Beyond the familiar challenges of establishing standing and proving injury from a data breach, courts are increasingly grappling with threshold questions about the viability of plaintiffs’ legal theories. One recurring issue is whether—and to what extent—a corporate defendant owes a duty of care to safeguard personal data from third-party attacks.
Under state tort law, the answer varies by jurisdiction. In Georgia, the Court of Appeals recently addressed this question for the first time in Bland v. Urology of Greater Atlanta, LLC, No. A25A1133, 2025 WL 2826837 (Ga. Ct. App. 2025), and recognized a duty of care to protect personally identifiable information (PII) against foreseeable risks of data breaches.
Background of Bland
The case arose from a 2016 data breach in which hackers infiltrated Athens Orthopedic Clinic’s systems and stole data from more than 200,000 current and former patients. The compromised PII included Social Security numbers, birth dates, addresses, and health insurance details—some of which later appeared for sale on the dark web. Patients sued for negligence and breach of implied contract, but the trial court dismissed the case for failure to state a claim.
Allegations Based on “Information and Belief”
Plaintiffs often lack direct evidence of inadequate security practices and rely on allegations “based on information and belief.” The defendant in Bland argued these should be disregarded, but the Court of Appeals disagreed, holding that such allegations are permissible if they assert specific facts formed on information and belief, rather than a mere belief that a fact exists.
Duty of Care Under Georgia Tort Law
The central issue was whether Georgia law imposes a duty to safeguard PII in the context of a medical practice. The court found persuasive the Eleventh Circuit’s decision in Ramirez v. The Paradies Shops, 69 F.4th 1213 (11th Cir. 2023), which held that employers have a duty to protect employees’ sensitive data when a breach is reasonably foreseeable.
Applying similar reasoning, the court concluded that plaintiffs sufficiently alleged foreseeability: medical identity theft is a growing crime, and the defendant knew of the risk and could have prevented the breach through proper security measures. According to the Court of Appeals, this was enough to establish a duty of care at the pleading stage.
Cognizable Injury
Finally, the court held that plaintiffs adequately alleged injury by claiming that cybercriminals stole a substantial amount of their personal data, some of which was offered for sale, and that they face an imminent risk of fraud, identity theft, and misuse.
Takeaways
Bland signals a significant development in Georgia data breach litigation. By recognizing a duty of care to safeguard PII, the court has opened the door for negligence claims to proceed past the motion-to-dismiss stage—particularly where plaintiffs can allege foreseeability and inadequate security measures.
This article originally appeared on Freeman Mathis & Gary, LLP.
About the Authors:
Jacob A. Berlinger is an associate at Freeman Mathis & Gary, LLP. Jacob.Berlinger@fmglaw.com
David A. Cole is a partner at Freeman Mathis & Gary, LLP. david.cole@fmglaw.com