Everything these days is online, it seems. So it is not too surprising that a court recently ruled that an employer has a duty to protect its employees from cybertheft. That is precisely what the U.S. Court of Appeals for the Eleventh Circuit ruled in Ramirez v. The Paradies Shops, LLC.
In that case, a Carlos Ramirez, on behalf of himself and a class of similarly situated current and former employees, sued his former employer (a large company operating hundreds of retail shops in airports, hotels, and other locations), claiming that the employer was negligent in failing to protect employees’ personally identifiable information (“PII”) from a ransomware attack. In particular, the former employee argued that the company did not sufficiently protect the PII from cyber-attack and breached its duty to the employees by maintaining employee PII, including Social Security numbers, on an unencrypted, internet-accessible drive. While the court applied Georgia law, the legal principles applied are similar to those of other states, including California.
The Eleventh Circuit found that the company required its employees to provide PII as a condition of employment and that “employers are typically expected to protect their employees from foreseeable dangers related to their employment.” Given the company’s size and sophistication as well as the amount of data at risk (“extensive database of prior employees’ PII”), it was foreseeable that the company would be the target of a cyber-attack, and the company had a duty to take reasonable steps to protect its employees’ PII.
For employers in California (where employment laws are even more stringent), the message is clear: take appropriate measures to protect employees’ PII. The level of protection and the amount of concomitant investment depend on a number of factors, including the size of the company and the nature of the operations. Still, being proactive is key. If you are a California employer and have questions, contact the attorneys at Navigato & Battin, LLP for assistance.