Emerging issues in data breach litigation: Duty of care under Georgia law

11/19/25

By: Jacob Berlinger and David Cole

Beyond the familiar challenges of establishing standing and proving injury from a data breach, courts are increasingly grappling with threshold questions about the viability of plaintiffs’ legal theories. One recurring issue is whether—and to what extent—a corporate defendant owes a duty of care to safeguard personal data from third-party attacks.

Under state tort law, the answer varies by jurisdiction. In Georgia, the Court of Appeals recently addressed this question for the first time in Bland v. Urology of Greater Atlanta, LLC, No. A25A1133, 2025 WL 2826837 (Ga. Ct. App. 2025), and recognized a duty of care to protect personally identifiable information (PII) against foreseeable risks of data breaches.

Background of Bland

The case arose from a 2016 data breach in which hackers infiltrated Athens Orthopedic Clinic’s systems and stole data from more than 200,000 current and former patients. The compromised PII included Social Security numbers, birth dates, addresses and health insurance details—some of which later appeared for sale on the dark web. Patients sued for negligence and breach of implied contract, but the trial court dismissed the case for failure to state a claim.

Allegations Based on “Information and Belief”

Plaintiffs often lack direct evidence of inadequate security practices and rely on allegations “based on information and belief.” The defendant in Bland argued these should be disregarded, but the Court of Appeals disagreed, holding that such allegations are permissible if they assert specific facts formed on information and belief, rather than a mere belief that a fact exists.

Duty of Care Under Georgia Tort Law

The central issue was whether Georgia law imposes a duty to safeguard PII in the context of a medical practice. The Court found persuasive the Eleventh Circuit’s decision in Ramirez v. The Paradies Shops, 69 F.4th 1213 (11th Cir. 2023), which held that employers have a duty to protect employees’ sensitive data when a breach is reasonably foreseeable.

Applying similar reasoning, the Court concluded that plaintiffs sufficiently alleged foreseeability: medical identity theft is a growing crime, and the defendant knew of the risk and could have prevented the breach through proper security measures. According to the Court of Appeals, this was enough to establish a duty of care at the pleading stage.

Cognizable Injury

Finally, the Court held that plaintiffs adequately alleged injury by claiming that cybercriminals stole a substantial amount of their personal data, some of which was offered for sale, and that they face an imminent risk of fraud, identity theft and misuse.

Takeaways

Bland signals a significant development in Georgia data breach litigation. By recognizing a duty of care to safeguard PII, the Court has opened the door for negligence claims to proceed past the motion-to-dismiss stage—particularly where plaintiffs can allege foreseeability and inadequate security measures.

For more information, please contact David Cole at david.cole@fmglaw.com, Jacob Berlinger at jacob.berlinger@fmglaw.com or your local FMG attorney.

Information conveyed herein should not be construed as legal advice or represent any specific or binding policy or procedure of any organization. Information provided is for educational purposes only. These materials are written in a general format and not intended to be advice applicable to any specific circumstance. Legal opinions may vary when based on subtle factual distinctions. All rights reserved. No part of this presentation may be reproduced, published or posted without the written permission of Freeman Mathis & Gary, LLP.