Georgia Just Forced Cybersecurity Liability Onto Every Company in the US
Here is the story of how the state of Georgia just forced Cybersecurity Liability onto every company operating in the United States and made class-action lawsuits for data breaches much easier. How must companies now protect themselves?
In October 2025, the Georgia Court of Appeals handed down a decision in Bland v. Urology of Greater Atlanta, ruling that companies owe a “Duty of Care” to safeguard personal data against foreseeable risks.
Previously, companies could hide behind tort laws that protected them from liability. Generally, companies could defend data breaches with a “No Harm, No Foul” defense and force victims to prove a negative impact as a result of the data breach.
The Georgia ruling holds companies accountable not just for the data, but for the protection of the data. In other words, if the data is not reasonably protected with IT and cybersecurity, a company located in Georgia, based in Georgia, or with regional operations in Georgia can be sued and held liable.
What Happened in Bland v. Urology of Atlanta?
The case began after a 2021 data breach at Urology of Greater Atlanta (UGATL), which exposed the sensitive data of over 79,000 patients and employees.
Names, Social Security numbers, dates of birth – all PII – and highly sensitive medical information were stolen.
The plaintiffs, Michael Bland and Cathy Kreider, alleged that their data ended up on the “dark web” and that they had already experienced actual identity theft and out-of-pocket expenses.
Initially, a lower court dismissed the case, essentially ruling the plaintiffs had not proved that the medical practice had a “legal duty” to keep that data safe under Georgia’s specific tort laws, or that the “risk” of future harm was enough to sue.
However, on October 6, 2025, the Georgia Court of Appeals reversed that dismissal. The court’s decision changed critical legal standards in a way that can essentially open the floodgates for future class-action lawsuits over data breaches.
Court Ruling That Changes Cybersecurity Liability
Recognition of “Duty of Care”:
For the first time, the court explicitly recognized that companies in Georgia owe a legal duty to protect personally identifiable information (PII) against foreseeable risks. If a company knows hackers exist (which they all do) and doesn’t use reasonable security – or reasonable “cybersecurity” – it is now legally “negligent.”
“Information and Belief” is Enough:
The court ruled that victims don’t need a “smoking gun” (like a leaked internal email admitting to bad security) to start a lawsuit. They can sue based on “information and belief” that security was inadequate because a breach occurred.
Imminent Risk as Injury:
The court held that the high risk of identity theft following a breach—especially when data is confirmed to be on the dark web—is a “cognizable injury.” You don’t have to wait for your bank account to be drained before you have the right to sue.
What Does This Mean for Companies and Cybersecurity?
The court’s ruling lowers the threshold for class-action lawsuits over data breaches. Victims no longer need to prove financial damage or produce smoking-gun evidence that cybersecurity was inadequate. Furthermore, companies in Georgia now must guard PII like cash with proper security. If any bit of cybersecurity is inadequate, the company can be sued.
How Does a Georgia Case Have National Impact?
While technically a Georgia-only case, the Bland ruling can serve as the blueprint for future laws and similar lawsuits in other states.
Georgia, and the Atlanta area in particular, is also a major hub, with numerous companies placing headquarters or regional offices in the metro area – which also means they are subject to this ruling.
National lawmakers and agencies (like the FTC and SEC) often look to state appellate rulings to justify new federal cybersecurity mandates. The Bland standard is currently the most aggressive definition of “Reasonable Effort” in the U.S.
What Must Companies Do to Safeguard Their Cybersecurity?
- Be sure to have cybersecurity in place – cyber attacks will happen, so doing your best to prevent them is step 1
  - Multi-factor Authentication: MFA is an early cybersecurity measure to prevent cyber attack breaches
  - Continuous Monitoring: 24/7 monitoring to detect threats in real time
- Be sure to secure your data – if attackers get past your cyber defenses, make it difficult for them to steal your data
  - Zero-Trust Architecture: silo your systems and networks to make it hard for attackers to move from one area to another in your network
  - Encrypted Backups: Ensure that even if you are hit, your data (and your liability) remains protected.
- Third-Party Audits: Keep documentation of “Reasonable Effort” so you have a “Safe Harbor” defense ready if you ever have to defend against a lawsuit.
With this recent Georgia appellate court ruling in Bland, “standard IT security” or even minimal cybersecurity may not be enough against a lawsuit. Cyber attacks will happen, and in the age of AI, cyber attacks can happen agentically. Preventing attacks is step 1. Preventing data breaches and data being stolen is step 2. Documentation of your cybersecurity efforts gives you extra protection.
Welltec Defense Cybersecurity
Welltec Defense offers comprehensive IT and cybersecurity solutions to help ensure your company is protected with documented cybersecurity measures. Whether you need to secure your IT infrastructure, connect your IT and cybersecurity processes into one efficient system, or need encrypted backups and SOC monitoring, Welltec Defense is ready to help your firm.
Source Citations & Reference List
- Bland v. Urology of Greater Atlanta, LLC, No. A25A1133, 2025 WL 2826837 (Ga. Ct. App. Oct. 6, 2025).
- Official Code of Georgia Annotated (O.C.G.A.) § 10-1-910 et seq. (Georgia Personal Identity Protection Act).
- Collins v. Athens Orthopedic Clinic, P.A., 307 Ga. 555, 837 S.E.2d 310 (2019).
- Department of Justice v. Georgia Tech Research Corp., (N.D. Ga. 2024).
Legislation & Regulatory Updates
- Georgia Senate Bill 111 (2025-2026 Session): Georgia Consumer Privacy Protection Act.
- Georgia Senate Bill 68 (2025): Tort Reform Legislation.
- NIST Cybersecurity Framework (CSF) 2.0: The industry standard used by Georgia courts to define “Reasonable Effort” and “Due Care” in cybersecurity infrastructure.
- CIS (Center for Internet Security) Critical Security Controls: Often cited by cyber insurance carriers as the minimum baseline for insurability and “foreseeable risk” mitigation.