If they have not already, employers should take steps now to properly protect the personal information of their employees. The Eleventh Circuit Court of Appeals’ decision in Ramirez v. Paradies Shops, LLC clarifies that employers have a special relationship with their employees and as such owe a duty to their employees to protect the personal information collected as a result of their status as employees. 69 F.4th 1213 (11th Cir. 2023). Because businesses are required to collect personal information, including sensitive personal information, in order to meet their obligations under various tax and business laws, businesses must be conscious of the need to implement measures to properly protect this data.
In October 2020, Paradies Shops, LLC found itself in the unenviable position of many organizations, the victim of a ransomware attack. Also like many other ransomware victims, Paradies Shops found itself the defendant in a class action lawsuit claiming that it breached its duties to employees and former employees by failing to protect their data from and during a ransomware attack. However, unlike many victims before it, Paradies Shops was not able to side-step the litigation on a motion to dismiss. While the District Court dismissed the complaint for failure to state a claim, the Eleventh Circuit found that Carlos Ramirez, a former employee, presented allegations sufficient to survive the motion to dismiss for a claim of negligence. The Eleventh Circuit specifically stated that Georgia's tort law was sufficiently flexible to conclude Ramirez properly pleaded the claim. So what made Ramirez's complaint different from others that were dismissed?
Mr. Ramirez worked for Hojeij Branded Foods for seven years, ending in 2014. At some point prior to October 2020, Hojeij was acquired by Paradies Shops, and Hojeij's employee database became the property of Paradies Shops. As part of his employment, Mr. Ramirez provided his employer with his social security number and other personally identifiable information, just as most employees are required to do when starting a new job.
In October 2020, Paradies Shops suffered a ransomware attack, and its investigation revealed that the threat actor had uploaded one or more files containing names and social security numbers of the employees and former employees in its database.
In early 2021, Ramirez learned that his social security number had been used to file a fraudulent COVID unemployment compensation claim. A few months thereafter (and several months after Paradies Shops' ransomware attack), Ramirez received notice from Paradies Shops that his social security number was one that had been acquired by the threat actor during the ransomware attack. Shortly after receiving notice from Paradies Shops, Mr. Ramirez, on behalf of a class, sued Paradies Shops for negligence and breach of implied contract.
The complaint noted that Paradies Shops operated retail stores and restaurants, mostly in airports in the United States and Canada, and that Paradies Shops employs more than 10,000 people, which the Court found demonstrated Paradies Shops was not a small business. At the time of the ransomware attack, Paradies Shops' database had names and social security numbers of more than 76,000 current and former employees. That database was not encrypted and was accessible via the Internet.
Considering whether or not the complaint survived a motion to dismiss, the Eleventh Circuit quoted the requirement from Fed. R. Civ. P. 8 (a)(2) that a complaint contain a "short and plain statement of the claim showing that the pleader is entitled to relief," and case law requiring Ramirez "plead all facts establishing an entitlement to relief with more than 'labels and conclusions' or 'a formulaic recitation of the elements of a cause of action.'" In that context, the Eleventh Circuit then reviewed Georgia's standard for a negligence claim.
In Georgia, a Plaintiff must show that the defendant had a duty that was breached, that there is causation between the breached duty and alleged injury, and the damage resulted from the breach of the duty. Ramirez, 69 F.4th 1213 (citing Rasnick v. Krishna Hosp, Inc., 713 S.E.2d 835, 837 (Ga. 2011)). The Court specifically stated that it was not applying a "new, judicially-created duty" but it is necessary to be flexible when applying existing standards.
Reviewing Georgia case law, the Eleventh Circuit stated that defendants who are responsible for the plaintiffs' situation owe a duty to provide assistance. However, the Court also stated that when there is a special relationship, such as between an employer and employee, social policy justifies the imposition of a duty for the employer to assist the employee.
The duty is limited to damages that should be anticipated. Paradies Shops argued that the injury from the ransomware attack was the result of a third-party criminal action that was not foreseeable, which the Eleventh Circuit acknowledged. However, the Court also noted that if the third-party attack could have been anticipated, the criminal act does not insulate the defendant from liability.
The complaint alleged that Paradies failed to encrypt the database and failed to meet industry standards for cyber-security. It also alleged that given the nature of Paradies Shops' business, the frequency of ransomware attacks, as indicated by industry warnings, and Paradies Shops' poor security posture, the ransomware attack could have been anticipated.
The Eleventh Circuit determined common sense indicated that Paradies Shops should have known a company of its size could be a target of a cyber-attack. "Given that foreseeability, Paradies is not shielded from liability by the intervening criminal act of the cybercriminals." Ramirez, 69 F.4th at 1220. Acknowledging that foreseeability of the attack is usually a question for the jury, the Eleventh Circuit noted that, without discovery, Plaintiffs have only the information the Defendant has given them about the incident, and that a Defendant has good reason to keep many details of the incident confidential, one of which is to maintain system security.
The Eleventh Circuit agreed that although a duty or lack thereof in this case "may well be better resolved by the legislative process," the complaint sufficiently alleges a duty that can be supported under Georgia tort law in a manner that is sufficient to survive a motion to dismiss. Ramirez, 69 F.4th at 1221 (citing Collins, 837 S.E. 2d at 316, n.7). In reaching that conclusion, the Eleventh Circuit also states that that "[g]etting past summary judgment may provide a tougher challenge. . . ." Ramirez, 69 F.4th at 1221.
Whether or not the facts, in this case, were sufficient to make the attack foreseeable and whether or not Paradies Shops’ security posture failed to meet the standard of care necessary to protect the data of its employees still has to be decided. However, the fact that the complaint survived a motion to dismiss means that the cost of defending such claims, and thus the overall cost of a data breach, will increase for employers who suffer cyber-attacks that compromise employee information. While no business can guarantee it will not suffer a ransomware attack, the fact that a ransomware attack is considered foreseeable and that there can be a duty to protect employee data, should drive employers to evaluate their current security posture to ensure they meet the level of care required by that duty.