A Common Law Duty to Protect PII?

Main Points

The Eleventh Circuit Court of Appeals determined in Ramirez v. The Paradies Shops LLC that under common law, employers have a duty to implement reasonable steps to safeguard sensitive personally identifiable information (PII) of current and former employees from foreseeable cyberattacks.

The decision was based on a case where a large employer kept unencrypted PII of tens of thousands of current and former employees in a database accessible from the internet. The cyberattack was foreseeable because of: (a) the employer's size and sophistication; (b) its extensive database of PII; and (c) the fact that the company was on notice of the type of attack that occurred.

Although the case was specifically adjudicated under Georgia law, the ruling has persuasive authority nationwide, given the similarities in common law across most states.

Case Background

Ramirez worked for Hojeij Branded Foods (HBF) from 2007 to 2014. After his departure, Paradies, a retailer and restaurant operator, acquired HBF and its database. Paradies experienced a data breach in 2020, compromising over 76,000 employees' PII, including Ramirez's Social Security number. Subsequently, unauthorized pandemic unemployment assistance claims were filed under Ramirez's name.

Ramirez then filed a class-action suit alleging that Paradies's negligence and breach of implied contract led to the unauthorized data breach. He claimed that the harm he suffered was a foreseeable result of Paradies's inadequate security practices and non-compliance with appropriate industry standards.

However, the district court granted Paradies's motion to dismiss these claims. It found Ramirez's negligence claim wanting because he did not adequately allege that Paradies could have foreseen the harm. Moreover, the breach of implied contract claim was dismissed as Ramirez failed to allege how Paradies or HBF manifested an intent to provide data security as part of an employment agreement. Ramirez then appealed these dismissals.

Argument

This was a diversity case that reviewed the district court's dismissal of Ramirez's claims and its application of Georgia law. The question before the court of appeals was whether Ramirez's complaint contains sufficient facts to state a claim for relief.

The case addressed Ramirez's negligence claim, focusing on Georgia's traditional tort principles and whether Paradies, the defendant, owed a duty of care to Ramirez. A negligence claim under Georgia law, as in other states, requires the plaintiff to allege a duty, a breach, causation, and damages.

Here, Ramirez conceded that Paradies did not owe him a statutory duty of care, so the court looked to Georgia's decisional law for the source of a duty. Ramirez's complaint centers on the duty to safeguard personally identifiable information (PII) and Paradies's alleged negligence in securing an internet-accessible database containing this PII. The court reversed the district court's dismissal, holding that Paradies had a duty to protect its employees' PII and that Ramirez sufficiently alleged the foreseeability of a data breach resulting from inadequate security measures.

Not So Fast

Ok. So, there's a catch. It is important not to read a sure-thing legal duty into this decision when that is not the case. The court is aware of this, and it was careful to distinguish between the standard needed to plead a complaint and the standard needed to survive a motion for summary judgment. It appropriately included this paragraph in its opinion towards the end: "As the Georgia Supreme Court has noted, 'traditional tort law is a rather blunt instrument for resolving all of the complex tradeoffs at issue in a case such as this, tradeoffs that may well be better resolved by the legislative process.' Nevertheless, having applied Georgia's traditional tort principles, we conclude Ramirez has pled facts giving rise to a duty of care on the part of Paradies. Getting past summary judgment may prove a tougher challenge, but Ramirez has pled enough for his negligence claim to survive a Rule 12(b)(6) motion to dismiss."
