Employers Might Have a Duty of Care to Protect Employees from Cybertheft

Posted June 30, 2023

In an increasingly electronic world, the U.S. Court of Appeals for the Eleventh Circuit has found that an employer might owe employees a duty of care to protect their personal information from cybertheft. Although the decision was based on Georgia state law, we note that the legal principles for negligence claims are quite similar in other states, and courts in those states might find the Eleventh Circuit’s reasoning appealing.

In Ramirez v. The Paradies Shops, LLC, the individual, on behalf of himself and a class of similarly-impacted individuals, sued his former employer (who has over $1 billion in sales and 10,000 employees) for negligence following a ransomware attack in which current and former employees’ personally identifiable information (PII), including Social Security numbers, was obtained by the cybercriminals. The former employee argued that the company did not sufficiently protect the PII from a data breach by maintaining the PII in an unencrypted internet-accessible database without complying with industry standards of protection.

The Eleventh Circuit noted that, to bring a negligence claim under Georgia law, a defendant must owe the plaintiff a duty of care. Such a duty is owed to those with whom the defendant has a special relationship. Here, the Eleventh Circuit found that the employer obtained the PII as a condition of employment and “employers are typically expected to protect their employees from foreseeable dangers related to their employment.” The Eleventh Circuit then went on to find that a company of the employer’s size and sophistication that was maintaining an extensive database of current and former employee PII could have reasonably foreseen being the target of a cyberattack. Thus, the Eleventh Circuit found that the former employee could sustain a negligence claim against the company.

While this case involved a large, sophisticated company, it would be wise for all employers who receive and retain employee PII to take appropriate measures to protect it from cyberattacks. What is appropriate may depend on the situation, but it seems that, at a minimum, employers can certainly take basic measures, like encrypting the information and ensuring that it is not internet-accessible.

Employers Might Have a Duty of Care to Protect Employees from Cybertheft

NEWS & EVENTS

Webinar: Complying with Maryland’s New Employment Laws – 2024

Teresa Teare presented a session on “Hot Topics in Employment Law for Women Attorneys” at the Women’s Bar Association of Maryland’s annual conference

Fiona Ong participated on a panel at Princeton University to speak to undergraduate students about legal careers

Fiona Ong, and Mark Swerdlin authored an article, “What to Expect from Maryland Paid Family and Medical Leave Program,”

Teresa Teare and Darryl McCallum recently spoke at the Maryland State Bar Association Labor & Employment Section’s bi-annual Employment Law Institute (ELI)

Teresa Teare was quoted in a April 25, 2024 Daily Record article, “MD employment law practitioners, organizations mixed on FTC noncompete ban.”

Fiona Ong and Jamie Salazer authored an article in Vol. 53, No. 1 of The Brief , “Are Employers Liable for Take-Home COVID-19 Claims?”

Fiona Ong has once again been recognized by Lexology as its “Legal Influencer” for Q1 2024

Shawe Rosenthal LLP Authors U.S. Chapter of The Legal 500: Employment & Labour Law Country Comparative Guide 2024