Check Your Cyber-insurance: Employee Prevails In Stolen PII Case

There have been several important decisions concerning the development of common law in data breach litigation. Most recently, in Ramirez v. Paradies Shops, LLC, the Eleventh Circuit ruled that the employer had a common law duty to protect the personally identifiable information of present and former employees. A 2020 ransomware attack at Paradies resulted in the theft of the social security numbers of its current and former employees. A year later, Ramirez learned that pandemic unemployment assistance claims requiring social security numbers had been filed in his name. It wasn’t until months after that he was notified that his PII had been stolen in the 2020 attack. He filed a putative class action, alleging negligence and breach of implied contract. The defendant argued that it didn’t have a duty to safeguard PII under Georgia law. The district court agreed and granted a motion to dismiss. Relying on earlier Georgia decisions, an 11th Circuit panel reversed, ruling that “Ramirez has sufficiently pled the existence of a special relationship and a foreseeable risk of harm” and that “Georgia’s traditional negligence principles are flexible enough to cover Ramirez’s allegations.”