Thomas McConnell filed this class action against the Georgia Department of Labor, alleging several tort claims in connection with the Department's disclosure of personal information of McConnell and the proposed class members. After a hearing, the Superior Court of Cobb County granted the Department's motion to dismiss McConnell's complaint for failure to state a claim upon which relief can be granted. McConnell appealed, and, in McConnell v. Ga. Dept. of Labor , 337 Ga. App. 457 , 787 S.E.2d 794 (2016), we affirmed. The Supreme Court of Georgia granted a writ of certiorari to consider, inter alia, whether this Court erred "in not addressing the trial court's holding that McConnell's tort claims were barred by sovereign immunity, which is a jurisdictional issue, before addressing the merits of those claims." 1 The Supreme Court held that we *793 did err in this manner, vacated our decision, and remanded with direction that we "make the threshold determination of whether the trial court erred in its holding that McConnell's claims are barred by sovereign immunity." McConnell v. Ga. Dept. of Labor , 302 Ga. 18 , 805 S.E.2d 79 (2017). For the reasons explained below in Division 1, we conclude that the trial court did err in so holding and reverse the judgment in relevant part. Because the trial court did not err in dismissing McConnell's complaint on the basis that it fails to state a claim upon which relief can be granted, as explained below in Divisions 2 through 4, we affirm the judgment in part in this regard.

In his complaint, McConnell alleges that a Department employee, while acting within the scope of his official duties or employment, sent an email to approximately 1,000 Georgians who had applied for unemployment benefits or other services administered by the Department. The email included a spreadsheet that listed the name, social security number, home phone number, email address, and age of over 4,000 Georgians who had registered for Department services, including McConnell. 2 McConnell alleges that the employee's conduct constituted the torts of negligently disclosing "personal information" as defined under Georgia law, breach of fiduciary duty, and invasion of privacy (public disclosure of private facts). McConnell seeks economic damages, specifically, out-of-pocket costs related to credit monitoring and identity protection services and damages resulting from the adverse impact to his credit score from the closing of accounts. In addition, he seeks damages for the "fear, upset, anxiety and injury to peace and happiness related to the disclosure of [his] personal identifying information, as the disclosure of personal identifying information had provided all the raw material necessary to facilitate the theft of [his identity] and unauthorized charges upon [his] credit or bank accounts." He does not allege that an act of identity theft has yet occurred.

1. McConnell contends that the trial court erred in holding that the state has not waived its sovereign immunity pursuant to the Georgia Tort Claims Act, OCGA §§ 50-21-20 through 50-21-37, for the type of losses that he alleges in his claims. 3

With regard to tort claims against the state, the General Assembly adopted the Act for the express purpose of "balanc[ing] strict application of the doctrine of sovereign immunity," which, in its breadth, 4 "may produce *794 inherently unfair and inequitable results, against the need for limited exposure of the state treasury to tort liability." (Citation and punctuation omitted.) Bd. of Regents of Univ. Sys. of Ga. v. Myers , 295 Ga. 843 , 845, 764 S.E.2d 543 (2014). 5 Under the Act, the state waives its sovereign immunity with respect to actions brought in Georgia courts "for the torts of state officers and employees while acting within the scope of their official duties or employment and shall be liable for such torts in the same manner as a private individual or entity would be liable under like circumstances[,]" subject to exceptions and limitations set forth in the Act. OCGA § 50-21-23 (a). A "claim" under the Act is defined as "any demand against the State of Georgia for money only on account of loss caused by the tort of any state officer or employee committed while acting within the scope of his or her official duties or employment." OCGA § 50-21-22 (1). OCGA § 50-21-22 (3) provides: " 'Loss' means personal injury; disease; death; damage to tangible property, including lost wages and economic loss to the person who suffered the injury, disease, or death; pain and suffering; mental anguish; and any other element of actual damages recoverable in actions for negligence."

"Because sovereign immunity is not an affirmative defense, but rather a privilege that is subject to waiver by the State, the party seeking to benefit from that waiver has the burden of establishing the waiver of sovereign immunity." (Citations and footnote omitted.) Williams v. Ga. Dept. of Corrections , 338 Ga. App. 719 , 720 (1), 791 S.E.2d 606 (2016). "We review de novo a trial court's denial of a motion to dismiss based on sovereign immunity grounds, which is a matter of law." (Citation and punctuation omitted.) Ga. Dept. of Transp. v. King , 341 Ga. App. 102 , 103, 798 S.E.2d 492 (2017).

(a) Economic damages/financial harm . With regard to McConnell's alleged economic damages, the Department argues that sovereign immunity is waived under the Act only for a "loss" as that term is defined in the Act and that McConnell has not suffered such a loss. Specifically, the Department argues, based on the definition of "loss" in OCGA § 50-21-22 (3), that the Act "expressly limits the recovery of economic damages to a plaintiff who has also suffered a personal injury, disease, death." Because McConnell alleges that he suffered economic damages as a result of the Department's email disclosure, but does not allege that the email disclosure "caused him to suffer a disease, death, or injury to his person[,]" the Department contends, McConnell cannot recover economic losses under the Act.

The Department's strained reading of OCGA § 50-21-22 (3) cannot be supported because the subsection, after giving specific examples of injuries that are actionable, expansively adds "any other element of actual damages recoverable in actions for negligence." In Dept. of Transp. v. Montgomery Tank Lines, Inc. , 276 Ga. 105 , 575 S.E.2d 487 (2003), the Supreme Court of Georgia considered the effect of that "broad last clause in § 50-21-22 (3)" and rejected the agency's proposed narrow reading. Id. at 107-108 (1), 575 S.E.2d 487 . The Supreme Court found that, notwithstanding that the losses specifically listed (personal injury; disease; death; damage to tangible property; pain and suffering; and mental anguish) are all so-called "first-party losses," the "term of enlargement" (that is, the phrase "any other element of actual damages recoverable in actions for *795 negligence") is "specific and unambiguous and requires a broader meaning than that attributed to it" by the agency. Id. at 107 (1), 575 S.E.2d 487 . The Supreme Court explained: "[c]learly, an action for contribution and indemnification is an action for negligence, and the damages that the contribution plaintiffs seek to recover are unquestionably an element of actual damages[.]" Id. at 107 (1), 575 S.E.2d 487 . The Supreme Court found that the concluding phrase of the "loss" definition means that sovereign immunity is not waived only for a person who directly suffers the personal injury, disease, death, or other loss but is broad enough to include claims for contribution and indemnification. Id. at 108 (1), 575 S.E.2d 487 . Furthermore, the Supreme Court concluded, the fact that the waiver of sovereign immunity is subject to specific "exceptions" set forth in OCGA § 50-21-24, and that contribution and indemnity actions are not listed as exceptions, "further buttresses the conclusion that such actions against the State are not categorically precluded by the [Act]." Id.

Similarly, we conclude in this case that the catch-all phrase, "any other element of actual damages recoverable in actions for negligence," requires a broader meaning than that attributed to it by the Department. See Dept. of Transp. v. Montgomery Tank Lines, Inc. , 276 Ga. at 107-108 (1), 575 S.E.2d 487 . The General Assembly certainly could have modified "any other element of actual damages recoverable in actions for negligence" with "sustained by a person who suffered injury, disease, or death" if it had intended to limit the final phrase in this way. 6 Based on the express terms of OCGA § 50-21-22 (3) and the cases cited herein, we conclude that losses under the Act may include economic losses suffered by a plaintiff who has not also suffered a personal injury, disease, or death.

In a related vein, the Department contends that any time, effort, and money that McConnell allegedly spent monitoring his credit is not an actual injury that is recoverable in negligence cases. Acknowledging that Georgia courts have not addressed whether obtaining credit monitoring services after the disclosure of confidential information constitutes a cognizable injury, the Department contends that courts in other jurisdictions have rejected such claims. In addition, the Department contends that McConnell cannot recover for an increased risk of future identity theft because such risk does not constitute an element of actual damages that is recoverable under Georgia law. 7 Because McConnell alleged damages resulting in part from the adverse impact to his credit score from the closing of accounts, we cannot say that he seeks compensation only for credit-monitoring expenses or the risk of future economic damages from identity theft. Whether McConnell can prove that he has suffered financial harm as a result of the adverse impact to his credit score from the closing of accounts is not a question to be resolved at this threshold. See Upper Oconee Basin Water Auth. v. Jackson County , 305 Ga. App. 409 , 412 (1), 699 S.E.2d 605 (2010) ("A motion to dismiss asserting sovereign immunity is based upon the trial court's lack of subject matter jurisdiction, rather than the merits of the plaintiff's claim.") (citation and punctuation omitted); Dept. of Transp. v. Dupree , 256 Ga. App. 668 , 671 (1), 570 S.E.2d 1 (2002) (accord). 8

*796 (b) Mental anguish . With regard to McConnell's claims for damages for his continuing fear and anxiety of potential identity theft in the future, the Department invokes Georgia's so-called "impact rule," arguing that "[t]he 'impact rule' states that '[i]n a claim concerning negligent conduct, a recovery for emotional distress is allowed only where there is some impact on the plaintiff, and that impact must be a physical injury[,]' " quoting Ryckeley v. Callaway , 261 Ga. 828 , 412 S.E.2d 826 (1992). To the extent the Department suggests that the impact rule applies to any claim concerning negligent conduct, this is incorrect. To the contrary, the impact rule applies specifically to claims for negligent infliction of emotional distress. See Coon v. Medical Center, Inc. , 300 Ga. 722 , 734 (4), 797 S.E.2d 828 (2017) ; Bruscato v. O'Brien , 307 Ga. App. 452 , 457 (1), 705 S.E.2d 275 (2010), aff'd, 289 Ga. 739 , 715 S.E.2d 120 (2011) ; Clarke v. Freeman , 302 Ga. App. 831 , 836 (1), 692 S.E.2d 80 (2010) ; Charles R. Adams, Ga. Law of Torts § 29:2 (b) (updated December 2017). The Department has not shown that Georgia law requires proof that a plaintiff suffered a physical impact and a physical injury in order to recover for the claims McConnell alleges-negligent disclosure of personal information, invasion of privacy, and breach of fiduciary duty-even where the alleged damages include emotional harm.

Having found no merit in any of the Department's arguments, as explained above, we conclude that McConnell carried his burden of showing that the trial court had subject matter jurisdiction over his claims for negligently disclosing personal information, breach of fiduciary duty, and invasion of privacy, which are tort claims that are not excepted from the waiver of sovereign immunity for tort claims pursuant to the Act, 9 and which are based on the conduct of state officers and employees while acting within the scope of their official duties or employment. Accordingly, the trial court erred in granting the Department's motion to dismiss McConnell's claims on the basis of the bar of sovereign immunity. The judgment is therefore reversed in relevant part. McCoy v. Ga. Dept. of Admin. Svcs. , 326 Ga. App. 853 , 858, 755 S.E.2d 362 (2014) ; Williamson v. Dept. of Human Resources , 258 Ga. App. 113 , 116 (1), 572 S.E.2d 678 (2002) ; McCrary Engineering Corp. v. City of Bowdon , 170 Ga. App. 462 , 466 (1), 317 S.E.2d 308 (1984).

Because the threshold issue of sovereign immunity is decided in favor of the trial court having had subject matter jurisdiction, we must again consider the merits of McConnell's claims.

2. McConnell contends that the trial court erred in ruling that he failed to state a claim for negligent disclosure of personal information, based, inter alia, on its determination that as a matter of law "there is no legal duty [under Georgia law] to safeguard personal information."

[A] motion to dismiss for failure to state a claim upon which relief may be granted should not be sustained unless (1) the allegations of the complaint disclose with certainty that the claimant would not be entitled to relief under any state of provable facts asserted in support thereof; and (2) the movant establishes that the claimant could not possibly introduce evidence within the framework of the complaint sufficient to warrant a grant of the relief sought. If, within the framework of the complaint, evidence may be introduced which will sustain a grant of the relief sought by the claimant, the complaint is sufficient and a motion to dismiss should be denied. In deciding a motion to dismiss, all pleadings are to be construed most favorably to the party who filed them, and all doubts regarding such pleadings must be resolved in the filing party's favor. On appeal, a trial court's ruling on a motion to dismiss for failure to state a claim for which relief may be granted is reviewed de novo.

*797 (Citation and punctuation omitted.) RES-GA McDonough, LLC v. Taylor English Duma LLP , 302 Ga. 444 , 807 S.E.2d 381 (2017).

In order to have a viable negligence action, a plaintiff must satisfy the elements of the tort, namely, the existence of a duty on the part of the defendant, a breach of that duty, causation of the alleged injury, and damages resulting from the alleged breach of the duty. The legal duty is the obligation

to conform to a standard of conduct under the law for the protection of others against unreasonable risks of harm. This legal obligation to the complaining party must be found, the observance of which would have averted or avoided the injury or damage; the innocence of the plaintiff is immaterial to the existence of the legal duty on the part of the defendant in that the plaintiff will not be entitled to recover unless the defendant did something that it should not have done, i.e., an action, or failed to do something that it should have done, i.e., an omission, pursuant to the duty owed the plaintiff under the law. The duty can arise either from a valid legislative enactment, that is, by statute, or be imposed by a common law principle recognized in the caselaw. The existence of a legal duty is a question of law for the court.

(Citations and punctuation omitted.) Rasnick v. Krishna Hospitality, Inc. , 289 Ga. 565 , 566-567, 713 S.E.2d 835 (2011). 10

McConnell contends that a common law duty exists to safeguard and protect the personal information of another and argues that OCGA §§ 10-1-393.8 and 10-1-910 help establish the duty of care to be exercised by those who collect or hold personal information. In OCGA §§ 10-1-910, the General Assembly set out legislative findings underlying the Georgia Personal Identity Protection Act, OCGA §§ 10-1-910 through 10-1-915 (the "GPIPA"), enacted in 2005. 11 In the GPIPA, the General Assembly found, inter alia, that "[t]he privacy and financial security of individuals is increasingly at risk, due to the ever more widespread collection of personal information by both the private and public sectors[,]" that "[i]dentity theft is one of the fastest growing crimes committed in this state[,]" and that "[i]dentity theft is costly to the marketplace and to consumers[.]" OCGA § 10-1-910 (1), (6). Because "[v]ictims of identity theft must act quickly to minimize the damage[,] ... expeditious notification of *798 unauthorized acquisition and possible misuse of a person's personal information is imperative." OCGA § 10-1-910 (7). In line with these findings, the GPIPA requires that affected persons be given certain notice of a data breach and the right and ability to place a security freeze on their credit report. 12 McConnell contends that in codifying these findings the General Assembly demonstrated its intent to protect citizens from the adverse effects of disclosure of personal information and created a general duty to preserve and protect personal information. Notably, however, despite the General Assembly's aspirational recognition of the harm caused by identity theft, the GPIPA does not proscribe any conduct in storing data or protecting data security. Rather the GPIPA proscribes particular conduct, that is, notification and the placement of a security freeze, only after a (known or suspected) data security breach has occurred. Because the GPIPA does not impose any standard of conduct in implementing and maintaining data security practices, we conclude that it can not serve as the source of a general duty to safeguard personal information. Wells Fargo Bank, N.A. v. Jenkins , 293 Ga. 162 , 165, 744 S.E.2d 686 (2013). 13

Similarly, we conclude that OCGA § 10-1-393.8, which is part of the Fair Business Practices Act of 1975 (the "FBPA") as amended, 14 can not serve as the source of such a general duty to safeguard and protect the personal information of another. That Code section provides that, except as otherwise provided, "a person, firm, or corporation shall not: ... [p]ublicly post or publicly display in any manner an individual's social security number.... '[P]ublicly post' or 'publicly display' means to intentionally communicate or otherwise make available to the general public[.]" OCGA § 10-1-393.8. As the trial court noted in the appealed order, the FBPA expressly prohibits intentionally communicating a person's social security number, while McConnell alleges that the Department negligently disseminated his SSN by failing "to take the necessary precautions required to safeguard and protect the personal information from unauthorized disclosure." Although the FBPA imposes a standard of conduct to refrain from intentionally and publicly posting or displaying SSNs, 15 a legal *799 duty to refrain from doing something intentionally is not equivalent to a duty to exercise a degree of care to avoid doing something unintentionally, which falls within the ambit of negligence. The trial court correctly concluded that McConnell's complaint is premised on a duty of care to safeguard personal information that has no source in Georgia statutory law or caselaw and that his complaint therefore failed to state a claim of negligence. Diamond v. Dept. of Transp. , 326 Ga. App. 189 , 195-196 (2), 756 S.E.2d 277 (2014).

Given the General Assembly's stated concern about the cost of identity theft to the marketplace and to consumers, as well as the fact that it created certain limited duties with regard to personal information (e. g., the duty to notify affected persons of data breaches and the duty not to intentionally communicate information such as SSNs to the general public), it may seem surprising that our legislature has so far not acted to establish a standard of conduct intended to protect the security of personal information, as some other jurisdictions have done in connection with data protection and data breach notification laws. 16 It is beyond the scope of judicial authority, however, to move from aspirational statements of legislative policy to an affirmative legislative enactment sufficient to create a legal duty. 17

*800 3. McConnell contends that the trial court erred in dismissing his breach of fiduciary duty claim for failure to state a claim upon which relief can be granted based on its determination that he had not shown that he had a particular relationship of trust or mutual confidence with the Department. "Establishing a claim for breach of fiduciary duty requires proof of three elements: (1) the existence of a fiduciary duty; (2) breach of that duty; and (3) damage proximately caused by the breach." (Citation and punctuation omitted.) Wells Fargo Bank, N.A. v. Cook , 332 Ga. App. 834 , 842 (1), 775 S.E.2d 199 (2015). "Any relationship shall be deemed confidential, whether arising from nature, created by law, or resulting from contracts, where one party is so situated as to exercise a controlling influence over the will, conduct, and interest of another or where, from a similar relationship of mutual confidence, the law requires the utmost good faith, such as the relationship between partners, principal and agent, etc." OCGA § 23-2-58.

McConnell argues that, because a fiduciary relationship, in addition to being created by statute or contract, may also be created by the facts of a particular case, a claim for breach of fiduciary duty is uniquely unsuitable for disposition via a motion to dismiss, when the plaintiff has not been able to conduct discovery. 18 In his complaint, McConnell alleged that a fiduciary duty arose when the Department required him to disclose confidential personal identification information in order to obtain services or benefits from the Department and that he reasonably placed his trust and confidence in the Department to safeguard and protect his information from public disclosure. He contends that the Department was "so situated as to exercise a controlling influence over ... [his] interest" because, unless he provided his personal information to the Department, he would not receive unemployment benefits, resulting in a fiduciary relationship.

In a recent case, a bank employee gave a customer's information to the employee's husband, which allowed her husband to steal the customer's identity. Jenkins v. Wachovia Bank, N.A. , 314 Ga. App. 257 , 724 S.E.2d 1 (2012), reversed in part on other grounds sub nom. Wells Fargo Bank, N.A. v. Jenkins , 293 Ga. 162 , 744 S.E.2d 686 (2013), and opinion vacated in part, 325 Ga. App. 376 , 752 S.E.2d 633 (2013). The customer sued the bank, asserting claims that the bank negligently failed to protect his personal information, breached a duty of confidentiality, and invaded his privacy. 314 Ga. App. at 257 , 724 S.E.2d 1 . The customer alleged that the bank "falsely represented to its customers and members of the general public that it created and implemented a system to adequately protect the private and personal identifying information entrusted to it by its customers[.]" Id. Noting that the bank-customer relationship generally is not a confidential relationship under Georgia law, this Court held that the plaintiff had not pled "any special circumstances showing that he had a particular relationship of trust or mutual confidence with [the bank]." Id. at 262 (2), 724 S.E.2d 1 . 19 ln other words, the fact that the plaintiff gave the bank his personal information *801 to receive services, and the bank promised to protect this information, did not create a confidential relationship under Georgia law.

McConnell contends that commercial relationships like the bank-customer relationship at issue in Jenkins v. Wachovia Bank, N.A. are fundamentally different from the relationship between him and the Department, given that a customer can choose another bank while a citizen like him, in order to obtain unemployment benefits, has no choice but to comply with the Department's demand to provide personal information. McConnell failed to identify any context, however, in which a fiduciary relationship has been deemed to arise between a citizen and an agency, based on a theory that the agency's status as a gatekeeper for government benefits places the agency in a position so as to exercise a controlling influence over the citizen's interest. This argument fails.

4. McConnell contends that the trial court erred in ruling that he failed to state a claim upon which relief can be granted for invasion of privacy, public disclosure of private facts, based, inter alia, on its determination that the elements of that tort cannot be satisfied unless the facts at issue are embarrassing private facts. McConnell argues that

Georgia law recognizes a variety of information as private and not subject to public disclosure, including certain financial and banking records, medical records, certain police records (particularly records of juvenile crime) and records related to status as a victim of a crime (particularly sexual assault). The law recognizes a claim for unauthorized disclosure of private information in these circumstances.

Under Georgia law,

there are four disparate torts under the common name of invasion of privacy. These four torts may be described briefly as: (1) intrusion upon the plaintiff's seclusion or solitude, or into his private affairs; (2) public disclosure of embarrassing private facts about the plaintiff; (3) publicity which places the plaintiff in a false light in the public eye; and (4) appropriation, for the defendant's advantage, of the plaintiff's name or likeness.

(Citation and punctuation omitted.) Bullard v. MRA Holding, LLC , 292 Ga. 748 , 751-752 (2), 740 S.E.2d 622 (2013). There are at least three necessary elements for recovery for

[p]ublic disclosure of embarrassing private facts about the plaintiff[,] ...: (a) the disclosure of private facts must be a public disclosure; (b) the facts disclosed to the public must be private, secluded or secret facts and not public ones; (c) the matter made public must be offensive and objectionable to a reasonable man of ordinary sensibilities under the circumstances.

Cabaniss v. Hipsley , 114 Ga. App. 367 , 372 (2), 151 S.E.2d 496 (1966). See also Thomason v. Times-Journal , 190 Ga. App. 601 , 604 (4), 379 S.E.2d 551 (1989) (accord).

In Cumberland Contractors, Inc. v. State Bank & Trust Co. , the plaintiffs claimed that the defendant bank's publication of their social security numbers could result in identify theft, credit card fraud, and other offenses that might damage them personally and financially. We held that such allegations

do not fall within the causes of action for invasion of privacy because there is no allegation that [the defendant] (1) intruded

into the [plaintiffs'] seclusion, (2) disclosed embarrassing private facts, (3) depicted the [plaintiffs] in a false light, or (4) appropriated the [plaintiffs'] name or likeness for [the defendant's] own advantage.

Cumberland Contractors, Inc. v. State Bank & Trust Co. , 327 Ga. App. 121 , 126 (2) (a), 755 S.E.2d 511 (2014). As a result, we held, the trial court properly dismissed the plaintiffs' claim for invasion of privacy for failure to state a claim for relief under Georgia law. Id. The trial court in this case properly dismissed McConnell's invasion of privacy claim for the same reason. Id. ; Jenkins v. Wachovia Bank, N.A. , 314 Ga. App. at 262-263 (3), 724 S.E.2d 1 20 ; Cabaniss v. Hipsley , 114 Ga. App. at 372 (2), 151 S.E.2d 496 .

*802 Judgment affirmed in part and reversed in part.

Senior Appellate Judge Herbert E. Phipps, concurs and Mercier, J., concurs specially in Division 1 and concurs fully in Divisions 2,3 and 4.*

*DIVISION 1 OF THIS OPINION IS PHYSICAL PRECEDENT ONLY. COURT OF APPEALS RULE 33.2 (a).

Mercier, Judge, concurring specially.

I concur specially with the majority's holding in Division 1. While I believe that the majority's adherence to and analysis of Department of Transp. v. Montgomery Tank Lines, Inc. , 276 Ga. 105 , 575 S.E.2d 487 (2003) is correct, I am concerned about the continued viability of Montgomery Tank Lines in light of the Supreme Court's recent decisions in Lathrop v. Deal , 301 Ga. 408 , 801 S.E.2d 867 (2017) and Georgia Department of Nat. Resources v. Center for a Sustainable Coast , Inc ., 294 Ga. 593 , 755 S.E.2d 184 (2014). However, any tension that may exist among these cases is not for this Court to resolve. I am constrained to agree with the majority's holding in Division 1. Therefore, I concur specially in Division 1. I concur fully in Divisions 2, 3 and 4.