
    A11A2053.
    JENKINS v. WACHOVIA BANK, N.A. et al.
    (724 SE2d 1)
   McFADDEN, Judge.

Stephen Kale Jenkins brought a tort action against Wachovia Bank, N.A., Wells Fargo Bank, N.A., and all predecessor and successor entities and John Doe corporations (collectively, the “Bank”), in which he alleged that a Bank teller had improperly accessed Jenkins’s confidential information and given it to her husband, allowing the husband to steal Jenkins’s identity. Pertinent to this appeal, Jenkins asserted claims that the Bank negligently failed to protect the information, breached a duty of confidentiality, and invaded his privacy. The trial court granted the Bank’s motion for judgment on the pleadings. Because the well-pleaded allegations of Jenkins’s complaint, taken as true, establish the elements of his negligence claim, we reverse the judgment on the pleadings as to that claim. Because Jenkins fails to assert in his complaint facts showing that the Bank owed him a confidential duty or invaded his privacy, we affirm the judgment on the pleadings as to the remaining claims.

A motion for judgment on the pleadings should be granted only if the moving party is clearly entitled to judgment. Sherman v. Fulton County Bd. of Assessors, 288 Ga. 88, 90 (701 SE2d 472) (2010). “[A]ll well-pleaded material allegations of the opposing party’s pleading are to be taken as true, and all allegations of the moving party which have been denied are taken as false.” (Citation and punctuation omitted.) Id. We review the trial court’s ruling on a motion for judgment on the pleadings de novo. McCobb v. Clayton County, 309 Ga. App. 217 (710 SE2d 207) (2011).

Construed in favor of Jenkins, the complaint contained the following allegations. Jenkins was a former customer of a financial institution acquired by the Bank, and the Bank maintained records containing his confidential information. The Bank “falsely represented to its customers and members of the general public that it created and implemented a system to adequately protect the private and personal identifying information entrusted to it by its customers and by customers of acquired financial institutions.” A Bank teller “who had no need, business or otherwise[,] to any of [Jenkins’s information], was nevertheless granted access to [that] information” by the Bank. The teller gave the information to her husband, whose last name also was “Jenkins” and who used the information to steal Jenkins’s identity. This damaged his credit, hindered his efforts to obtain loans, required him to spend “enormous amounts of time and energy trying to correct false credit reports,” and caused him emotional injury.

In granting judgment on the pleadings to the Bank, the trial court concluded that

the acts or alleged failure to act on behalf of [the Bank] do not state a cause of action under the laws of the State of Georgia. [The Bank] simply maintained a database containing the personal financial information of former and current customers. [The Bank] did not publish [Jenkins’s] private information. A [Bank] employee accessed the database and obtained the confidential information and illegally provided it to her husband.

1. Negligence. “In order to have a viable negligence action, a plaintiff must satisfy the elements of the tort, namely, the existence of a duty on the part of the defendant, a breach of that duty, causation of the alleged injury, and damages resulting from the alleged breach of the duty.” (Citation omitted.) Rasnick v. Krishna Hospitality, 289 Ga. 565, 566 (713 SE2d 835) (2011). Jenkins argues that the facts alleged in his complaint demonstrate all of these elements, while the Bank contends that as a matter of law Jenkins cannot show that the Bank owed him a duty, that it breached that duty, or that any such breach caused the theft of his identity. As detailed below, we agree with Jenkins that the allegations of his complaint, taken as true, present a negligence claim, and that the trial court thus erred in granting judgment on the pleadings to the Bank as to this claim.

(a) Existence of a duty. In a negligence action,

[t]he legal duty is the obligation to conform to a standard of conduct under the law for the protection of others against unreasonable risks of harm. . . . The duty can arise either from a valid legislative enactment, that is, by statute, or be imposed by a common law principle recognized in the case law.

(Citations omitted.) Rasnick, 289 Ga. at 566-567. As explained below, we agree with Jenkins that the Gramm-Leach-Bliley Act (“GLBA”), 15 USC § 6801 et seq., imposed a legal duty upon the Bank to protect Jenkins’s confidential personal information.

The GLBA provides in pertinent part that “[i]t is the policy of the Congress that each financial institution has an affirmative and continuing obligation ... to protect the security and confidentiality of [its] customers’ nonpublic personal information.” 15 USC § 6801 (a). Although the GLBA does not create a private right of action for a violation of its terms, Finnerty v. State Bank & Trust Co., 301 Ga. App. 569, 570 (2) (687 SE2d 842) (2009), its plain language states that financial institutions have a duty to protect certain information of their customers. And OCGA § 51-1-6 authorizes a plaintiff to recover damages for the breach of a legal duty even when that duty arises from a statute that does not provide a private cause of action. See Landis v. Rockdale County, 206 Ga. App. 876, 879 (2) (427 SE2d 286) (1992) (OCGA § 51-1-6 does not create a legal duty but defines a tort and authorizes damages when a legal duty is breached). OCGA § 51-1-6 states, “[w]hen the law requires a person to perform an act for the benefit of another or to refrain from doing an act which may injure another, although no cause of action is given in express terms, the injured party may recover for the breach of such legal duty if he suffers damage thereby.” A duty imposed by a federal statute such as the GLBA is a duty imposed by law under OCGA § 51-1-6. See Dupree v. Keller Indus., 199 Ga. App. 138, 141 (1) (404 SE2d 291) (1991) (federal OSHA regulations are admissible as evidence of a legal duty, the violation of which may give a cause of action under OCGA § 51-1-6). Cf. McLain v. Mariner Health Care, 279 Ga. App. 410, 413 (2) (631 SE2d 435) (2006) (allegations of violation of federal statutes and regulations support claim of breach of legal duty in both traditional negligence action and action for negligence per se); Mauldin v. Sheffer, 113 Ga. App. 874, 880 (150 SE2d 150) (1966) (duty imposed by law includes duty imposed by valid statutory enactment of the legislature).

The Bank cites Winter Park Condo. Ltd. Partnership v. Wachovia Bank, N.A., 2009 WL 290992 (M.D. Fla. 2009), for the proposition that the GLBA does not impose upon it a duty to protect its customers’ information. But the court in that case stated otherwise:

Winter Park Condominium . . . asserts that the [GLBA] imposes additional duties upon banks, such as Wachovia, to safeguard their customers’ confidential financial information. While this is true as far as it goes, it is not enough [to support Winter Park’s claim of breach of fiduciary duty], as it does not suggest that the possession of a customer’s confidential information by a bank, standing alone, is enough to establish a fiduciary relationship between the bank and the customer.

(Emphasis supplied.) Id. Thus, Winter Park Condo. Ltd. Partnership concerns a claim of breach of fiduciary duty based on the existence of a fiduciary relationship, not a claim of negligence based upon a duty of care imposed by the GLBA. And we are not persuaded by the Bank’s cite to a federal magistrate court’s report and recommendation, concurred in by the district court in Daniels v. Experian Information Solutions, 2009 WL 1811548 (S.D. Ga. 2009). In concluding that no private right of action existed for alleged violations of the GLBA, the magistrate court relied upon the analysis in Winter Park Condo. Ltd. Partnership, which, as discussed above, did not concern the type of claim presented in this case. Daniels, supra. Moreover, the magistrate court did not address the application of OCGA § 51-1-6. Daniels, supra.

(b) Breach. The Bank argues that allowing a teller access to confidential customer information alone cannot demonstrate a breach of its duty to protect that information under the GLBA, emphasizing that tellers need access to customer information to perform their jobs. We must take as true, however, Jenkins’s allegation that the teller in this case had no need for his information and that her access to it was unnecessary. We also must take as true Jenkins’s allegations that the Bank failed to implement and follow security procedures regarding customer information, failed to protect that information’s confidentiality, failed to guard against its misuse, and failed to detect, report and stop its employee’s suspicious activities regarding customer information. The question is not whether allowing a teller access to customer information alone can demonstrate a breach of the duty to protect that information, but whether allowing a teller unnecessary access to the information, combined with the other alleged failures of the Bank, can demonstrate a breach of the duty to protect that information. The facts alleged by Jenkins were sufficient to support a claim that the Bank breached its duty under theories of both negligence and negligence per se. See generally Groover v. Johnston, 277 Ga. App. 12, 13 (1) (625 SE2d 406) (2005) (discussing elements of negligence per se).

(c) Causation. Jenkins contends that the Bank’s breach of its duty to protect his information proximately caused the theft of his identity, because the teller who improperly obtained the information gave it to her husband, the identity thief. The Bank responds that the acts of its employee and her husband broke the causal chain and precluded its liability as a matter of law.

[Generally, an independent, intervening criminal act of a third party, without which the injury would not have occurred, will be treated as the proximate cause of the injury superseding any negligence of the defendant unless the intervening criminal act is a reasonably foreseeable consequence of the defendant’s negligent act.

(Citations and punctuation omitted; emphasis supplied.) Tucker Fed. Sav. & Loan Assn. v. Balogh, 228 Ga. App. 482, 484 (491 SE2d 915) (1997). But we cannot conclude that as a matter of law the intervening criminal act in this case — the wrongful appropriation and use of Jenkins’s information by an identity thief — was an unforeseeable consequence of the Bank’s alleged breach of its duty to protect that information. See Wachovia Bank of Ga. v. Reynolds, 244 Ga. App. 1, 4 (1) (b) (533 SE2d 743) (2000) (where certificate of deposit account with bank was established by power of attorney with special instructions indicating potential incapacity of depositor, a third party’s theft of depositor’s money after he withdrew it without assistance was not unforeseeable as a matter of law; thus, court did not err in denying motion for directed verdict on claim that bank breached a duty by allowing depositor to withdraw the money unassisted). Compare Tucker Fed. Sav. & Loan Assn., 228 Ga. App. at 484 (bank robber’s act of shooting bystander in parking lot of neighboring store after dye pack hidden among stolen money exploded during robber’s attempted getaway was an intervening proximate cause of bystander’s death; thus, as a matter of law, victim’s death was not proximately caused by bank teller’s act of including dye pack with money during robbery).

2. Breach of a Duty of Confidentiality. Jenkins alleged a separate claim that the Bank “breached [its] implied duty to [him] to keep and maintain his credit and identity information in confidence.” He argues that he had a confidential relationship with the Bank by virtue of the GLBA. We disagree.

OCGA § 23-2-58 provides that

[a]ny relationship shall be deemed confidential, whether arising from nature, created by law, or resulting from contracts, where one party is so situated as to exercise a controlling influence over the will, conduct, and interest of another or where, from a similar relationship of mutual confidence, the law requires the utmost good faith, such as the relationship between partners, principal and agent, etc.

“Generally, there is no confidential relationship between a bank and its customers,” Savu v. SunTrust Bank, 293 Ga. App. 683, 691 (3) (668 SE2d 276) (2008), and we disagree with Jenkins’s contention that the GLBA created such a confidential relationship as a matter of law. The language of the GLBA does not require such an interpretation, see Winter Park Condo. Ltd. Partnership, and such an interpretation would effectively do away with Georgia’s general rule that the bank-customer relationship is not confidential. Moreover, Jenkins has not pled any special circumstances showing that he had a particular relationship of trust or mutual confidence with the Bank in this case. Cf. Morrell v. Wellstar Health System, 280 Ga. App. 1, 7-8 (5) (633 SE2d 68) (2006) (dismissal of patients’ claim against hospital was proper, where nonprofit hospitals generally have no fiduciary duty to patients with respect to prices charged for medical care, and the plaintiff patients did not claim that there were facts showing a particular relationship of trust or mutual confidence had been created between themselves and the hospital). We find no error in the court’s grant of judgment on the pleadings as to the claim for breach of a duty of confidentiality.

3. Invasion of Privacy.

Under Georgia case law, the concept of invasion of privacy encompasses four loosely related but distinct torts, as follows: (1) intrusion upon the plaintiffs seclusion or solitude, or into his private affairs; (2) public disclosure of embarrassing private facts about the plaintiff; (3) publicity which places the plaintiff in a false light in the public eye; and (4) appropriation for the defendant’s advantage of the plaintiffs name and likeness.

(Citation omitted.) Johnson v. Allen, 272 Ga. App. 861, 863-864 (1) (613 SE2d 657) (2005). Jenkins alleged that the Bank “allowed the intrusion into [his] private facts.” But he did not plead any facts demonstrating that the Bank unreasonably pried or intruded into his private concerns, as required for a claim of invasion of privacy based upon intrusion. See Yarbray v. Southern Bell Tel. &c. Co., 261 Ga. 703, 705 (1) (409 SE2d 835) (1991). Jenkins also alleged that the Bank “allowed the public disclosure of private facts.” But he did not plead any facts demonstrating that the Bank distributed his information to the public at large, as required for a claim of invasion of privacy based on the public disclosure of private facts. See Finnerty, 301 Ga. App. at 571 (3). And Jenkins did not plead any facts demonstrating that the Bank’s employee, the teller, had committed any of these acts in the course of her employment, as required for the Bank to be liable under a theory of respondeat superior; to the contrary, he alleged that the teller’s actions had no connection with the performance of her job responsibilities. See Doe v. Village of St. Joseph, Inc., 202 Ga. App. 614, 616 (1) (415 SE2d 56) (1992) (summary judgment appropriate where undisputed facts showed that employee’s misconduct was personal in nature and unrelated to the performance of his employment duties). We find no error in the trial court’s grant of judgment on the pleadings to the Bank on the invasion of privacy claim.

Decided February 21, 2012

James W Kytle, for appellant.

Womble, Carlyle, Sandridge & Rice, Robert R. Ambler, Jr., John G. Perry, for appellee.

Judgment affirmed in part and reversed in part.

Phipps, P J., and Andrews, J., concur.  