Employers Might Have a Duty of Care to Protect Employees from Cybertheft


In an increasingly electronic world, the U.S. Court of Appeals for the Eleventh Circuit has found that an employer might owe employees a duty of care to protect their personal information from cybertheft. Although the decision was based on Georgia state law, we note that the legal principles for negligence claims are quite similar in other states, and courts in those states might find the Eleventh Circuit’s reasoning appealing.

In Ramirez v. The Paradies Shops, LLC, the individual, on behalf of himself and a class of similarly-impacted individuals, sued his former employer (who has over $1 billion in sales and 10,000 employees) for negligence following a ransomware attack in which current and former employees’ personally identifiable information (PII), including Social Security numbers, was obtained by the cybercriminals. The former employee argued that the company did not sufficiently protect the PII from a data breach by maintaining the PII in an unencrypted internet-accessible database without complying with industry standards of protection.

The Eleventh Circuit noted that, to bring a negligence claim under Georgia law, a defendant must owe the plaintiff a duty of care. Such a duty is owed to those with whom the defendant has a special relationship. Here, the Eleventh Circuit found that the employer obtained the PII as a condition of employment and “employers are typically expected to protect their employees from foreseeable dangers related to their employment.” The Eleventh Circuit then went on to find that a company of the employer’s size and sophistication that was maintaining an extensive database of current and former employee PII could have reasonably foreseen being the target of a cyberattack. Thus, the Eleventh Circuit found that the former employee could sustain a negligence claim against the company.

While this case involved a large, sophisticated company, it would be wise for all employers who receive and retain employee PII to take appropriate measures to protect it from cyberattacks. What is appropriate may depend on the situation, but it seems that, at a minimum, employers can certainly take basic measures, like encrypting the information and ensuring that it is not internet-accessible.