Carlos Ramirez v. The Paradies Shops, LLC

Summarize Case

Related Cases

USCA11 Case: 22-12853 Document: 38-1 Date Filed: 06/05/2023 Page: 1 of 15 [PUBLISH] In the United States Court of Appeals For the Eleventh Circuit ____________________ No. 22-12853 ____________________ CARLOS RAMIREZ, on behalf of himself and all others similarly situated, Plaintiff-Appellant, versus THE PARADIES SHOPS, LLC, a Georgia limited liability company, Defendant-Appellee. ____________________ Appeal from the United States District Court for the Northern District of Georgia USCA11 Case: 22-12853 Document: 38-1 Date Filed: 06/05/2023 Page: 2 of 15 2 Opinion of the Court 22-12853 D.C. Docket No. 1:21-cv-03758-ELR ____________________ Before JILL PRYOR and DUBINA, Circuit Judges, and COVINGTON,* District Judge. COVINGTON, District Judge: Carlos Ramirez worked for a company later acquired by the Paradies Shops. He, like many employees, entrusted his employer with sensitive personally identifiable information (PII). In October 2020, Paradies suffered a ransomware attack on its administrative systems in which cybercriminals obtained the Social Security num- bers of Ramirez and other current and former employees. Shortly after learning of the data breach, Ramirez brought claims for neg- ligence and breach of implied contract on behalf of himself and those affected by the data breach, arguing Paradies should have protected the PII. He now appeals from the district court’s order granting Paradies’s motion to dismiss for failure to state a claim. He contends the district court demanded too much at the pleadings stage. With the benefit of oral argument, we agree in part. While we affirm the dismissal of the breach of implied contract claim, we reverse the district court’s dismissal of Ramirez’s negligence claim and remand for further proceedings. *Honorable Virginia M. Covington, United States District Judge for the Mid- dle District of Florida, sitting by designation. USCA11 Case: 22-12853 Document: 38-1 Date Filed: 06/05/2023 Page: 3 of 15 22-12853 Opinion of the Court 3 I. BACKGROUND According to Ramirez’s complaint, he worked for Hojeij Branded Foods (HBF) from 2007 to 2014. After Ramirez left HBF, Paradies acquired HBF and its database of current and former em- ployees. Paradies operates retail stores and restaurants primarily in airports throughout the United States and Canada. It has over $1 billion in sales and employs more than 10,000 people. The employees of Paradies and the companies it acquired had to provide PII about themselves and their beneficiaries as a condition of employment. At the time of the data breach, Paradies maintained records containing the PII, including names and Social Security numbers, of more than 76,000 current or former employ- ees. The sensitivity of this type of PII, particularly Social Security numbers, is well-known. Once stolen, fraudulent use of that infor- mation—and the resulting damage to victims—can continue for years. Ramirez alleged he was careful with his sensitive infor- mation. He relied on Paradies, a sophisticated company, to simi- larly keep his PII confidential and securely maintained, to use the information only for business purposes, and to make only author- ized disclosures. Despite his precautions, in early 2021, state offices in Rhode Island and Kentucky informed Ramirez that pandemic unemploy- ment assistance claims had been filed in his name. Neither claim was authorized, and both claims required the use of his Social Se- curity number. USCA11 Case: 22-12853 Document: 38-1 Date Filed: 06/05/2023 Page: 4 of 15 4 Opinion of the Court 22-12853 A few months later, Paradies notified Ramirez about a data breach incident. According to the notice, Paradies was the victim of a ransomware attack in October 2020, which affected “only an internal, administrative system.” But the attacker uploaded records to third-party servers, and Paradies’s investigation reflected that Ramirez’s “name, as well as [his] Social Security Number, were contained in the file(s).” Ramirez filed this putative class action on behalf of himself and those who had their data accessed as part of the data breach, asserting claims for breach of implied contract and negligence.1 Ramirez said that he spent time dealing with the data breach and suffered annoyance, anxiety, an increased risk of fraud and identity theft, and a diminution in the value of his PII. Ramirez al- leged that the harms he suffered were a foreseeable result of Paradies’s inadequate security practices and its failure to comply with industry standards appropriate to the nature of the sensitive, unencrypted information it was maintaining. He described data se- curity recommendations from the United States government and Microsoft as examples of security procedures Paradies should have used. And he claimed that Paradies could have prevented the data breach by properly securing and encrypting the files containing PII and destroying older data about former employees. He asserted 1Ramirez also asserted claims for invasion of privacy and breach of confi- dence, but he withdrew those claims in response to Paradies’s motion to dis- miss. The district court treated those claims as abandoned, and Ramirez has not contested that on appeal. USCA11 Case: 22-12853 Document: 38-1 Date Filed: 06/05/2023 Page: 5 of 15 22-12853 Opinion of the Court 5 that Paradies knew or should have known that failing to do so in- volved a risk of harm even if the harm occurred through the crim- inal acts of a third party. Paradies moved to dismiss under Rule 12(b)(6), arguing that it did not owe Ramirez a duty to safeguard his data under Georgia law and that Ramirez failed to allege the terms of any implied con- tract. The district court granted Paradies’s motion to dismiss, find- ing Ramirez’s negligence claim failed because he did not ade- quately allege that Paradies could have foreseen the harm. For guidance, the court looked to Purvis v. Healthcare, 563 F. Supp. 3d 1360 (N.D. Ga. 2021), in which another district court in Georgia found it was “common sense” that an entity receiving PII from pa- tients and employees as a condition of medical care and employ- ment had some obligation to protect that information from reason- ably foreseeable threats. In this case, the district court reasoned that Ramirez’s allegations of foreseeability were less specific than those in Purvis because Ramirez alleged neither that Paradies had actual knowledge of public announcements about data breaches nor any particular reason to be aware of them. The court also dismissed Ramirez’s breach of implied contract claim because he did not al- lege how Paradies or HBF manifested an intent to provide data se- curity as part of an employment agreement. II. DISCUSSION In this diversity case, we review de novo whether the district court correctly forecast and applied Georgia law in dismissing USCA11 Case: 22-12853 Document: 38-1 Date Filed: 06/05/2023 Page: 6 of 15 6 Opinion of the Court 22-12853 Ramirez’s claims. 2 See SA Palm Beach, LLC v. Certain Underwriters at Lloyd’s London, 32 F.4th 1347, 1356 (11th Cir. 2022). We consider “whatever might lend [us] insight” to show how the Georgia Su- preme Court would decide the issues at hand. Id. at 1356-57. We accept the facts alleged in the complaint as true and con- strue them in the light most favorable to Ramirez, drawing on our judicial experience and common sense. See Resnick v. AvMed, Inc., 693 F.3d 1317, 1321-22, 1324 (11th Cir. 2012). At the pleading stage, a complaint must contain a “short and plain statement of the claim showing that the pleader is entitled to relief.” Fed. R. Civ. P. 8(a)(2). “Plaintiffs must plead all facts establishing an entitlement to relief with more than ‘labels and conclusions’ or ‘a formulaic recitation of the elements of a cause of action.’” Resnick, 693 F.3d at 1324 (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555 (2007)). “The complaint must contain enough facts to make a claim for relief plausible on its face; a party must plead ‘factual content that allows the court to draw the reasonable inference that the de- fendant is liable for the misconduct alleged.’” Id. at 1324-25 (quot- ing Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009)). “A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Iqbal, 556 U.S. at 678. 2 The district court in its order and the parties on appeal have elected, without a choice-of-law analysis, to rely on Georgia law, so we apply Georgia law as well. See AT&T Mobility, LLC v. NASCAR, Inc., 494 F.3d 1356, 1360 n.7 (11th Cir. 2007). USCA11 Case: 22-12853 Document: 38-1 Date Filed: 06/05/2023 Page: 7 of 15 22-12853 Opinion of the Court 7 A. Negligence In analyzing Ramirez’s negligence claim, we first review Georgia’s traditional tort principles regarding the existence of a duty of care. We then apply those principles to Ramirez’s allega- tions. i. Duty of Care To state a viable negligence claim under Georgia law, a plaintiff must allege (1) a duty on the part of the defendant, (2) a breach of that duty, (3) causation of the alleged injury, and (4) dam- ages resulting from the alleged breach of the duty. Rasnick v. Krishna Hosp., Inc., 713 S.E.2d 835, 837 (Ga. 2011). Whether, and to what extent, the defendant owes the plaintiff a duty of care is a threshold question of law. City of Rome v. Jordan, 426 S.E.2d 861, 862 (Ga. 1993). The duty can arise from a statute or “be imposed by a common law principle recognized in the caselaw.” Rasnick, 713 S.E.2d at 837. On appeal, Ramirez concedes that Paradies does not owe him a statutory duty of care, so we look to Georgia’s decisional law for a duty. While we will not impose “a new, judicially-created duty,” Rasnick v. Krishna Hosp., Inc., 690 S.E.2d 670, 674 (Ga. Ct. App. 2010), we are not bound by “a restrictive and inflexible ap- proach” that “does not square with common sense or tort law.” Sturbridge Partners v. Walker, 482 S.E.2d 339, 340 (Ga. 1997) (discuss- ing how to determine whether a risk is reasonably foreseeable). At the outset, the parties hotly contest the application of two recent Georgia Supreme Court cases, but neither case answers the USCA11 Case: 22-12853 Document: 38-1 Date Filed: 06/05/2023 Page: 8 of 15 8 Opinion of the Court 22-12853 duty of care question before us today. In Department of Labor v. McConnell, the Georgia Supreme Court disapproved “a purported common law duty ‘to all the world not to subject [others] to an unreasonable risk of harm.’” 828 S.E.2d 352, 358 (Ga. 2019) (quot- ing Bradley Ctr. v. Wessner, 296 S.E.2d 693, 695 (Ga. 1982)) (explain- ing that language was neither a correct statement of the law nor controlling of the result in Bradley Center, “which was based on a ‘special relationship’ between the plaintiff and the defendant”). The court thus rejected McConnell’s reliance on Bradley Center for the proposition that the Georgia Department of Labor owed him a duty “to safeguard and protect” his personal information, including his Social Security number, from inadvertent disclosure. Id. The court expressly declined to consider whether a duty might arise from any other statutory 3 or common law source, as no such argu- ment had been made in that case. Id. at 358 n.5. Not long after that, in Collins v. Athens Orthopedic Clinic, P.A., the Georgia Supreme Court recognized a cognizable injury where a criminal theft of the plaintiffs’ personal data allegedly put them at an imminent and substantial risk of identity theft. 837 S.E.2d 310, 316-18 (Ga. 2019). But the Collins court also left the breach of duty issue for another day. Id. at 315-16 (noting that the “easier showing of injury” in cases “where the data exposure occurs as a result of an 3The Georgia Supreme Court also rejected McConnell’s argument that this duty arose under two Georgia statutes, O.C.G.A. §§ 10-1-393.8 and 10-1-910, but neither is relevant to this case. USCA11 Case: 22-12853 Document: 38-1 Date Filed: 06/05/2023 Page: 9 of 15 22-12853 Opinion of the Court 9 act by a criminal” “may well be offset by a more difficult showing of breach of duty”). Without clear guidance from Georgia courts on the asserted duty to safeguard PII, we must “apply traditional tort law” to Ramirez’s alleged injury to determine whether Paradies owed him a duty of care. Id. at 316 n.7. “A person is under no duty to rescue another from a situa- tion of peril which the former has not caused.” City of Douglasville v. Queen, 514 S.E.2d 195, 198-99 (Ga. 1999) (quoting Alexander v. Har- nick, 237 S.E.2d 221, 222 (Ga. Ct. App. 1977)) (emphasis added). But, “if the defendant’s own negligence has been responsible for the plaintiff’s situation, a relation has arisen which imposes a duty to make a reasonable effort to give assistance, and avoid any further harm.” Thomas v. Williams, 124 S.E.2d 409, 413 (Ga. Ct. App. 1962) (“[W]hen some special relation exists between the parties, social policy may justify the imposition of a duty to assist or rescue one in peril.”). Cf. CSX Transp., Inc. v. Williams, 608 S.E.2d 208, 209 (Ga. 2005) (recognizing that policy plays an important role in fixing the bounds of a duty). In other words, “[t]raditional negligence princi- ples provide that the creator of a potentially dangerous situation has a duty to do something about it so as to prevent injury to others . . . that is, the creator has a duty to eliminate the danger or give warning to others of its presence.” City of Winder v. Girone, USCA11 Case: 22-12853 Document: 38-1 Date Filed: 06/05/2023 Page: 10 of 15 10 Opinion of the Court 22-12853 462 S.E.2d 704, 705 (Ga. 1995) (internal citations and quotation marks omitted). 4 That said, for many types of negligent conduct, the scope of the duty owed by a defendant is “generally limited to reasonably foreseeable risks of harm.” Maynard v. Snapchat, Inc., 870 S.E.2d 739, 745 n.3 (Ga. 2022) (collecting cases). “Negligence is predicated on what should be anticipated, rather than on what happened, be- cause one is not bound to anticipate or foresee and provide against what is unlikely, remote, slightly probable, or slightly possible.” Amos v. City of Butler, 529 S.E.2d 420, 422 (Ga. Ct. App. 2000). Additionally, while the intervening criminal act of a third person will often insulate a defendant from liability for an original act of negligence, that rule does not apply when the defendant had reason to anticipate the criminal act. See Lillie v. Thompson, 332 U.S. 459, 460-62 (1947) (holding that employers have a duty to anticipate and protect their employees from foreseeable dangers at the work- place even though the danger came from the criminal act of a third party); Atl. C. L. R. Co. v. Godard, 86 S.E.2d 311, 315 (Ga. 1955) (same); see also Doe v. Prudential-Bache/A.G. Spanos Realty Partners, L.P., 492 S.E.2d 865, 866 (Ga. 1997) (landlord and tenants); Se. Stages v. Stringer, 437 S.E.2d 315, 318 (Ga. 1993) (common carriers and 4Georgia courts have also long recognized duties arising out of the employer- employee relationship. See, e.g., CSX Transp., Inc., 608 S.E.2d at 209 (“Under Georgia statutory and common law, an employer owes a duty to his employee to furnish a reasonably safe place to work and to exercise ordinary care and diligence to keep it safe.” (citation omitted)). USCA11 Case: 22-12853 Document: 38-1 Date Filed: 06/05/2023 Page: 11 of 15 22-12853 Opinion of the Court 11 passengers); Bradley Center, 296 S.E.2d at 696 (doctors and mental health patients); Restatement (Second) of Torts, § 302B, cmt. e. But Georgia courts will not expand traditional tort concepts merely be- cause a harm is foreseeable. Rasnick, 713 S.E.2d at 839 (“[L]egal duty must be tailored so that the consequences of wrongs are lim- ited to a controllable degree.”); CSX Transp., 608 S.E.2d at 209-10; City of Douglasville, 514 S.E.2d at 198. With these common law principles in mind, we turn to whether Ramirez stated a claim for negligence. ii. Sufficiency of the Complaint On appeal, Ramirez contends the district court asked for too much specificity at the pleading stage. We agree and reverse the district court’s grant of Paradies’s motion to dismiss with respect to Ramirez’s negligence claim. Paradies may not owe a duty to all the world, but it still owes a duty of care to those with whom it has as special relationship. See McConnell, 828 S.E.2d at 358; Thomas, 124 S.E.2d at 413. Employers must obtain sensitive PII about their employees for tax and busi- ness purposes, so it is no surprise HBF required Ramirez to disclose his Social Security number as a condition of employment. After Paradies acquired HBF’s records, however, it allegedly maintained Ramirez’s unencrypted PII in an internet-accessible database with tens of thousands of other current and former employees and failed to comply with industry standards to protect the PII from cyberat- tacks. Leaving this substantial database unsecured created a “po- tentially dangerous situation” whereby cybercriminals could USCA11 Case: 22-12853 Document: 38-1 Date Filed: 06/05/2023 Page: 12 of 15 12 Opinion of the Court 22-12853 improperly access and exploit this PII, so Paradies needed “to do something about it.” City of Winder, 462 S.E.2d at 705. It is also sig- nificant that they were not strangers. Paradies (through HBF) ob- tained Ramirez’s PII as a condition of employment, and employers are typically expected to protect their employees from foreseeable dangers related to their employment. Cf. CSX Transp., Inc., 608 S.E.2d at 209; Lillie, 332 U.S. at 462, n.4; Godard, 86 S.E.2d at 315. Of course, any duty owed by Paradies is limited to reasona- bly foreseeable risks of harm. See CSX Transp., 608 S.E.2d at 209. Ramirez alleged that the data breach was reasonably foreseeable in light of Paradies’s failure to take adequate security measures de- spite industry warnings and advice on how to prevent and detect ransomware attacks. And, with more than 10,000 current employ- ees and $1 billion in sales, Paradies is far from a small business. See O.C.G.A. § 50-5-121(3) (providing that a “small business” has 300 or fewer employees or $30 million or less in gross receipts per year). Drawing on our judicial experience and common sense, we can reasonably infer that a company of Paradies’s size and sophistica- tion—especially one maintaining such an extensive database of prior employees’ PII—could have foreseen being the target of a cyberattack. Resnick, 693 F.3d at 1324-25. Given that foreseeability, Paradies is not shielded from liability by the intervening criminal act of the cybercriminals. See Godard, 86 S.E.2d at 315. In finding Ramirez had not sufficiently alleged foreseeabil- ity, the district court emphasized Ramirez did not allege that the USCA11 Case: 22-12853 Document: 38-1 Date Filed: 06/05/2023 Page: 13 of 15 22-12853 Opinion of the Court 13 threat of cyberattacks was especially well-known to Paradies or its type of business, that ransomware attacks were extremely com- mon, or that Paradies knew it faced a particularly high risk of a data breach. But data breach cases present unique challenges for plain- tiffs at the pleading stage. A plaintiff may know only what the com- pany has disclosed in its notice of a data breach. Even if some plain- tiffs can find more information about a specific data breach, there are good reasons for a company to keep the details of its security procedures and vulnerabilities private from the public and other cybercriminal groups. We cannot expect a plaintiff in Ramirez’s po- sition to plead with exacting detail every aspect of Paradies’s secu- rity history and procedures that might make a data breach foresee- able, particularly where “the question of reasonable foreseeability of a criminal attack is generally for a jury’s determination rather than summary adjudication by the courts.” Sturbridge Partners, 482 S.E.2d at 341 (citation and quotation marks omitted). Under the circumstances, Ramirez did enough under the Twombly and Iqbal standard to plead foreseeability. See Resnick, 693 F.3d at 1324-25. In short, while data breach cases present a “fairly new kind of injury,” Ramirez has sufficiently pled the existence of a special relationship and a foreseeable risk of harm. Collins, 837 S.E.2d at 316 n.7. As a result, Georgia’s traditional negligence principles are flexible enough to cover Ramirez’s allegations. B. Breach of Implied Contract Ramirez’s appeal from the dismissal of his breach of implied contract claim is easier to resolve. Generally, “to enforce a specific USCA11 Case: 22-12853 Document: 38-1 Date Filed: 06/05/2023 Page: 14 of 15 14 Opinion of the Court 22-12853 contract provision, a party must demonstrate a ‘meeting of the minds’ as to the key contract provisions.” Iraola & CIA., S.A. v. Kim- berlyClark Corp., 325 F.3d 1274, 1285 (11th Cir. 2003). “‘If there is any essential term upon which agreement is lacking, no meeting of the minds of the parties exists, and a valid and binding contract has not been formed.’” Id. (quoting AutoOwners Ins. Co. v. Crawford, 525 S.E.2d 118, 120 (Ga. Ct. App. 1999)). Notwithstanding the bare assertion that Paradies or HBF agreed to safeguard his PII by implied contract, we agree with the district court that Ramirez failed to allege any facts from which we could infer HBF agreed to be bound by any data retention or pro- tection policy. Without those facts, Ramirez provides only “labels and conclusions” insufficient to plead a breach of implied contract. Resnick, 693 F.3d at 1324. III. CONCLUSION We recognize that policy plays an important role in fixing the bounds of a defendant’s duty under Georgia law. As the Geor- gia Supreme Court has noted, “traditional tort law is a rather blunt instrument for resolving all of the complex tradeoffs at issue in a case such as this, tradeoffs that may well be better resolved by the legislative process.” Collins, 837 S.E.2d at 316 n.7. Nevertheless, having applied Georgia’s traditional tort principles, we conclude Ramirez has pled facts giving rise to a duty of care on the part of Paradies. Getting past summary judgment may prove a tougher challenge, but Ramirez has pled enough for his negligence claim to survive a Rule 12(b)(6) motion to dismiss. USCA11 Case: 22-12853 Document: 38-1 Date Filed: 06/05/2023 Page: 15 of 15 22-12853 Opinion of the Court 15 The district court’s dismissal of Ramirez’s breach of implied contract claim is AFFIRMED. We REVERSE the dismissal of Ramirez’s negligence claim and REMAND for further proceedings consistent with this opinion.