McFADDEN, Judge.
Stephen Kale Jenkins brought a tort action against Wachovia Bank, N.A., Wells Fargo Bank, N.A., and all predecessor and successor entities and John Doe corporations (collectively, the "Bank"), in which he alleged that a Bank teller had improperly accessed Jenkins's confidential information and given it to her husband, allowing the husband to steal Jenkins's identity. Pertinent to this appeal, Jenkins asserted claims that the Bank negligently failed to protect the information, breached a duty of confidentiality, and invaded his privacy. The trial court granted the Bank's motion for judgment on the pleadings. Because the well-pleaded allegations of Jenkins's complaint, taken as true, establish the elements of his negligence claim, we reverse the judgment on the pleadings as to that claim. Because Jenkins fails to assert in his complaint facts showing that the Bank owed him a confidential duty or invaded his privacy, we affirm the judgment on the pleadings as to the remaining claims.
A motion for judgment on the pleadings should be granted only if the moving party is clearly entitled to judgment. Sherman v. Fulton County Bd. of Assessors, 288 Ga. 88, 90, 701 S.E.2d 472 (2010). "[A]ll well-pleaded material allegations of the opposing party's pleading are to be taken as true, and all allegations of the moving party which have been denied are taken as false." (Citation and punctuation omitted.) Id. We
Construed in favor of Jenkins, the complaint contained the following allegations. Jenkins was a former customer of a financial institution acquired by the Bank, and the Bank maintained records containing his confidential information. The Bank "falsely represented to its customers and members of the general public that it created and implemented a system to adequately protect the private and personal identifying information entrusted to it by its customers and by customers of acquired financial institutions." A Bank teller "who had no need, business or otherwise[,] to any of [Jenkins's information], was nevertheless granted access to [that] information" by the Bank. The teller gave the information to her husband, whose last name also was "Jenkins" and who used the information to steal Jenkins's identity. This damaged his credit, hindered his efforts to obtain loans, required him to spend "enormous amounts of time and energy trying to correct false credit reports," and caused him emotional injury.
In granting judgment on the pleadings to the Bank, the trial court concluded that
1. Negligence. "In order to have a viable negligence action, a plaintiff must satisfy the elements of the tort, namely, the existence of a duty on the part of the defendant, a breach of that duty, causation of the alleged injury, and damages resulting from the alleged breach of the duty." (Citation omitted.) Rasnick v. Krishna Hospitality, 289 Ga. 565, 566, 713 S.E.2d 835 (2011). Jenkins argues that the facts alleged in his complaint demonstrate all of these elements, while the Bank contends that as a matter of law Jenkins cannot show that the Bank owed him a duty, that it breached that duty, or that any such breach caused the theft of his identity. As detailed below, we agree with Jenkins that the allegations of his complaint, taken as true, present a negligence claim, and that the trial court thus erred in granting judgment on the pleadings to the Bank as to this claim.
(a) Existence of a duty. In a negligence action, "[t]he legal duty is the obligation to conform to a standard of conduct under the law for the protection of others against unreasonable risks of harm.... The duty can arise either from a valid legislative enactment, that is, by statute, or be imposed by a common law principle recognized in the case law." (Citations omitted.) Rasnick, 289 Ga. at 566-567, 713 S.E.2d 835. As explained below, we agree with Jenkins that the Gramm-Leach-Bliley Act ("GLBA"), 15 USC § 6801 et seq., imposed a legal duty upon the Bank to protect Jenkins's confidential personal information.
The GLBA provides in pertinent part that "[i]t is the policy of the Congress that each financial institution has an affirmative and continuing obligation ... to protect the security and confidentiality of [its] customers' nonpublic personal information." 15 USC § 6801(a). Although the GLBA does not create a private right of action for a violation of its terms, Finnerty v. State Bank & Trust Co., 301 Ga.App. 569, 570(2), 687 S.E.2d 842 (2009), its plain language states that financial institutions have a duty to protect certain information of their customers. And OCGA § 51-1-6 authorizes a plaintiff to recover damages for the breach of a legal duty even when that duty arises from a statute that does not provide a private cause of action. See Landis v. Rockdale County, 206 Ga.App. 876, 879(2), 427 S.E.2d 286 (1992) (OCGA § 51-1-6 does not create a legal duty but defines a tort and authorizes damages when a legal duty is breached). OCGA § 51-1-6 states, "[w]hen the law requires a person to perform an act for the benefit of another or to refrain from doing an act which may injure another, although no cause of action is given in express terms, the injured party
The Bank cites Winter Park Condo. Ltd. Partnership v. Wachovia Bank, N.A., 2009 WL 290992 (M.D.Fla.2009), for the proposition that the GLBA does not impose upon it a duty to protect its customers' information. But the court in that case stated otherwise:
(Emphasis supplied.) Id. Thus, Winter Park Condo. Ltd. Partnership concerns a claim of breach of fiduciary duty based on the existence of a fiduciary relationship, not a claim of negligence based upon a duty of care imposed by the GLBA. And we are not persuaded by the Bank's cite to a federal magistrate court's report and recommendation, concurred in by the district court in Daniels v. Experian Information Solutions, 2009 WL 1811548 (S.D.Ga.2009). In concluding that no private right of action existed for alleged violations of the GLBA, the magistrate court relied upon the analysis in Winter Park Condo. Ltd. Partnership, which, as discussed above, did not concern the type of claim presented in this case. Daniels, supra. Moreover, the magistrate court did not address the application of OCGA § 51-1-6. Daniels, supra.
(b) Breach. The Bank argues that allowing a teller access to confidential customer information alone cannot demonstrate a breach of its duty to protect that information under the GLBA, emphasizing that tellers need access to customer information to perform their jobs. We must take as true, however, Jenkins's allegation that the teller in this case had no need for his information and that her access to it was unnecessary. We also must take as true Jenkins's allegations that the Bank failed to implement and follow security procedures regarding customer information, failed to protect that infonuation's confidentiality, failed to guard against its misuse, and failed to detect, report and stop its employee's suspicious activities regarding customer information. The question is not whether allowing a teller access to customer information alone can demonstrate a breach of the duty to protect that information, but whether allowing a teller unnecessary access to the information, combined with the other alleged failures of the Bank, can demonstrate a breach of the duty to protect that information. The facts alleged by Jenkins were sufficient to support a claim that the Bank breached its duty under theories of both negligence and negligence per se. See generally Groover v. Johnston, 277 Ga.App. 12, 13(1), 625 S.E.2d 406 (2005) (discussing elements of negligence per se).
(c) Causation. .Jenkins contends that the Bank's breach of its duty to protect his information proximately caused the theft of his identity, because the teller who improperly obtained the information gave it to her husband, the identity thief. The Bank responds that the acts of its employee and her husband broke the causal chain and precluded its liability as a matter of law.
(Citations and punctuation omitted; emphasis supplied.) Tucker Fed. Sav. & Loan Assn. v. Balogh, 228 Ga.App. 482, 484, 491 S.E.2d 915 (1997). But we cannot conclude that as a matter of law the intervening criminal act in this case—the wrongful appropriation and use of Jenkins's information by an identity thief—was an unforeseeable consequence of the Bank's alleged breach of its duty to protect that information. See Wachovia Bank of Ga. v. Reynolds, 244 Ga.App. 1, 4(l)(b), 533 S.E.2d 743 (2000) (where certificate of deposit account with bank was established by power of attorney with special instructions indicating potential incapacity of depositor, a third party's theft of depositor's money after he withdrew it without assistance was not unforeseeable as a matter of law; thus, court did not err in denying motion for directed verdict on claim that bank breached a duty by allowing depositor to withdraw the money unassisted). Compare Tucker Fed. Sav. & Loan Assn., 228 Ga.App. at 484, 491 S.E.2d 915 (bank robber's act of shooting bystander in parking lot of neighboring store after dye pack hidden among stolen money exploded during robber's attempted getaway was an intervening proximate cause of bystander's death; thus, as a matter of law, victim's death was not proximately caused by bank teller's act of including dye pack with money during robbery).
2. Breach of a Duty of Confidentiality. Jenkins alleged a separate claim that the Bank "breached [its] implied duty to [him] to keep and maintain his credit and identity information in confidence." He argues that he had a confidential relationship with the Bank by virtue of the GLBA. We disagree.
OCGA § 23-2-58 provides that
"Generally, there is no confidential relationship between a bank and its customers," Savu v. SunTrust Bank, 293 Ga.App. 683, 691(3), 668 S.E.2d 276 (2008), and we disagree with Jenkins's contention that the GLBA created such a confidential relationship as a matter of law. The language of the GLBA does not require such an interpretation, see Winter Park Condo. Ltd. Partnership, and such an interpretation would effectively do away with Georgia's general rule that the bank-customer relationship is not confidential. Moreover, Jenkins has not pled any special circumstances showing that he had a particular relationship of trust or mutual confidence with the Bank in this case. Cf. Morrell v. Wellstar Health System, 280 Ga.App. 1, 7-8(5), 633 S.E.2d 68 (2006) (dismissal of patients' claim against hospital was proper, where nonprofit hospitals generally have no fiduciary duty to patients vrith respect to prices charged for medical care, and the plaintiff patients did not claim that there were facts showing a particular relationship of trust or mutual confidence had been created between themselves and the hospital). We find no error in the court's grant of judgment on the pleadings as to the claim for breach of a duty of confidentiality.
(Citation omitted.) Johnson v. Allen, 272 Ga.App. 861, 863-864(1), 613 S.E.2d 657 (2005). Jenkins alleged that the Bank "allowed the intrusion into [his] private facts." But he did not plead any facts demonstrating that the Bank unreasonably pried or intruded into his private concerns, as required for a claim of invasion of privacy based upon intrusion. See Yarbray v. Southern Bell Tel., etc..
Judgment affirmed in part and reversed in part.
PHIPPS, P.J., and ANDREWS, J., concur.