Georgia data breach lawsuit dismissed after plaintiffs say it worked

A class-action lawsuit alleging a massive data breach by the Georgia Secretary of State's Office has been dismissed at the request of the plaintiffs, after they said it accomplished their goal of forcing the state to acknowledge that the personal data of more than 6 million registered voters had been exposed.

“From our perspective, the lawsuit has done exactly what we wanted it to do,” said attorney Jennifer Jordan, who represented Elise Piper and Yvette Sanders in the suit, which they filed in November in Fulton County Superior Court. “We just want to make sure this doesn’t happen again.”

Although the breach occurred Oct. 13, the Secretary of State’s Office said it didn’t find out about it until Nov. 13. It also didn’t publicly disclose it until Nov. 18, after The Atlanta Journal-Constitution wrote about the lawsuit alleging a massive breach within the office.

“We were pleased to learn of the dismissal,” David Dove, the office’s chief of staff and legal counsel, said in a statement Monday. “Enrollment for credit monitoring will continue to be open until Feb. 14, and all affected voters are covered by identity theft restoration services.”

The state hired Austin, Texas-based data protection company CSID last month to provide voters a year of free credit and identity theft monitoring services, costing the state $1.2 million. Georgia voters whose data were exposed in the breach are additionally eligible for identity theft restoration services if their identity is compromised over the next year.

To sign up for the services, go to www.csid.com/gasos/.

The personal data released in the breach — including Social Security numbers, birth dates and driver’s license numbers — appear to have been inadvertently sent to 12 organizations that regularly subscribed to “voter lists” maintained by the state.

The groups receiving the data — delivered via compact discs — included state political parties, news media organizations and Georgia GunOwner Magazine.

Secretary of State Brian Kemp has said all 12 data discs have either been recovered or destroyed. Kemp has blamed the actions of a single employee, whom he fired after the breach became public. But records reviewed by the AJC showed the problem was deeper than he has acknowledged, revealing a business culture that ignored written policies for the sake of expediency.

The state agency has published on its website an official notice of the breach as required by state law, and it has staffed a hotline about the breach at 404-654-6045. But some voters said the state needed to be more proactive about telling voters that monitoring was available.