Employers, it's crucial to ensure the safety of your employees' personal data. A recent legal case, Ramirez v. Paradies Shops, LLC, decided by the Eleventh Circuit Court of Appeals, underscores the responsibility of employers to protect their employees' personal information. This ruling highlights that employers owe a duty to their employees to safeguard personal data collected as part of their employment. Here's what you need to know:
Paradies Shops, LLC, faced a common predicament in October 2020 – a ransomware attack. Like many others, they became the subject of a class action lawsuit alleging negligence in safeguarding employee data during the attack. While the District Court initially dismissed the case, the Eleventh Circuit's decision upheld the claim brought by Carlos Ramirez, a former employee. Now the question is - Who is responsible for a cyber attack?
Why This Case Stands Out
Mr. Ramirez had worked for Hojeij Branded Foods for seven years, which later merged with Paradies Shops, making their employee database Paradies' property. Employees often provide personal information, like social security numbers, when they start a new job. During the ransomware attack, threat actors accessed files containing employees' names and social security numbers. Read more and grab tips to secure your application following a cyberattack.
In early 2021, Ramirez discovered that his social security number had been used fraudulently for a COVID unemployment compensation claim. Several months after the attack, Paradies Shops notified him that his data was compromised. Ramirez, representing a class, sued Paradies Shops for negligence and breach of implied contract.
The Court's Ruling
The Eleventh Circuit clarified the requirements for a negligence claim under Georgia law, which applies to this case. To succeed, a plaintiff must prove a breached duty, causation, and resulting damages. In this context, the court emphasised flexibility in applying existing standards and stated that a special relationship, such as that between employer and employee, justifies imposing a duty on the employer to assist the employee.
Paradies Shops argued that the criminal act of cybercriminals causing the breach was unforeseeable. However, the court noted that if the attack could have been anticipated, criminal actions wouldn't shield the defendant from liability.
The complaint alleged that Paradies failed to encrypt the database and didn't meet cybersecurity industry standards. It also claimed that given Paradies' business nature and industry warnings about ransomware attacks and the importance of a hide VPN, the breach was foreseeable.
What This Means for Employers
While the case isn't settled yet, its survival of a motion to dismiss implies increased legal costs for employers facing cyberattacks that compromise employee data. Even though no business can guarantee immunity from ransomware attacks, foreseeability and the duty to protect employee data should encourage employers to evaluate their security measures and adopt Hide Expert VPN as their first line of defence among other security measures to meet the required standard of care.
In conclusion, employers must take proactive steps to safeguard employee data, recognising the potential consequences of data breaches on both their employees and themselves.