The Need for Enhanced Cyber and Privacy Safeguards

  • Published on Sep 8, 2023

New Circuit Court Opinion Highlights the Need for Enhanced Cyber and Privacy Safeguards 

Security experts have been preaching for years about the importance of implementing enhanced safeguards to protect against the risks of cyber-attacks. From defensible disposition policies to encryption measures, cyber preparedness cognoscenti have urged enterprises to be proactive in taking steps that can likewise mitigate harm from such attacks. Beyond the realm of information security, privacy professionals are sounding a similar voice of warning, particularly given the proliferation of domestic and cross-border data protection laws and penalties for noncompliance.  

Now the courts have joined the fray, with the U.S. Court of Appeals for the Eleventh Circuit in Ramirez v. Paradies Shops, LLC, 69 F.4th 1213 (11th Cir. 2023) allowing an individual whose personally identifiable information (“PII”) was stolen as part of a ransomware attack to pursue a putative class action lawsuit against his former employer for allegedly failing to take adequate cyber preparedness measures. Ramirez makes clear that organizations need to bolster their cyber and privacy protections, or they could face severe consequences both inside the courtroom and beyond.  

The 11th Circuit Allows Ramirez to Pursue Claims Against Paradies Shops 

The Ramirez case arises from Paradies Shops’ (“Paradies”) alleged failure to take appropriate steps to safeguard PII belonging to Ramirez and other employees. Ramirez never actually worked for Paradies; he instead worked for Hojeij Branded Foods (“HBF”), a company that Paradies acquired only after Ramirez’s employment with HBF had ended. During his employment with HBF, Ramirez shared his social security number and related confidential personal data with the company, PII that came into Paradies’s possession once it acquired HBF. Seven years after Paradies’s acquisition of HBF, Ramirez discovered that separate claims for pandemic unemployment relief had been filed in Kentucky and Rhode Island using his social security number. Those claims, made without Ramirez’s knowledge or permission, arose after hackers penetrated Paradies’s information systems and stole Ramirez’s social security number, along with the PII of other current and former Paradies employees.

Ramirez eventually filed suit against Paradies and sought damages arising from the company’s purported failure to take appropriate steps to safeguard PII belonging to Ramirez and Paradies’s other current and former employees. In his complaint, Ramirez alleged that Paradies failed to meet “industry standards appropriate to the nature of the sensitive, unencrypted” PII that it maintained. In addition, Ramirez pleaded that “Paradies could have prevented the data breach by properly securing and encrypting the files containing PII and destroying older data about former employees.” 

The district court dismissed the lawsuit, finding that Ramirez failed to properly allege foreseeability, i.e., that Paradies should have been aware of the rising number of data breaches and foreseen that its alleged failure to take adequate safeguards would have caused Ramirez and others harm. Nevertheless, the 11th Circuit disagreed and found that Ramirez had stated a negligence claim under Georgia law. The 11th Circuit concluded that Ramirez adequately pleaded a special relationship between himself (along with similarly situated current and former employees) and Paradies, together with “a foreseeable risk of harm” that arose from that relationship. Moreover, the 11th Circuit agreed with Ramirez that the ransomware attack at issue was, as alleged, reasonably foreseeable given Paradies’s apparent failure to implement “adequate security measures despite industry warnings and advice on how to prevent and detect ransomware attacks.” In reaching this determination, the court factored in the “size and sophistication” of the company—an enterprise with over 10,000 employees and more than $1 billion in revenue—in concluding that Paradies “could have foreseen being the target of a cyberattack.” 

The 11th Circuit also adopted a more lenient approach to pleading than the district court, opining that “data breach cases present unique challenges for plaintiffs at the pleading stage considering the circumstances.” Among other things, the court reasoned that a party such as Ramirez would not be able “to plead with exacting detail every aspect of Paradies’s security history and procedures that might make a data breach foreseeable,” particularly since companies maintain confidential “the details of its security procedures and vulnerabilities.” Furthermore, because the issue of “reasonable foreseeability” of a cyber-attack was a question “for a jury’s determination,” the 11th Circuit was reluctant to dismiss Ramirez’s negligence claim against Paradies at the pleadings stage. Nevertheless, the 11th Circuit did affirm dismissal of Ramirez’s claim for breach of implied contract against Paradies and signaled that Ramirez might face an uphill battle surviving a summary judgment challenge (“[g]etting past summary judgment may prove a tougher challenge”). 

Cyber and Privacy Preparedness Lessons for Enterprises 

The Ramirez suit will be one to watch to determine whether employees—both individually and as a class—can seek relief from their employers for failing to take adequate measures to safeguard their PII. In the meantime, organizations would be well served to assess their preparedness on information security and privacy and begin taking steps to address vulnerabilities on these fronts.  

When establishing a strong information security program, organizations should consider several components: 

  • Qualified cybersecurity leader. This individual is responsible for oversight of the entire program and provides strategic direction. This leader should guide the cyber team in day-to-day administrative duties and be the main point of contact while managing a security incident. A part-time Chief Information Security Officer is an acceptable choice when an organization may not have the capability to hire a full-time employee. 
  • Access to technical expertise. Having access to technical expertise is indispensable, both from a personnel standpoint as well as having the right tools in place. The cyber team would implement security controls, manage a security incident, and provide forensics support.  
  • Portfolio of security policies, processes, and procedures. This documentation provides guidance to personnel and communicates expectations. It could include (among other things) the following documents: an overall security policy, an acceptable use policy, an incident reporting process, and chain of custody procedures. In addition, training employees on the documentation is essential. Without training, neither executives nor operations-level employees can be expected to understand how to implement and follow the policies and processes that will enhance cyber security.
  • Cyber risk assessment. A cyber risk assessment documents the maturity of the security program, identifies critical data, and offers recommendations for improvement. Among other things, an assessment would help an organization determine its baseline and realize areas for improvement. In addition, an assessment often meets the requirements for certifications and cybersecurity insurance. 
  • Table-top exercise (TTX). This is a simulated event involving key personnel, especially business leaders, to practice desired behavior in the event of a data breach. The TTX raises awareness of the role each member of the team plays to ameliorate the impact of data breaches. 

Written by: Philip Favro & Naheed Bleecker