Bring away: We have written several articles on the evolution of Georgia's common law in data breach litigation. In an article we reviewed the Georgia Supreme Court's decision in Department of Labor v. McConnell, 305 Ga. 812, 828 SE2d 352 (2019), which held that the Georgia Department of Labor owes no common law duty to an individual to protect his personally identifiable information (PII) – including his Social Security number – from inadvertent disclosure. See Data Breach Class Action Lawsuits – Georgia Supreme Court Rejects Duty to Protect Personal Information (June 28, 2019). In another article, we discussed the Georgia Supreme Court's decision in Collins v. Athens Orthopedic Clinic, PA, 307 Ga. 555, 837 SE2d 310 (2019), which held that the data breach plaintiffs suffered a cognizable injury had – and this was the case – where they claimed that there was an imminent and significant risk of identity theft as a result of the criminal theft of their personal information. See Data Breach Class Action Lawsuits – Georgia Supreme Court Finds Allegations of Imminent Threat of Identity Theft Sufficient to Establish Stand (January 13, 2020). In a recent case, Ramirez v. Paradies Shops, LLC, — F.4th —-, No. 22-12853, 2023 WL 3813881 (11th Cir. June 5, 2023), the Eleventh Circuit has its own way , distinguishing between the McConnell and Collins decisions and holding that in this case the employer had a common law duty to protect the personal information of current and former employees.
When Carlos Ramirez started working for Hojejj Branded Foods (HBF) in 2007, like most modern workers, he provided HBF with his personal information—including his Social Security number—as a condition of his employment. Ramirez, 2023 WL 3813881, at *1. After leaving HBF, Paradies Shops, LLC (Paradies) acquired HBF.
In 2020, Paradies suffered a ransomware attack in which hackers stole the social security numbers of its current and former employees. In 2021, Ramirez learned that applications for pandemic unemployment assistance that required the disclosure of Social Security numbers had been filed in his name in Kentucky and Rhode Island. ID. A few months later, Ramirez received notice from Paradies that his personal information had been exfiltrated in the 2020 ransomware attack (which occurred before the false unemployment claims were filed in his name). ID.
Ramirez then filed a putative class action lawsuit against Paradies, alleging claims including negligence and breach of contract. Paradies moved to dismiss on the grounds that it had no duty to Ramirez to protect his personal information under Georgia law for purposes of the negligence claim, and further argued that Ramirez failed to allege that there was an implied contract of trust between Paradies and Ramirez There has been a contract to protect his PII. ID. at 2 o'clock.
The Northern District of Georgia granted Paradies' motion to dismiss. On appeal, an Eleventh Circuit panel reversed the dismissal of Ramirez's negligence claim but affirmed the dismissal of the implied contract claim. ID. at *1, 5.
In analyzing whether there is a duty to protect information under Georgia law, the panel distinguished the “no duty” decision in the McConnell case. According to the panel, McConnell focused on an earlier Georgia Supreme Court ruling, Bradley Center v. Wessner, 250 Ga. 199, 296 SE2d 693 (1982), concluding that Bradley relied on a “special relationship” between the parties in this case and that Bradley did not support the existence of a Department of Labor duty to protect the provided a person's personal data. From the panel's perspective, McConnell declined to consider whether a duty might arise on other grounds. . . Common law source [apart from Bradley]since no such argument had been made in this case.” Ramirez, 2023 WL 3813881, at *3.
The panel also acknowledged the Georgia Supreme Court's ruling in Collins, where the court “recognized cognizable harm because criminal theft of Plaintiffs' personal information purportedly placed them at imminent and substantial risk of identity theft,” but did not agree the violation deals with customs issue. ID. Accordingly, the panel examined other Georgia common law sources to determine whether Paradies owed a duty to Ramirez to protect his personal information.
Citing a previous Georgia Supreme Court decision, the panel ruled: “[t]Traditional negligence principles hold that the perpetrator of a potentially dangerous situation has a duty to do something about it to prevent injury to others. . . that is, the creator has a duty to eliminate the danger or warn others of its presence.” ID card. (citing City of Winder v. Girone, 265 Ga. 723, 723-24, 462 SE2d 704, 705 (1995)). However, the scope of this duty is “generally limited to reasonably foreseeable risks of harm.” ID. at *4 (citing Maynard v. Snapchat, Inc., 313 Ga. 533, 537 n.3, 870 SE2d 739, 745 n.3 (2022)). The panel also noted that “while the intervening offense of a third person often exempts a defendant from liability for an original act of negligence, this rule does not apply if the defendant had reason to anticipate the offense.”
Based on these principles, the panel concluded that Ramirez had sufficiently pleaded cognizable duty and reasonable foreseeability and further agreed with Ramirez that “the district court required too much detail at the pleadings stage.” ID.
As for the duty, after reviewing the allegations in Ramirez's complaint, the panel concluded that Paradies had a duty to protect the personal information of current and former employees because of their “special relationship.” ID. As Ramirez claimed, employers are required to obtain their employees' personal information for business and tax purposes; Employees are required to disclose their personal information as a condition of employment; and Paradies created a potentially dangerous situation for this group by storing personal information in an unsecured database. The panel also noted that “employers are typically expected to protect their employees from foreseeable hazards associated with their employment.” ID.
The panel further concluded that Ramirez had adequately asserted foreseeability: “Based on our legal experience and common sense, we can reasonably conclude that a company of the size and skill of Paradies – particularly one that has such an extensive database personal data of former employees – could have been foreseen. “Being the target of a cyber attack.” ID card. The panel further criticized the district court's ruling that Ramirez failed to adequately plead foreseeability: “We cannot expect a plaintiff in Ramirez's position to challenge every aspect of Paradies's security history and practices, the one.” data breach could make a data breach foreseeable, particularly when “The question of reasonable foreseeability of a criminal attack is generally a matter for a jury to decide, rather than for summary judgment by the courts.” Id. at 5.
The panel concluded that “Ramirez has adequately pleaded the existence of a special relationship and a foreseeable risk of harm” and that “Georgia's traditional negligence principles are flexible enough to cover Ramirez's allegations.” ID. But the panel affirmed the dismissal of the implied contract claim: “I agree[ing] with the district court that Ramirez has not alleged any facts from which we could infer that HBF has agreed to be bound by any data retention or privacy policy.” ID.
