The Eleventh Circuit revived a putative data-breach class action in Ramirez v. Paradies Shops, LLC, No. 22-12853, _ F.4th _ (11th Cir. June 5, 2023), which a district court had dismissed for failure to state a claim under Georgia law. The opinion reflects a trend of expanding privacy protection and has already been cited in other cases.
The lead Ramirez plaintiff sued after his employer suffered a ransomware attack and his Social Security number was used to file unauthorized pandemic unemployment assistance claims. He asserted a negligence claim (among others) on the theory that the employer should have done more to protect its current and former employees’ personally identifiable information. The employer moved to dismiss, arguing that governing Georgia law did not impose a duty to safeguard that data from theft. And the district court granted the motion on the ground that the plaintiff had not adequately alleged that the harm was foreseeable.
The Eleventh Circuit reversed (in part) and held that the plaintiff had stated a plausible claim for relief under Georgia law. Although the state supreme court had not previously addressed the question, the Eleventh Circuit noted that “employers are typically expected to protect their employees from foreseeable dangers related to their employment” and reasoned that a large and sophisticated company “could have foreseen being the target of a cyberattack.” Because “data breach cases present unique challenges for plaintiffs at the pleading stage,” the court would not require a complaint to “detail every aspect of [a company’s] security history and procedures that might make a data breach foreseeable, particularly where ‘the question of reasonable foreseeability of a criminal attack is generally for a jury’s determination rather than summary adjudication by the courts’” (quoting Sturbridge Partners, Ltd. v. Walker, 267 Ga. 785, 786, 482 S.E.2d 339, 341 (1997)).
The Ramirez opinion is likely to have ripple effects in other cases—at least until the state supreme court or legislature weighs in to clarify the scope of Georgia’s data-privacy laws. For example, the same Eleventh Circuit panel cited Ramirez in reversing a denial of leave to amend a data-breach complaint, Sheffler v. Americold Realty Tr., No. 22-11789 (11th Cir. June 9, 2023), and district courts made aware of Ramirez have requested additional briefing in other pending cases. At the very least, the revival of the Ramirez plaintiff’s claim underscores a recent observation from our colleague Michael Bahar: “The best thing to do in privacy is to avoid litigation, to avoid regulatory enforcement action, which is why we like having the litigators be the proactive compliance advisers.”
Posted By: Lee A. Peifer