Ramirez v. The Paradies Shops, LLC

United States Court of Appeals, Eleventh Circuit
Jun 5, 2023
69 F.4th 1213 (11th Cir. 2023)

Summary

In Ramirez v. Paradies Shops, LLC, 69 F.4th 1213 (11th Cir. 2023), for example, the Eleventh Circuit reviewed the lower court's dismissal of the plaintiff's negligence action against his employer after a cyberattack compromised his PII.

Summary of this case from Hummel v. Teijin Auto. Techs.

Opinion

No. 22-12853

06-05-2023

Carlos RAMIREZ, on behalf of himself and all others similarly situated, Plaintiff-Appellant, v. The PARADIES SHOPS, LLC, a Georgia limited liability company, Defendant-Appellee.

Dylan Artell Bess, Morgan & Morgan, PA, Atlanta, GA, Ryan D. Maxey, Kenya Jamila Reddy, John Yanchunis, Morgan & Morgan, PA, Tampa, FL, for Plaintiff-Appellant. Paul J. Bond, Holland & Knight, LLP, Philadelphia, PA, Peter Hall, Holland & Knight, LLP, Atlanta, GA, for Defendant-Appellee.


Appeal from the United States District Court for the Northern District of Georgia, D.C. Docket No. 1:21-cv-03758-ELR

Before Jill Pryor and Dubina, Circuit Judges, and Covington, District Judge.

Covington, District Judge:

Honorable Virginia M. Covington, United States District Judge for the Middle District of Florida, sitting by designation.

Carlos Ramirez worked for a company later acquired by the Paradies Shops. He, like many employees, entrusted his employer with sensitive personally identifiable information (PII). In October 2020, Paradies suffered a ransomware attack on its administrative systems in which cybercriminals obtained the Social Security numbers of Ramirez and other current and former employees. Shortly after learning of the data breach, Ramirez brought claims for negligence and breach of implied contract on behalf of himself and those affected by the data breach, arguing Paradies should have protected the PII. He now appeals from the district court's order granting Paradies's motion to dismiss for failure to state a claim. He contends the district court demanded too much at the pleadings stage. With the benefit of oral argument, we agree in part. While we affirm the dismissal of the breach of implied contract claim, we reverse the district court's dismissal of Ramirez's negligence claim and remand for further proceedings.

I. BACKGROUND

According to Ramirez's complaint, he worked for Hojeij Branded Foods (HBF) from 2007 to 2014. After Ramirez left HBF, Paradies acquired HBF and its database of current and former employees. Paradies operates retail stores and restaurants primarily in airports throughout the United States and Canada. It has over $1 billion in sales and employs more than 10,000 people.

The employees of Paradies and the companies it acquired had to provide PII about themselves and their beneficiaries as a condition of employment. At the time of the data breach, Paradies maintained records containing the PII, including names and Social Security numbers, of more than 76,000 current or former employees.

The sensitivity of this type of PII, particularly Social Security numbers, is well-known. Once stolen, fraudulent use of that information—and the resulting damage to victims—can continue for years. Ramirez alleged he was careful with his sensitive information. He relied on Paradies, a sophisticated company, to similarly keep his PII confidential and securely maintained, to use the information only for business purposes, and to make only authorized disclosures.

Despite his precautions, in early 2021, state offices in Rhode Island and Kentucky informed Ramirez that pandemic unemployment assistance claims had been filed in his name. Neither claim was authorized, and both claims required the use of his Social Security number.

A few months later, Paradies notified Ramirez about a data breach incident. According to the notice, Paradies was the victim of a ransomware attack in October 2020, which affected "only an internal, administrative system." But the attacker uploaded records to third-party servers, and Paradies's investigation reflected that Ramirez's "name, as well as [his] Social Security Number, were contained in the file(s)."

Ramirez filed this putative class action on behalf of himself and those who had their data accessed as part of the data breach, asserting claims for breach of implied contract and negligence. Ramirez said that he spent time dealing with the data breach and suffered annoyance, anxiety, an increased risk of fraud and identity theft, and a diminution in the value of his PII. Ramirez alleged that the harms he suffered were a foreseeable result of Paradies's inadequate security practices and its failure to comply with industry standards appropriate to the nature of the sensitive, unencrypted information it was maintaining. He described data security recommendations from the United States government and Microsoft as examples of security procedures Paradies should have used. And he claimed that Paradies could have prevented the data breach by properly securing and encrypting the files containing PII and destroying older data about former employees. He asserted that Paradies knew or should have known that failing to do so involved a risk of harm even if the harm occurred through the criminal acts of a third party.

Ramirez also asserted claims for invasion of privacy and breach of confidence, but he withdrew those claims in response to Paradies's motion to dismiss. The district court treated those claims as abandoned, and Ramirez has not contested that on appeal.

Paradies moved to dismiss under Rule 12(b)(6), arguing that it did not owe Ramirez a duty to safeguard his data under Georgia law and that Ramirez failed to allege the terms of any implied contract.

The district court granted Paradies's motion to dismiss, finding Ramirez's negligence claim failed because he did not adequately allege that Paradies could have foreseen the harm. For guidance, the court looked to Purvis v. Healthcare, 563 F. Supp. 3d 1360 (N.D. Ga. 2021), in which another district court in Georgia found it was "common sense" that an entity receiving PII from patients and employees as a condition of medical care and employment had some obligation to protect that information from reasonably foreseeable threats. In this case, the district court reasoned that Ramirez's allegations of foreseeability were less specific than those in Purvis because Ramirez alleged neither that Paradies had actual knowledge of public announcements about data breaches nor any particular reason to be aware of them. The court also dismissed Ramirez's breach of implied contract claim because he did not allege how Paradies or HBF manifested an intent to provide data security as part of an employment agreement.

II. DISCUSSION

In this diversity case, we review de novo whether the district court correctly forecast and applied Georgia law in dismissing Ramirez's claims. See SA Palm Beach, LLC v. Certain Underwriters at Lloyd's London, 32 F.4th 1347, 1356 (11th Cir. 2022). We consider "whatever might lend [us] insight" to show how the Georgia Supreme Court would decide the issues at hand. Id. at 1356-57.

The district court in its order and the parties on appeal have elected, without a choice-of-law analysis, to rely on Georgia law, so we apply Georgia law as well. See AT&T Mobility, LLC v. NASCAR, Inc., 494 F.3d 1356, 1360 n.7 (11th Cir. 2007).

We accept the facts alleged in the complaint as true and construe them in the light most favorable to Ramirez, drawing on our judicial experience and common sense. See Resnick v. AvMed, Inc., 693 F.3d 1317, 1321-22, 1324 (11th Cir. 2012). At the pleading stage, a complaint must contain a "short and plain statement of the claim showing that the pleader is entitled to relief." Fed. R. Civ. P. 8(a)(2). "Plaintiffs must plead all facts establishing an entitlement to relief with more than 'labels and conclusions' or 'a formulaic recitation of the elements of a cause of action.' " Resnick, 693 F.3d at 1324 (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007)).

"The complaint must contain enough facts to make a claim for relief plausible on its face; a party must plead 'factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.' " Id. at 1324-25 (quoting Ashcroft v. Iqbal, 556 U.S. 662, 678, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009)). "A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged." Iqbal, 556 U.S. at 678, 129 S.Ct. 1937.

A. Negligence

In analyzing Ramirez's negligence claim, we first review Georgia's traditional tort principles regarding the existence of a duty of care. We then apply those principles to Ramirez's allegations.

i. Duty of Care

To state a viable negligence claim under Georgia law, a plaintiff must allege (1) a duty on the part of the defendant, (2) a breach of that duty, (3) causation of the alleged injury, and (4) damages resulting from the alleged breach of the duty. Rasnick v. Krishna Hosp., Inc., 289 Ga. 565, 713 S.E.2d 835, 837 (2011). Whether, and to what extent, the defendant owes the plaintiff a duty of care is a threshold question of law. City of Rome v. Jordan, 263 Ga. 26, 426 S.E.2d 861, 862 (1993). The duty can arise from a statute or "be imposed by a common law principle recognized in the caselaw." Rasnick, 713 S.E.2d at 837.

On appeal, Ramirez concedes that Paradies does not owe him a statutory duty of care, so we look to Georgia's decisional law for a duty. While we will not impose "a new, judicially-created duty," Rasnick v. Krishna Hosp., Inc., 302 Ga. App. 260, 690 S.E.2d 670, 674 (2010), we are not bound by "a restrictive and inflexible approach" that "does not square with common sense or tort law." Sturbridge Partners v. Walker, 267 Ga. 785, 482 S.E.2d 339, 340 (1997) (discussing how to determine whether a risk is reasonably foreseeable).

At the outset, the parties hotly contest the application of two recent Georgia Supreme Court cases, but neither case answers the duty of care question before us today. In Department of Labor v. McConnell, the Georgia Supreme Court disapproved "a purported common law duty 'to all the world not to subject [others] to an unreasonable risk of harm.' " 305 Ga. 812, 828 S.E.2d 352, 358 (2019) (quoting Bradley Ctr. v. Wessner, 250 Ga. 199, 296 S.E.2d 693, 695 (1982)) (explaining that language was neither a correct statement of the law nor controlling of the result in Bradley Center, "which was based on a 'special relationship' between the plaintiff and the defendant"). The court thus rejected McConnell's reliance on Bradley Center for the proposition that the Georgia Department of Labor owed him a duty "to safeguard and protect" his personal information, including his Social Security number, from inadvertent disclosure. Id. The court expressly declined to consider whether a duty might arise from any other statutory or common law source, as no such argument had been made in that case. Id. at 358 n.5.

The Georgia Supreme Court also rejected McConnell's argument that this duty arose under two Georgia statutes, O.C.G.A. §§ 10-1-393.8 and 10-1-910, but neither is relevant to this case.

Not long after that, in Collins v. Athens Orthopedic Clinic, P.A., the Georgia Supreme Court recognized a cognizable injury where a criminal theft of the plaintiffs' personal data allegedly put them at an imminent and substantial risk of identity theft. 307 Ga. 555, 837 S.E.2d 310, 316-18 (2019). But the Collins court also left the breach of duty issue for another day. Id. at 315-16 (noting that the "easier showing of injury" in cases "where the data exposure occurs as a result of an act by a criminal" "may well be offset by a more difficult showing of breach of duty").

Without clear guidance from Georgia courts on the asserted duty to safeguard PII, we must "apply traditional tort law" to Ramirez's alleged injury to determine whether Paradies owed him a duty of care. Id. at 316 n.7.

"A person is under no duty to rescue another from a situation of peril which the former has not caused." City of Douglasville v. Queen, 270 Ga. 770, 514 S.E.2d 195, 198-99 (1999) (quoting Alexander v. Harnick, 142 Ga.App. 816, 237 S.E.2d 221, 222 (1977)) (emphasis added). But, "if the defendant's own negligence has been responsible for the plaintiff's situation, a relation has arisen which imposes a duty to make a reasonable effort to give assistance, and avoid any further harm." Thomas v. Williams, 105 Ga.App. 321, 124 S.E.2d 409, 413 (1962) ("[W]hen some special relation exists between the parties, social policy may justify the imposition of a duty to assist or rescue one in peril."). Cf. CSX Transp., Inc. v. Williams, 278 Ga. 888, 608 S.E.2d 208, 209 (2005) (recognizing that policy plays an important role in fixing the bounds of a duty). In other words, "[t]raditional negligence principles provide that the creator of a potentially dangerous situation has a duty to do something about it so as to prevent injury to others . . . that is, the creator has a duty to eliminate the danger or give warning to others of its presence." City of Winder v. Girone, 265 Ga. 723, 462 S.E.2d 704, 705 (1995) (internal citations and quotation marks omitted).

Georgia courts have also long recognized duties arising out of the employer-employee relationship. See, e.g., CSX Transp., Inc., 608 S.E.2d at 209 ("Under Georgia statutory and common law, an employer owes a duty to his employee to furnish a reasonably safe place to work and to exercise ordinary care and diligence to keep it safe." (citation omitted)).

That said, for many types of negligent conduct, the scope of the duty owed by a defendant is "generally limited to reasonably foreseeable risks of harm." Maynard v. Snapchat, Inc., 313 Ga. 533, 870 S.E.2d 739, 745 n.3 (2022) (collecting cases). "Negligence is predicated on what should be anticipated, rather than on what happened, because one is not bound to anticipate or foresee and provide against what is unlikely, remote, slightly probable, or slightly possible." Amos v. City of Butler, 242 Ga.App. 505, 529 S.E.2d 420, 422 (2000).

Additionally, while the intervening criminal act of a third person will often insulate a defendant from liability for an original act of negligence, that rule does not apply when the defendant had reason to anticipate the criminal act. See Lillie v. Thompson, 332 U.S. 459, 460-62, 68 S.Ct. 140, 92 L.Ed. 73 (1947) (holding that employers have a duty to anticipate and protect their employees from foreseeable dangers at the work-place even though the danger came from the criminal act of a third party); Atl. C. L. R. Co. v. Godard, 211 Ga. 373, 86 S.E.2d 311, 315 (1955) (same); see also Doe v. Prudential-Bache/A.G. Spanos Realty Partners, L.P., 268 Ga. 604, 492 S.E.2d 865, 866 (1997) (landlord and tenants); Se. Stages v. Stringer, 263 Ga. 641, 437 S.E.2d 315, 318 (1993) (common carriers and passengers); Bradley Center, 296 S.E.2d at 696 (doctors and mental health patients); Restatement (Second) of Torts, § 302B, cmt. e. But Georgia courts will not expand traditional tort concepts merely because a harm is foreseeable. Rasnick, 713 S.E.2d at 839 ("[L]egal duty must be tailored so that the consequences of wrongs are limited to a controllable degree."); CSX Transp., 608 S.E.2d at 209-10; City of Douglasville, 514 S.E.2d at 198.

With these common law principles in mind, we turn to whether Ramirez stated a claim for negligence.

ii. Sufficiency of the Complaint

On appeal, Ramirez contends the district court asked for too much specificity at the pleading stage. We agree and reverse the district court's grant of Paradies's motion to dismiss with respect to Ramirez's negligence claim.

Paradies may not owe a duty to all the world, but it still owes a duty of care to those with whom it has a special relationship. See McConnell, 828 S.E.2d at 358; Thomas, 124 S.E.2d at 413. Employers must obtain sensitive PII about their employees for tax and business purposes, so it is no surprise HBF required Ramirez to disclose his Social Security number as a condition of employment. After Paradies acquired HBF's records, however, it allegedly maintained Ramirez's unencrypted PII in an internet-accessible database with tens of thousands of other current and former employees and failed to comply with industry standards to protect the PII from cyberattacks. Leaving this substantial database unsecured created a "potentially dangerous situation" whereby cybercriminals could improperly access and exploit this PII, so Paradies needed "to do something about it." City of Winder, 462 S.E.2d at 705. It is also significant that they were not strangers. Paradies (through HBF) obtained Ramirez's PII as a condition of employment, and employers are typically expected to protect their employees from foreseeable dangers related to their employment. Cf. CSX Transp., Inc., 608 S.E.2d at 209; Lillie, 332 U.S. at 462, n.4, 68 S.Ct. 140; Godard, 86 S.E.2d at 315.

Of course, any duty owed by Paradies is limited to reasonably foreseeable risks of harm. See CSX Transp., 608 S.E.2d at 209. Ramirez alleged that the data breach was reasonably foreseeable in light of Paradies's failure to take adequate security measures despite industry warnings and advice on how to prevent and detect ransomware attacks. And, with more than 10,000 current employees and $1 billion in sales, Paradies is far from a small business. See O.C.G.A. § 50-5-121(3) (providing that a "small business" has 300 or fewer employees or $30 million or less in gross receipts per year). Drawing on our judicial experience and common sense, we can reasonably infer that a company of Paradies's size and sophistication—especially one maintaining such an extensive database of prior employees' PII—could have foreseen being the target of a cyberattack. Resnick, 693 F.3d at 1324-25. Given that foreseeability, Paradies is not shielded from liability by the intervening criminal act of the cybercriminals. See Godard, 86 S.E.2d at 315.

In finding Ramirez had not sufficiently alleged foreseeability, the district court emphasized Ramirez did not allege that the threat of cyberattacks was especially well-known to Paradies or its type of business, that ransomware attacks were extremely common, or that Paradies knew it faced a particularly high risk of a data breach. But data breach cases present unique challenges for plaintiffs at the pleading stage. A plaintiff may know only what the company has disclosed in its notice of a data breach. Even if some plaintiffs can find more information about a specific data breach, there are good reasons for a company to keep the details of its security procedures and vulnerabilities private from the public and other cybercriminal groups. We cannot expect a plaintiff in Ramirez's position to plead with exacting detail every aspect of Paradies's security history and procedures that might make a data breach foreseeable, particularly where "the question of reasonable foreseeability of a criminal attack is generally for a jury's determination rather than summary adjudication by the courts." Sturbridge Partners, 482 S.E.2d at 341 (citation and quotation marks omitted). Under the circumstances, Ramirez did enough under the Twombly and Iqbal standard to plead foreseeability. See Resnick, 693 F.3d at 1324-25.

In short, while data breach cases present a "fairly new kind of injury," Ramirez has sufficiently pled the existence of a special relationship and a foreseeable risk of harm. Collins, 837 S.E.2d at 316 n.7. As a result, Georgia's traditional negligence principles are flexible enough to cover Ramirez's allegations.

B. Breach of Implied Contract

Ramirez's appeal from the dismissal of his breach of implied contract claim is easier to resolve. Generally, "to enforce a specific contract provision, a party must demonstrate a 'meeting of the minds' as to the key contract provisions." Iraola & CIA., S.A. v. Kimberly-Clark Corp., 325 F.3d 1274, 1285 (11th Cir. 2003). " 'If there is any essential term upon which agreement is lacking, no meeting of the minds of the parties exists, and a valid and binding contract has not been formed.' " Id. (quoting Auto-Owners Ins. Co. v. Crawford, 240 Ga.App. 748, 525 S.E.2d 118, 120 (1999)).

Notwithstanding the bare assertion that Paradies or HBF agreed to safeguard his PII by implied contract, we agree with the district court that Ramirez failed to allege any facts from which we could infer HBF agreed to be bound by any data retention or protection policy. Without those facts, Ramirez provides only "labels and conclusions" insufficient to plead a breach of implied contract. Resnick, 693 F.3d at 1324.

III. CONCLUSION

We recognize that policy plays an important role in fixing the bounds of a defendant's duty under Georgia law. As the Georgia Supreme Court has noted, "traditional tort law is a rather blunt instrument for resolving all of the complex tradeoffs at issue in a case such as this, tradeoffs that may well be better resolved by the legislative process." Collins, 837 S.E.2d at 316 n.7. Nevertheless, having applied Georgia's traditional tort principles, we conclude Ramirez has pled facts giving rise to a duty of care on the part of Paradies. Getting past summary judgment may prove a tougher challenge, but Ramirez has pled enough for his negligence claim to survive a Rule 12(b)(6) motion to dismiss.

The district court's dismissal of Ramirez's breach of implied contract claim is AFFIRMED. We REVERSE the dismissal of Ramirez's negligence claim and REMAND for further proceedings consistent with this opinion.


Summaries of

Ramirez v. The Paradies Shops, LLC

In Ramirez, the Eleventh Circuit was discussing the duty element of negligence while the present case turns on the pleading requirements for the breach element.

Summary of this case from Hummel v. Teijin Auto. Techs.