If they have not already done so, employers must take steps now to properly protect their employees’ personal information. The Eleventh Circuit Court of Appeals decision in Ramirez v. Paradies Shops, LLC recognizes that employers have a special relationship with their employees and therefore owe a duty to their employees to protect personal information collected as a result of their employee status. 69 F.4th 1213 (11th Cir. 2023). Because companies are required to collect personal information, including sensitive personal information, in order to fulfill their obligations under various tax and business laws, companies should be aware of the need to properly implement measures to protect such data.
In October 2020, Paradies Shops, LLC found itself in the unenviable position of many organizations, falling victim to a ransomware attack. As is also the case with many other ransomware victims, Paradies Shops found itself a defendant in a class-action lawsuit alleging that it violated its duties to employees and former employees by failing to protect their data from and during the ransomware attack. However, unlike many of the victims before it, Paradies Shops was not able to end the litigation on its motion to dismiss. While the District Court dismissed the complaint for failure to state a claim, the Eleventh Circuit found that Carlos Ramirez, a former employee, made sufficient allegations for his negligence claim to survive the motion to dismiss. The Eleventh Circuit specifically stated that Georgia tort law was flexible enough to conclude that Ramirez had properly pleaded that claim. So what made Ramirez’s complaint different from other complaints that were dismissed?
Mr. Ramirez worked for Hejeij Foods Brands for seven years, ending in 2014. Sometime prior to October 2020, Hejeij was acquired by Paradies Shops, and the Hejeij employee database became the property of Paradies. As part of his job, Mr. Ramirez provided his employer with his Social Security number and other personally identifiable information, just as most employees are required to do when starting a new job.
In October 2020, Paradies Shops was hit by a ransomware attack, and its investigation revealed that the threat actor had uploaded one or more files containing the names and Social Security numbers of employees and former employees into its database.
In early 2021, Ramirez learned that his Social Security number had been used to file a fraudulent coronavirus unemployment claim. A few months later (and several months after the Paradies Shops ransomware attack), Ramirez received a notification from Paradies Shops that his Social Security number was one that the threat actor had obtained during the ransomware attack. Shortly after receiving notice from Paradies, Mr. Ramirez, on behalf of the class, sued Paradies for negligence and breach of implied contract.
The complaint indicated that Paradies Shops operated retail stores and restaurants, mostly in airports in the United States and Canada, and that Paradies employed more than 10,000 people, from which the court found that Paradies was not a small business. At the time of the ransomware attack, the Paradies Shops database contained the names and Social Security numbers of more than 76,000 current and former employees. This database was not encrypted and could be accessed over the Internet.
In considering whether the complaint survived the motion to dismiss, the Eleventh Circuit recited the requirement of Fed. R. Civ. P. 8(a)(2) that the complaint contain “a short and plain statement of the claim showing that the pleader is entitled to relief,” and the case law requiring Ramirez to plead facts establishing his entitlement to relief with more than “labels and conclusions” or a formulaic recitation of the elements of the cause of action. With that background, the Eleventh Circuit then reviewed the Georgia standard for a negligence claim.
In Georgia, the plaintiff must prove that the defendant had a duty, that the duty was breached, that there is a causal relationship between the breach and the alleged injury, and that damage resulted from the breach of duty. Ramirez, 69 F.4th 1213 (citing Rasnick v. Krishna Hosp., Inc., 713 S.E.2d 835, 837 (Ga. 2011)). The Court specifically stated that it was not applying a “new duty created by the judiciary” but that it is necessary to be flexible when applying existing standards.
Reviewing Georgia case law, the Eleventh Circuit stated that defendants who are responsible for placing defendants have a duty to provide assistance. However, the Court also stated that where there is a special relationship, such as that between an employer and an employee, social policy justifies imposing a duty on the employer to assist the employee.
The duty is limited to harm that could have been foreseen. Paradies Shops argued that the infection caused by the ransomware attack was the result of an unforeseeable third-party criminal act, an argument the Eleventh Circuit acknowledged. However, the court also noted that if the third-party attack could have been foreseen, the criminal act does not absolve the defendant of liability.
The complaint alleged that Paradies failed to encrypt the database and failed to meet industry standards for cybersecurity. It also claimed that given the nature of Paradies Shops’ business, the frequency of ransomware attacks, as indicated by industry warnings, and Paradies Shops’ poor security posture, the ransomware attack could have been foreseen.
The Eleventh Circuit relied on common sense in finding that Paradies should have known that a company of its size could be the target of a cyberattack. “Given this predictability, Paradies is not protected from liability for the intrusive criminal act of cybercriminals.” Ramirez, 69 F.4th at 1220. While acknowledging that the foreseeability of the attack is usually a question for the jury, the Eleventh Circuit indicated that, without discovery, the plaintiffs have only the information provided to them by the defendant about the incident, and that the defendant has good reason to keep many details of the incident secret, one of them being to keep its systems secure.
The Eleventh Circuit agreed that although the duty, or lack thereof, in this case “may be better resolved by the legislative process,” the complaint sufficiently alleges a duty that can be upheld under Georgia tort law in a manner sufficient to survive the motion to dismiss. Ramirez, 69 F.4th at 1221 (citing Collins, 837 S.E.2d at 316 n.7). In reaching this conclusion, the Eleventh Circuit also noted that getting past summary judgment may present a more difficult challenge. Ramirez, 69 F.4th at 1221.
It remains to be seen whether the facts in this case were sufficient to make the attack foreseeable and whether Paradies Shops’ security posture failed to meet the standard of care necessary to protect its employees’ data. However, the fact that the complaint survived the motion to dismiss means that the cost of defending such claims, and thus the overall cost of a data breach, will increase for employers suffering from cyberattacks that compromise employee information. While no company can guarantee that it will not be subjected to a ransomware attack, the fact that a ransomware attack is foreseeable and that there can be a duty to protect employee data should prompt employers to assess their current security posture to ensure that they meet the standard of care required by this duty.