Did the Georgia Secretary of State release the social security numbers, driver’s license numbers, and dates of birth of every registered Georgia voter? Those are the allegations first made by putative class representatives, Elise Piper and Yvette Sanders, in a recently filed Fulton County Superior Court lawsuit and confirmed by recent statements by the Secretary of State. For its part, the Secretary of State attributes the data leak to a “clerical error,” which it alleges involved the dissemination of CD-ROMs containing extraneous data to only 12 recipients and that the disks are in the process of being recovered. Piper and Sanders also allege that, despite being on notice of the leak, the state failed to notify the affected voters, or credit reporting agencies, in violation of the Georgia Personal Identity Protection Act of 2007 (GPIPA). Nonetheless, as troubling as the release of this information may be to voters - who may be dubious that the leak has been contained and concerned about the risk of identity theft or fraud - as a legal matter, it is unclear what, if any, remedy is available to plaintiffs.
The Data Leak
Per the complaint, the social security and driver’s license numbers were collected as part of the voter registration process. However, the suit alleges that although the voter registration process only required the last four digits of each voter’s social security number, the Secretary of State nonetheless maintained “each voter’s complete social security and driver’s license number.”
Some voter identification information, such as names and addresses - but not social security and driver’s license numbers - is regularly maintained in a “Voter File” which is routinely provided on CD-ROM to media members and political parties free of charge. The Voter File was also available to the general public for a $500 fee. However, plaintiffs allege, when the October 2015 Voter File was distributed, it not only contained standard voter identification information but also the social security number, driver’s license number, and date of birth for all 6,184,281 registered Georgia voters.
The Georgia Personal Identity Protection Act
Legally, the type of data released is a distinction with a difference. The GPIPA - like many similar state data breach notification statutes - defines “Personal Information,” in relevant part, as “an individual’s first name or first initial and last name in combination with any one or more of the following data elements” including a “social security number” or “driver’s license number.” Thus, while the dissemination of the standard Voter File containing voters’ names and addresses alone likely did not constitute a release of protected “personal information,” the alleged release of that information in conjunction with social security and driver’s license numbers could be deemed a breach.
Of course, even if the information was - as it appears to be - “Personal Information,” that is not the end of the inquiry. Other key questions include whether the Georgia Secretary of State is an “information broker or data collector” subject to the Act, whether the release of the information was a “breach of the security of the system” within the meaning of the Act, and whether the state failed to comply with the notice requirements of GPIPA.
Taking the complaint at face value, it would appear the answer to the first two questions is “yes.” The GPIPA defines a “data collector” to include state agencies and actors as long as they are not maintaining records “primarily for traffic safety, law enforcement, or licensing purposes or for purposes of providing public access to court records or to real or personal property information.” Assuming the Secretary of State cannot meet any of these exceptions - as seems likely - they are a “data collector.” Likewise, the Act defines “breach of the security of the system” to mean “unauthorized acquisition of an individual’s electronic data that compromises the security, confidentiality, or integrity of personal information.” Again, based on the available information, this definition would appear to have been met by the dissemination of the personal information to media and political parties. That said, the Secretary of State may argue the release of the information to a dozen people, that those individuals were not “unauthorized,” and prompt efforts to recover the disks and contain the leak protected “the security, confidentiality, or integrity of personal information.” Of course, the fact that plaintiffs’ counsel apparently ended up with one of the disks undermines these arguments.
Turning to the next question, if the GPIPA applies and the release was a breach, what was the Secretary of State required to do? Under the GPIPA, any information broker or data collector “shall give notice of any breach of the security of the system following discovery or notification of the breach” to Georgia residents whose unencrypted personal information was “acquired by an unauthorized person.” With regard to timing, the notice shall be made “in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement.” Law enforcement may delay notification if “a law enforcement agency determines that the notification will compromise a criminal investigation.” Finally, where, as here, a breach requires notification to more than 10,000 residents, the data collector must also inform “all consumer reporting agencies.” Per the complaint, the Secretary of State did not provide notice to affected voters or consumer reporting agencies in the approximately one-month since the release, which could constitute a lack of notice. On the other hand, perhaps the state can argue that the length of time that has passed since the potential breach without notification was not an “unreasonable delay” in light of the facts surrounding the release.
As for the type of notice required, the Act typically requires written, telephonic, or, with prior permission, electronic notice. However, where the cost of the notice, as here, would exceed $50,000 or the breach affected more than 100,000 individuals, “substitute notice” may be appropriate. This can include notice by email (when known), conspicuous notice on the entity’s website, and notification via state-wide media. Thus, in this case, the statute could likely be satisfied with a press release and conspicuous notification on the Secretary of State web page - an embarrassment perhaps but not a huge logistical hurdle.
Do Plaintiffs Have a Case?
Despite the possibility that the Secretary of State may have violated the GPIPA, plaintiffs’ remedy, if any, is unclear. Notably, plaintiffs have not sued for damages - likely because the GPIPA does not expressly allow damages and, regardless, seeking damages would likely trigger a sovereign immunity fight. Rather, the suit seeks equitable relief requiring the Secretary of State to comply with the GPIPA’s notification requirements and “prevent future harm due to the disclosure,” and attorneys’ fees. While it is difficult to imagine that GPIPA was enacted without any enforcement mechanism or remedy, unlike many other states’ data privacy laws, the GPIPA does not expressly create an independent civil cause of action, contain any statutory remedies, or provide for an award of attorneys’ fees.
Moreover, while the only two published cases that have examined the Act have not foreclosed a private right of action, neither has expressly found one, either. In the first, Willingham v. Global Payments, Inc., the Northern District of Georgia held the act inapplicable because the plaintiffs in that case were not residents of Georgia. More recently, in an opinion arising out of the In re Target data breach litigation, the court allowed plaintiff’s GPIPA claim to survive a motion to dismiss because “Georgia’s data-breach-notice statute is silent as to enforcement” and “neither party cites any case regarding how a court should interpret silence as to enforcement under Georgia law.” The plaintiffs’ chance of success is unclear based on the paucity of case law examining the GPIPA - and the fact that no court has affirmatively found a private cause of action.
Lessons for Government and Industry
Although the merits of plaintiffs’ suit are an open question - both because the Secretary of State may have a viable defense and because the GPIPA may be relatively toothless - it still carries important lessons for businesses and others collecting and processing personal information. First, the Secretary of State’s “clerical error” illustrates the risk of collecting more data than needed. If only the last four digits of voters’ social security numbers were necessary, then the retention of complete social security and driver’s license numbers appears to have been an unnecessary risk that, in this case, led to a substantial data leak and litigation. Second, those collecting and processing personal information should know - and comply with - data breach notification laws. For larger companies, this likely means compliance with various states’ disclosure laws - many of which have much clearer penalties and enforcement mechanisms than the GPIPA. Finally - and perhaps most fundamentally - data collectors and custodians should have a robust information management program in place that is commensurate with the volume and sensitivity of the data at issue. Simply put, a data management system with sufficient checks and safeguards should prevent a “clerical error” from potentially putting millions at risk.