorized access to or use of [customers’] records or information which could
result in substantial harm or inconvenience to any customer,” see 15 U.S.C. § 6801
(a), such “an aspirational statement of Congressional policy” should not be “misread
. . . as establishing a legal duty, the alleged breach of which would give rise under the
law of this State to a cause of action for negligence against financial institutions[,]”
as that would improperly usurp legislative authority. 293 Ga. at 164-165.
      14
         OCGA § 10-1-390 (OCGA § 10-1-390 through 10-1-408 shall be known as
the “Fair Business Practices Act of 1975.”).

                                           18
public[.]” OCGA § 10-1-393.8. As the trial court noted in the appealed order, the

FBPA expressly prohibits intentionally communicating a person’s social security

number, while McConnell alleges that the Department negligently disseminated his

SSN by failing “to take the necessary precautions required to safeguard and protect

the personal information from unauthorized disclosure.” Although the FBPA imposes

a standard of conduct to refrain from intentionally and publicly posting or displaying

SSNs,15 a legal duty to refrain from doing something intentionally is not equivalent

to a duty to exercise a degree of care to avoid doing something unintentionally, which

falls within the ambit of negligence. The trial court correctly concluded that

McConnell’s complaint is premised on a duty of care to safeguard personal

      15
           The trial court questioned whether the Department is “a person, firm, or
corporation” subject to OCGA § 10-1-393.8. But the Department does not contend
that it is not subject to the statute. See OCGA §§ 10-1-392 (24) (For purposes of the
FBPA, including OCGA § 10-1-393.8, “‘[p]erson’ means a natural person,
corporation, trust, partnership, incorporated or unincorporated association, or any
other legal entity.”); 34-2-1 (“There is created and established a separate and
independent administrative agency to be known as the Department of Labor.”);
Foskey v. Vidalia City School, 258 Ga. App. 298, 301 (b) (574 SE2d 367) (2002)
(“When a governmental entity or quasi-public entity has independent legal status as
a public corporation, agency, or authority, the legislative act creating such
governmental entity generally confers one or more of the power and authority to
contract, hold property, eminent domain, or sue and be sued. The fact that a
governmental entity may have sovereign immunity from a tort action does not prevent
such entity from being a separate legal entity or an entity that may sue and be sued.”)
(citations omitted).

                                          19
information that has no source in Georgia statutory law or caselaw and that his

complaint therefore failed to state a claim of negligence. Diamond v. Dept. of

Transp., 326 Ga. App. 189, 195-196 (2) (756 SE2d 277) (2014).

      Given the General Assembly’s stated concern about the cost of identity theft

to the marketplace and to consumers, as well as the fact that it created certain limited

duties with regard to personal information (e. g., the duty to notify affected persons

of data breaches and the duty not to intentionally communicate information such as

SSNs to the general public), it may seem surprising that our legislature has so far not

acted to establish a standard of conduct intended to protect the security of personal

information, as some other jurisdictions have done in connection with data protection

and data breach notification laws.16 It is beyond the scope of judicial authority,

      16
          See e.g. Ark. Code Ann. 4-110-104 (b) (In the Arkansas Personal
Information Protection Act: “A person or business that acquires, owns, or licenses
personal information about an Arkansas resident shall implement and maintain
reasonable security procedures and practices appropriate to the nature of the
information to protect the personal information from unauthorized access,
destruction, use, modification, or disclosure.”); Cal. Civ. Code § 1798.81.5 (In the
California Database Breach Act: “It is the intent of the Legislature to ensure that
personal information about California residents is protected. . . . A business that
owns, licenses, or maintains personal information about a California resident shall
implement and maintain reasonable security procedures and practices appropriate to
the nature of the information, to protect the personal information from unauthorized
access, destruction, use, modification, or disclosure.”); Fla. Stat. Ann. § 501.171 (2)
(“Each covered entity, governmental entity, or third-party agent shall take reasonable

                                          20
however, to move from aspirational statements of legislative policy to an affirmative

legislative enactment sufficient to create a legal duty.17


measures to protect and secure data in electronic form containing personal
information.”); Md. Code Ann., Commercial Law § 14-3503 (In the Maryland
Personal Information Protection Act: “To protect personal information from
unauthorized access, use, modification, or disclosure, a business that owns or licenses
personal information of an individual residing in the State shall implement and
maintain reasonable security procedures and practices that are appropriate to the
nature of the personal information owned or licensed and the nature and size of the
business and its operations.”); Md. Code Ann., State Government § 10-1304 (“To
protect personal information from unauthorized access, use, modification, or
disclosure, a [state government] unit that collects personal information of an
individual shall implement and maintain reasonable security procedures and practices
that are appropriate to the nature of the personal information collected and the nature
of the unit and its operations.”); Nev. Rev. Stat. Ann. § 603A.210 (1) (“A data
collector that maintains records which contain personal information of a resident of
this State shall implement and maintain reasonable security measures to protect those
records from unauthorized access, acquisition, destruction, use, modification or
disclosure.”); Rhode Island Gen. Laws Ann. § 11-49.3-2 (a) (In the Rhode Island
Identity Theft Protection Act of 2015: “A municipal agency, state agency or person
that stores, collects, processes, maintains, acquires, uses, owns or licenses personal
information about a Rhode Island resident shall implement and maintain a risk-based
information security program that contains reasonable security procedures and
practices appropriate to the size and scope of the organization; the nature of the
information; and the purpose for which the information was collected in order to
protect the personal information from unauthorized access, use, modification,
destruction, or disclosure and to preserve the confidentiality, integrity, and
availability of such information.”).
      17
         See Wells Fargo Bank, N.A. v. Jenkins, 293 Ga. at 165; Blotner v. Doreika,
285 Ga. 481, 481-482 (1) (678 SE2d 80) (2009) (Where a particular common law
duty was not recognized in Georgia, the common law rule could be changed only by
legislative act.); Perdue v. Baker, 277 Ga. 1, 14 (586 SE2d 606) (2003) (“The core

                                          21
      3. McConnell contends that the trial court erred in dismissing his breach of

fiduciary duty claim for failure to state a claim upon which relief can be granted

based on its determination that he had not shown that he had a particular relationship

of trust or mutual confidence with the Department. “Establishing a claim for breach

of fiduciary duty requires proof of three elements: (1) the existence of a fiduciary

duty; (2) breach of that duty; and (3) damage proximately caused by the breach.”

(Citation and punctuation omitted.) Wells Fargo Bank, N.A. v. Cook, 332 Ga. App.

834, 842 (1) (775 SE2d 199) (2015). “Any relationship shall be deemed confidential,

whether arising from nature, created by law, or resulting from contracts, where one

party is so situated as to exercise a controlling influence over the will, conduct, and

interest of another or where, from a similar relationship of mutual confidence, the law

requires the utmost good faith, such as the relationship between partners, principal

and agent, etc.” OCGA § 23-2-58.




legislative function is the establishment of public policy through the enactment of
laws.”) (footnote omitted); Commonwealth Inv. Co. v. Frye, 219 Ga. 498, 499 (2)
(134 SE2d 39) (1963) (Our appellate courts’ “authority extends only to the correction
of errors of law, and we have no legislative powers or functions. [T]he legislature,
and not the courts, is empowered by the Constitution to decide public policy, and to
implement that policy by enacting laws; and the courts are bound to follow such laws
if constitutional.”) (citations and punctuation omitted).

                                          22
      McConnell argues that, because a fiduciary relationship, in addition to being

created by statute or contract, may also be created by the facts of a particular case, a

claim for breach of fiduciary duty is uniquely unsuitable for disposition via a motion

to dismiss, when the plaintiff has not been able to conduct discovery.18 In his

complaint, McConnell alleged that a fiduciary duty arose when the Department

required him to disclose confidential personal identification information in order to

obtain services or benefits from the Department and that he reasonably placed his

trust and confidence in the Department to safeguard and protect his information from

public disclosure. He contends that the Department was “so situated as to exercise a

controlling influence over . . . [his] interest” because, unless he provided his personal

information to the Department, he would not receive unemployment benefits,

resulting in a fiduciary relationship.

      In a recent case, a bank employee gave a customer’s information to the

employee’s husband, which allowed her husband to steal the customer’s identity.

Jenkins v. Wachovia Bank, N.A., 314 Ga. App. 257 (724 SE2d 1) (2012), reversed in


      18
         See Wright v. Apartment Investment & Mgmt. Co., 315 Ga. App. 587, 592 (2)
(726 SE2d 779) (2012) (“[S]ince a confidential relationship may be found whenever
one party is justified in reposing confidence in another, the existence of a confidential
or fiduciary relationship is generally a factual matter for the jury to resolve.”).

                                           23
part on other grounds sub nom. Wells Fargo Bank, N.A. v. Jenkins, 293 Ga. 162 (744

SE2d 686) (2013), and opinion vacated in part, 325 Ga. App. 376 (752 SE2d 633)

(2013). The customer sued the bank, asserting claims that the bank negligently failed

to protect his personal information, breached a duty of confidentiality, and invaded

his privacy. 314 Ga. App. at 257. The customer alleged that the bank “falsely

represented to its customers and members of the general public that it created and

implemented a system to adequately protect the private and personal identifying

information entrusted to it by its customers[.]” Id. Noting that the bank-customer

relationship generally is not a confidential relationship under Georgia law, this Court

held that the plaintiff had not pled “any special circumstances showing that he had a

particular relationship of trust or mutual confidence with [the bank].” Id. at 262 (2).19

ln other words, the fact that the plaintiff gave the bank his personal information to

receive services, and the bank promised to protect this information, did not create a

confidential relationship under Georgia law.


      19
        See Jenkins v. Wachovia Bank, N.A., 325 Ga. App. 376, 377 (752 SE2d 633)
(2013) (Because the Supreme Court in Wells Fargo Bank, N.A. v. Jenkins, 293 Ga.
162 (744 SE2d 686) (2013), did not address or consider Division 2 of our earlier
opinion in Jenkins v. Wachovia Bank, N.A., 314 Ga. App. 257 (724 SE2d 1) (2012),
and because that portion of our earlier opinion was consistent with the Supreme
Court’s opinion, that division remains binding.).

                                           24
      McConnell contends that commercial relationships like the bank-customer

relationship at issue in Jenkins v. Wachovia Bank, N.A. are fundamentally different

from the relationship between him and the Department, given that a customer can

choose another bank while a citizen like him, in order to obtain unemployment

benefits, has no choice but to comply with the Department’s demand to provide

personal information. McConnell failed to identify any context, however, in which

a fiduciary relationship has been deemed to arise between a citizen and an agency,

based on a theory that the agency’s status as a gatekeeper for government benefits

places the agency in a position so as to exercise a controlling influence over the

citizen’s interest. This argument fails.

      4. McConnell contends that the trial court erred in ruling that he failed to state

a claim upon which relief can be granted for invasion of privacy, public disclosure

of private facts, based, inter alia, on its determination that the elements of that tort

cannot be satisfied unless the facts at issue are embarrassing private facts. McConnell

argues that

      Georgia law recognizes a variety of information as private and not
      subject to public disclosure, including certain financial and banking
      records, medical records, certain police records (particularly records of
      juvenile crime) and records related to status as a victim of a crime

                                           25
      (particularly sexual assault). The law recognizes a claim for
      unauthorized disclosure of private information in these circumstances.


      Under Georgia law,

      there are four disparate torts under the common name of invasion of
      privacy. These four torts may be described briefly as: (1) intrusion upon
      the plaintiff’s seclusion or solitude, or into his private affairs; (2) public
      disclosure of embarrassing private facts about the plaintiff; (3) publicity
      which places the plaintiff in a false light in the public eye; and (4)
      appropriation, for the defendant’s advantage, of the plaintiff’s name or
      likeness.


(Citation and punctuation omitted.) Bullard v. MRA Holding, LLC, 292 Ga. 748, 751-

752 (2) (740 SE2d 622) (2013). There are at least three necessary elements for

recovery for

      [p]ublic disclosure of embarrassing private facts about the plaintiff[,] .
      . . : (a) the disclosure of private facts must be a public disclosure; (b) the
      facts disclosed to the public must be private, secluded or secret facts and
      not public ones; (c) the matter made public must be offensive and
      objectionable to a reasonable man of ordinary sensibilities under the
      circumstances.




                                           26
Cabaniss v. Hipsley, 114 Ga. App. 367, 372 (2) (151 SE2d 496) (1966). See also

Thomason v. Times-Journal, 190 Ga. App. 601, 604 (4) (379 SE2d 551) (1989)

(accord).

      In Cumberland Contractors, Inc. v. State Bank & Trust Co., the plaintiffs

claimed that the defendant bank’s publication of their social security numbers could

result in identify theft, credit card fraud, and other offenses that might damage them

personally and financially. We held that such allegations

      do not fall within the causes of action for invasion of privacy because
      there is no allegation that [the defendant] (1) intruded into the
      [plaintiffs’] seclusion, (2) disclosed embarrassing private facts, (3)
      depicted the [plaintiffs] in a false light, or (4) appropriated the
      [plaintiffs’] name or likeness for [the defendant’s] own advantage.


Cumberland Contractors, Inc. v. State Bank & Trust Co., 327 Ga. App. 121, 126 (2)

(a) (755 SE2d 511) (2014). As a result, we held, the trial court properly dismissed the

plaintiffs’ claim for invasion of privacy for failure to state a claim for relief under

Georgia law. Id. The trial court in this case properly dismissed McConnell’s invasion




                                          27
of privacy claim for the same reason. Id.; Jenkins v. Wachovia Bank, N.A., 314 Ga.

App. at 262-263 (3)20; Cabaniss v. Hipsley, 114 Ga. App. at 372 (2).

      Judgment affirmed in part and reversed in part. Senior Appellate Judge

Herbert E. Phipps, concurs and Mercier, J., concurs specially in Division 1 and

concurs fully in Divisions 2,3 and 4.*

      *DIVISION 1 OF THIS OPINION IS PHYSICAL PRECEDENT ONLY,

COURT OF APPEALS RULE 33.2 (a)”.




      20
        See Jenkins v. Wachovia Bank, N.A., 325 Ga. App. 376, 377 (752 SE2d 633)
(2013) (Because the Supreme Court in Wells Fargo Bank, N.A. v. Jenkins, 293 Ga.
162 (744 SE2d 686) (2013), did not address or consider Division 3 of our earlier
opinion in Jenkins v. Wachovia Bank, N.A., 314 Ga. App. 257 (724 SE2d 1) (2012),
and because that portion of our earlier opinion was consistent with the Supreme
Court’s opinion, that division remains binding.).
 A16A0655. McCONNELL et al. v. GEORGIA DEPARTMENT OF

       LABOR.

      MERCIER, Judge, concurring specially.

      I concur specially with the majority’s holding in Division 1. While I believe

that the majority’s adherence to and analysis of Department of Transp. v.

Montgomery Tank Lines, Inc., 276 Ga. 105 (575 SE2d 487) (2003) is correct, I am

concerned about the continued viability of Montgomery Tank Lines in light of the

Supreme Court’s recent decisions in Lathrop v. Deal, 301 Ga. 408 (801 SE2d 867)

(2017) and Georgia Department of Nat. Resources v. Center for a Sustainable Coast,

Inc., 294 Ga. 593 (755 SE2d 184) (2014). However, any tension that may exist among

these cases is not for this Court to resolve. I am constrained to agree with the

majority’s holding in Division 1. Therefore, I concur specially in Division 1. I concur

fully in Divisions 2, 3 and 4.
