New Circuit Court Opinion Highlights the Need for Enhanced Cyber and Privacy Safeguards
Security experts have been preaching for years about the importance of implementing enhanced safeguards to protect against the risks of cyber-attacks. From defensible disposition policies to encryption measures, cyber preparedness cognoscenti have urged enterprises to be proactive in taking steps that can likewise mitigate harm from such attacks. Beyond the realm of information security, privacy professionals are sounding a similar voice of warning, particularly given the proliferation of domestic and cross-border data protection laws and penalties for noncompliance.
Now the courts have joined the fray, with the U.S. Court of Appeals for the Eleventh Circuit in Ramirez v. Paradies Shops, LLC, 69 F.4th 1213 (11th Cir. 2023) allowing an individual whose personally identifiable information (“PII”) was stolen as part of a ransomware attack to pursue a putative class action lawsuit against his former employer for allegedly failing to take adequate cyber preparedness measures. Ramirez makes clear that organizations need to bolster their cyber and privacy protections, or they could face severe consequences both inside the courtroom and beyond.
The Ramirez case arises from Paradies Shops’ (“Paradies”) alleged failure to take appropriate steps to safeguard PII belonging to Ramirez and other employees. Ramirez never actually worked for Paradies; he instead worked for Hojeij Branded Foods (“HBF”), a company Paradies acquired and only after Ramirez’s employment with HBF ended. During his employment with HBF, Ramirez shared his social security number and related confidential personal data with the company; PII that came into Paradies’s possession once it acquired HBF. Seven years after Paradies’s acquisition of HBF, Ramirez discovered that separate claims for pandemic unemployment relief were filed in Kentucky and Rhode Island using his social security number. Those claims, made without Ramirez’s knowledge or permission, arose after hackers penetrated Paradies’s information systems, stealing Ramirez’s social security number, along with the PII from other current and former Paradies employees.
Ramirez eventually filed suit against Paradies and sought damages arising from the company’s purported failure to take appropriate steps to safeguard PII belonging to Ramirez and Paradies’s other current and former employees. In his complaint, Ramirez alleged that Paradies failed to meet “industry standards appropriate to the nature of the sensitive, unencrypted” PII that it maintained. In addition, Ramirez pleaded that “Paradies could have prevented the data breach by properly securing and encrypting the files containing PII and destroying older data about former employees.”
The district court dismissed the lawsuit, finding that Ramirez failed to properly allege foreseeability, i.e., that Paradies should have been aware of the rising number of data breaches and foreseen that its alleged failure to take adequate safeguards would have caused Ramirez and others harm. Nevertheless, the 11th Circuit disagreed and found that Ramirez had stated a negligence claim under Georgia law. The 11th Circuit concluded that Ramirez adequately pleaded a special relationship between himself (along with similarly situated current and former employees) and Paradies, together with “a foreseeable risk of harm” that arose from that relationship. Moreover, the 11th Circuit agreed with Ramirez that the ransomware attack at issue was, as alleged, reasonably foreseeable given Paradies’s apparent failure to implement “adequate security measures despite industry warnings and advice on how to prevent and detect ransomware attacks.” In reaching this determination, the court factored in the “size and sophistication” of the company—an enterprise with over 10,000 employees and more than $1 billion in revenue—in concluding that Paradies “could have foreseen being the target of a cyberattack.”
The 11th Circuit also adopted a more lenient approach to pleading than the district court, opining that “data breach cases present unique challenges for plaintiffs at the pleading stage considering the circumstances.” Among other things, the court reasoned that a party such as Ramirez would not be able “to plead with exacting detail every aspect of Paradies’s security history and procedures that might make a data breach foreseeable,” particularly since companies maintain confidential “the details of its security procedures and vulnerabilities.” Furthermore, because the issue of “reasonable foreseeability” of a cyber-attack was a question “for a jury’s determination,” the 11th Circuit was reluctant to dismiss Ramirez’s negligence claim against Paradies at the pleadings stage. Nevertheless, the 11th Circuit did affirm dismissal of Ramirez’s claim for breach of implied contract against Paradies and signaled that Ramirez might face an uphill battle surviving a summary judgment challenge (“[g]etting past summary judgment may prove a tougher challenge”).
The Ramirez suit will be one to watch to determine whether employees—both individually and as a class—can seek relief from their employers for failing to take adequate measures to safeguard their PII. In the meantime, organizations would be well served to assess their preparedness on information security and privacy and begin taking steps to address vulnerabilities on these fronts.
When establishing a strong information security program, organizations should consider several components: