Earlier this month, the United States Court of Appeals for the Eleventh Circuit issued a decision restricting employers’ abilities to fight off putative class action claims regarding data breach and cyberattacks on employee personal identifying information (“PII”).
In Ramirez v. Paradies, the defendant-employer suffered a ransomware attack on its administrative systems where cybercriminals were able to obtain the Social Security Numbers current and former employees. Later, the Plaintiff in the case (Ramirez) was informed that unemployment assistance claims were filed under his name using his Social Security Number without his authorization. Ramirez filed a class action lawsuit claiming negligence and breach of implied contract. Ramirez argued the employer should have protected the PII of its employees and because of their failure to do so, he suffered annoyance, anxiety, increased risk of fraud and identity theft, and a diminution in the value of his PII. The district court granted the employer’s motion to dismiss for failure to state a claim on both issues.
The Eleventh Circuit reversed and remanded the district court’s decision on the negligence claim, determining the employer did owe a duty of care to its employees to protect PII under Georgia’s tort principles. The Eleventh Circuit in its decision stated, “[w]ithout clear guidance from Georgia courts on the asserted duty to safeguard PII, we must “apply traditional tort law.” The court went on to emphasize the longstanding principle that where there is a special relationship (i.e., an employer and their employee) between parties, a duty of care is owed.
The court also determined intervening criminal acts of a third party are not sufficient to insulate an employer from liability where the employer had “reason to anticipate the criminal act.” The court explained that the employer should have been able to anticipate the data breach as a reasonably foreseeable result of (1) the "size and sophistication" of the employer, which maintained a PII database of 75,000 current and former employees and had over $1 billion in sales and (2) failing to adhere to the abundance of industry warnings and advice on how to prevent and detect such an attack.
While this case is based on Georgia tort law, the tort principles applied by the Eleventh Circuit (the duty of care, the special relationship between employers and their employees, and the foreseeability of harm) likely extend to nearly every jurisdiction in the country. It is an important reminder for employers to be aware of these longstanding tort principles applying to protection of employee PII, and the importance of protecting such information.