Protection of Personal Digital Data is Common Law
In a recently issued opinion by the United States Court of Appeals for the Eleventh Circuit, Ramirez v. The Paradies Shops, LLC, the court found that a plaintiff may allege negligence under common law for an employer’s failure to protect the personal, sensitive information of an employee.
The facts of the case are all too common. A large employer collected a substantial amount of personal information from employees at the time of hiring and maintained that information in a database. The employer suffered a data breach and the database was compromised.
The plaintiff sued in federal court in the Northern District of Georgia. The trial court applied Georgia state law and dismissed the case, finding that the plaintiff had failed to state a claim for negligence. The plaintiff appealed.
The appellate court in its opinion stated that “[w]ithout clear guidance from Georgia courts on the asserted duty to safeguard PII, we must ‘apply traditional tort law’ to Ramirez’s alleged injury to determine whether Paradies owed him a duty of care.” The court specifically defended itself against the argument that it was creating a new duty:
While we will not impose “a new, judicially-created duty,” Rasnick v. Krishna Hosp., Inc., 690 S.E.2d 670, 674 (Ga. Ct. App. 2010), we are not bound by “a restrictive and inflexible approach” that “does not square with common sense or tort law.” Sturbridge Partners v. Walker, 482 S.E.2d 339, 340 (Ga. 1997) (discussing how to determine whether a risk is reasonably foreseeable).
Traditional negligence liability requires the plaintiff to meet a four-part test: (1) a duty of care; (2) breach of the duty; (3) causation of injury; and (4) damages. Because the case was dismissed at the pleading stage, the appellate court considered only the first two requirements.
In discussing a duty of care the court noted:
“Traditional negligence principles provide that the creator of a potentially dangerous situation has a duty to do something about it so as to prevent injury to others . . . that is, the creator has a duty to eliminate the danger or give warning to others of its presence.” City of Winder v. Girone, 462 S.E.2d 704, 705 (Ga. 1995).
The court opined that Paradies owes a duty of care to its employees under Georgia common law and that the facts were sufficiently pled to meet this requirement.
The court then considered foreseeability, and noted:
“Negligence is predicated on what should be anticipated, rather than on what happened, because one is not bound to anticipate or foresee and provide against what is unlikely, remote, slightly probable, or slightly possible.” Amos v. City of Butler, 529 S.E.2d 420, 422 (Ga. Ct. App. 2000).
The court noted that Paradies maintained the sensitive information of its employees on an unencrypted, internet-accessible database alongside that of tens of thousands of other current and former employees. The court offered its opinion:
Drawing on our judicial experience and common sense, we can reasonably infer that a company of Paradies’s size and sophistication—especially one maintaining such an extensive database of prior employees’ PII—could have foreseen being the target of a cyberattack.
The court concluded:
In short, while data breach cases present a “fairly new kind of injury,” Ramirez has sufficiently pled the existence of a special relationship and a foreseeable risk of harm. Collins, 837 S.E.2d at 316 n.7. As a result, Georgia’s traditional negligence principles are flexible enough to cover Ramirez’s allegations.
While the court noted that Ramirez had pled enough facts to survive a Rule 12(b)(6) motion to dismiss, surviving a motion for summary judgment may be much more difficult.
The case is a reminder to all employers that the duty to protect employees’ sensitive information may carry consequences beyond breach notification and offering credit monitoring. The unique employment relationship may create a duty on the employer to establish more robust cybersecurity controls over such information. If this information is maintained by a third-party provider, such as an HR SaaS platform, employers should review the protection the platform affords the data.