author photo
By Clare O’Gara
Thu | Aug 22, 2019 | 3:53 AM PDT

It's not everyday you hear about a Dark Overlord changing Supreme Court precedents.

But in Georgia, maybe that's just par for the course.

'Dark Overlord' data breach could change cyber law in Georgia

It all comes down to one question: what has to happen before a data breach victim can sue for damages?

The 2016 Athens Orthopedic Clinic (AOC) hack spurred the attention. The Atlanta Journal-Constitution covered the breach:

A cyber thief calling himself the "Dark Overlord" hacked into the databases of a Clarke County medical clinic and emerged with the personal information of an estimated 200,000 patients.

The AOC refused to pay the hacker’s ransom and advised current and former patients to set up anti-fraud protections.

Now, three of those 200,000 patients are suing the AOC for damages.

But what the Georgia Supreme Court really wants to answer is, do they have a right to?

Must a data breach victim suffer actual financial loss to be compensated under the law? Or is the threat of future harm enough?

Potential ramifications of a new data breach precedent

The Georgia Court of Appeals ruled against the three victims last year, but the Supreme Court opted to take a look at the case anyway.

And while its decision only applies to the State of Georgia, its implications could reach far wider.

For one, state Supreme Court decisions can influence the rulings of judges from other U.S. states.

And an overall landscape of change surrounding data breach victims could also impact the legal system immensely:

Their answer could have broad ramifications. Atlanta-based Equifax, Georgia Tech and the Georgia Secretary of State's Office are just some of the places where breaches have exposed the data of millions of people.

Georgia's decision could change the shape of the state's cyber law framework. And it may extend beyond the state itself.

An interview with Jordan Fischer: justice in data breach cases

This Georgia case ultimately comes down to legal standing. Who has the right to show their case in court? And when do they get this right?

In an interview with SecureWorld, Jordan Fisher, XPAN Law Group Co-Founder and Managing Partner, discussed the changing landscape of the Standing Doctrine in data breach cases:

In the cyber context, it's been very hard to show damages because I could have my identity stolen today or I could have it stolen in 20 years.

But if it hasn't been stolen, the future harm is not enough to get you Standing in court.

Now we're starting to see that change because judges are seeing that this is really an unfair outcome for a lot of data subjects.

Check out the full interview with Fischer: