
► Properly Protecting Your Employees' Personal Information

If they have not already, employers should take steps now to properly protect the personal information of their employees. A recent decision from the U.S. 11th Circuit Court of Appeals clarifies that employers have a special relationship with their employees and owe a duty to their employees to protect the personal information collected because of their status as employees.

Because businesses are required to collect personal information, including sensitive personal information, to meet their obligations under various tax and business laws, businesses must be conscious of the need to implement measures to properly protect this data.

The facts

In October 2020, Paradies Shops, LLC, found itself in the unenviable position of many organizations—the victim of a ransomware attack. Also like many other ransomware victims, the company found itself the defendant in a class action lawsuit claiming that it breached its duties to employees and former employees by failing to protect their data from the ransomware attack.

Unlike many victims before it, however, Paradies Shops couldn’t side-step the litigation on a motion to dismiss. While the district court dismissed the complaint for failure to state a claim, the 11th Circuit found that Carlos Ramirez, a former employee, presented allegations sufficient to survive the motion to dismiss for a claim of negligence.

The 11th Circuit specifically stated that Georgia's tort law was sufficiently flexible to conclude Ramirez properly pleaded the claim. So, what made Ramirez's complaint different from others that were dismissed?

Ramirez worked for Hojeij Branded Foods for seven years, ending in 2014. At some point prior to October 2020, Hojeij was acquired by Paradies Shops, and Hojeij's employee database became the property of Paradies Shops. As part of his employment, Ramirez provided his employer with his social security number and other personally identifiable information, just as most employees are required to do when starting a new job.

In October 2020, Paradies Shops suffered the ransomware attack, and its investigation revealed that the threat actor had uploaded one or more files containing names and social security numbers of the employees and former employees in its database.

In early 2021, Ramirez learned that his social security number had been used to file a fraudulent COVID unemployment compensation claim. A few months thereafter (and several months after Paradies Shops' ransomware attack), Ramirez received notice from Paradies Shops that his social security number was one that had been acquired by the threat actor during the ransomware attack. Shortly after receiving notice from Paradies Shops, Ramirez sued Paradies Shops for negligence and breach of implied contract.

The complaint noted that Paradies Shops operated retail stores and restaurants, mostly in airports in the United States and Canada, and that it employs more than 10,000 people, which the court found demonstrated Paradies Shops wasn’t a small business.

At the time of the ransomware attack, Paradies Shops' database had names and social security numbers of more than 76,000 current and former employees. That database wasn’t encrypted and was accessible via the Internet.

The appeals court’s decision

The 11th Circuit stated that employers who are responsible for the employees' situation have a duty to provide assistance in these circumstances. The court further stated that when there is a special relationship, such as between an employer and employee, social policy justifies the imposition of a duty for the employer to assist the employee.

The duty is limited to damages that should be anticipated. Paradies Shops argued that the injury from the ransomware attack was the result of a third-party criminal action that wasn’t foreseeable, which the 11th Circuit acknowledged. The court also noted, however, that if the third-party attack could have been anticipated, the criminal act doesn’t insulate the company from liability.

The complaint alleged that Paradies failed to encrypt the database and failed to meet industry standards for cyber-security. It also alleged that given the nature of the business, the frequency of ransomware attacks (as indicated by industry warnings), and Paradies Shops' poor security policies, the ransomware attack could have been anticipated.

The 11th Circuit determined common sense indicated that Paradies Shops should have known a company of its size could be a target of a cyber-attack. It stated, "Given that foreseeability, Paradies is not shielded from liability by the intervening criminal act of the cybercriminals."

Acknowledging that foreseeability of the attack is usually a question for the jury, the 11th Circuit noted that, without discovery, employees only had the information the company gave them about the incident, and that the company has good reason to keep many details of the incident confidential, one of which is to maintain system security.

The 11th Circuit agreed that although a duty or lack thereof in this case "may well be better resolved by the legislative process," the complaint sufficiently alleges a duty that can be supported in a manner that is sufficient to survive a motion to dismiss. In reaching that conclusion, the 11th Circuit also stated that "getting past summary judgment may provide a tougher challenge . . . "

Bottom line

Whether the facts in this case were sufficient to make the attack foreseeable, and whether Paradies Shops' security policies failed to meet the standard of care necessary to protect the data of its employees, still have to be decided.

The fact that the complaint survived a motion to dismiss means that the cost of defending such claims and the overall cost of a data breach will increase for employers who suffer cyber-attacks that compromise employee information.

While no business can guarantee it won’t suffer a ransomware attack, the fact that a ransomware attack is considered foreseeable and that there is a duty to protect employee data should drive employers to evaluate their current security policies to ensure they meet the level of care required by that duty.

If you need assistance evaluating whether your current security measures are legally sufficient or whether your security measures meet the requirements of current data privacy laws, contact the author or any member of Burr & Forman's cybersecurity/data privacy team.

By India E. Vincent. Ms. Vincent is a partner of Burr & Forman LLP in Birmingham.

[9/2023]
