Carlos Ramirez v. The Paradies Shops, LLC (2023)


    USCA11 Case: 22-12853      Document: 38-1      Date Filed: 06/05/2023   Page: 1 of 15
    [PUBLISH]
    In the
    United States Court of Appeals
    For the Eleventh Circuit
    ____________________
    No. 22-12853
    ____________________
    CARLOS RAMIREZ,
    on behalf of himself and all others similarly situated,
    Plaintiff-Appellant,
    versus
    THE PARADIES SHOPS, LLC,
    a Georgia limited liability company,
    Defendant-Appellee.
    ____________________
    Appeal from the United States District Court
    for the Northern District of Georgia
    D.C. Docket No. 1:21-cv-03758-ELR
    ____________________
    Before JILL PRYOR and DUBINA, Circuit Judges, and COVINGTON,*
    District Judge.
    COVINGTON, District Judge:
    Carlos Ramirez worked for a company later acquired by the
    Paradies Shops. He, like many employees, entrusted his employer
    with sensitive personally identifiable information (PII). In October
    2020, Paradies suffered a ransomware attack on its administrative
    systems in which cybercriminals obtained the Social Security num-
    bers of Ramirez and other current and former employees. Shortly
    after learning of the data breach, Ramirez brought claims for neg-
    ligence and breach of implied contract on behalf of himself and
    those affected by the data breach, arguing Paradies should have
    protected the PII. He now appeals from the district court’s order
    granting Paradies’s motion to dismiss for failure to state a claim.
    He contends the district court demanded too much at the pleadings
    stage. With the benefit of oral argument, we agree in part. While
    we affirm the dismissal of the breach of implied contract claim, we
    reverse the district court’s dismissal of Ramirez’s negligence claim
    and remand for further proceedings.
    *Honorable Virginia M. Covington, United States District Judge for the Mid-
    dle District of Florida, sitting by designation.
    I.     BACKGROUND
    According to Ramirez’s complaint, he worked for Hojeij
    Branded Foods (HBF) from 2007 to 2014. After Ramirez left HBF,
    Paradies acquired HBF and its database of current and former em-
    ployees. Paradies operates retail stores and restaurants primarily in
    airports throughout the United States and Canada. It has over $1
    billion in sales and employs more than 10,000 people.
    The employees of Paradies and the companies it acquired
    had to provide PII about themselves and their beneficiaries as a
    condition of employment. At the time of the data breach, Paradies
    maintained records containing the PII, including names and Social
    Security numbers, of more than 76,000 current or former employ-
    ees.
    The sensitivity of this type of PII, particularly Social Security
    numbers, is well-known. Once stolen, fraudulent use of that infor-
    mation—and the resulting damage to victims—can continue for
    years. Ramirez alleged he was careful with his sensitive infor-
    mation. He relied on Paradies, a sophisticated company, to simi-
    larly keep his PII confidential and securely maintained, to use the
    information only for business purposes, and to make only author-
    ized disclosures.
    Despite his precautions, in early 2021, state offices in Rhode
    Island and Kentucky informed Ramirez that pandemic unemploy-
    ment assistance claims had been filed in his name. Neither claim
    was authorized, and both claims required the use of his Social Se-
    curity number.
    A few months later, Paradies notified Ramirez about a data
    breach incident. According to the notice, Paradies was the victim
    of a ransomware attack in October 2020, which affected “only an
    internal, administrative system.” But the attacker uploaded records
    to third-party servers, and Paradies’s investigation reflected that
    Ramirez’s “name, as well as [his] Social Security Number, were
    contained in the file(s).”
    Ramirez filed this putative class action on behalf of himself
    and those who had their data accessed as part of the data breach,
    asserting claims for breach of implied contract and negligence.1
    Ramirez said that he spent time dealing with the data breach
    and suffered annoyance, anxiety, an increased risk of fraud and
    identity theft, and a diminution in the value of his PII. Ramirez al-
    leged that the harms he suffered were a foreseeable result of
    Paradies’s inadequate security practices and its failure to comply
    with industry standards appropriate to the nature of the sensitive,
    unencrypted information it was maintaining. He described data se-
    curity recommendations from the United States government and
    Microsoft as examples of security procedures Paradies should have
    used. And he claimed that Paradies could have prevented the data
    breach by properly securing and encrypting the files containing PII
    and destroying older data about former employees. He asserted
    that Paradies knew or should have known that failing to do so involved
    a risk of harm even if the harm occurred through the criminal
    acts of a third party.
    1 Ramirez also asserted claims for invasion of privacy and breach of confidence,
    but he withdrew those claims in response to Paradies’s motion to dismiss.
    The district court treated those claims as abandoned, and Ramirez has
    not contested that on appeal.
    Paradies moved to dismiss under Rule 12(b)(6), arguing that
    it did not owe Ramirez a duty to safeguard his data under Georgia
    law and that Ramirez failed to allege the terms of any implied con-
    tract.
    The district court granted Paradies’s motion to dismiss, find-
    ing Ramirez’s negligence claim failed because he did not ade-
    quately allege that Paradies could have foreseen the harm. For
    guidance, the court looked to Purvis v. Healthcare, 
    563 F. Supp. 3d 1360 (N.D. Ga. 2021), in which another district court in Georgia
    found it was “common sense” that an entity receiving PII from pa-
    tients and employees as a condition of medical care and employ-
    ment had some obligation to protect that information from reason-
    ably foreseeable threats. In this case, the district court reasoned that
    Ramirez’s allegations of foreseeability were less specific than those
    in Purvis because Ramirez alleged neither that Paradies had actual
    knowledge of public announcements about data breaches nor any
    particular reason to be aware of them. The court also dismissed
    Ramirez’s breach of implied contract claim because he did not al-
    lege how Paradies or HBF manifested an intent to provide data se-
    curity as part of an employment agreement.
    II.    DISCUSSION
    In this diversity case, we review de novo whether the district
    court correctly forecast and applied Georgia law in dismissing
    Ramirez’s claims. 2 See SA Palm Beach, LLC v. Certain Underwriters at
    Lloyd’s London, 
    32 F.4th 1347, 1356 (11th Cir. 2022). We consider
    “whatever might lend [us] insight” to show how the Georgia Su-
    preme Court would decide the issues at hand. Id. at 1356-57.
    We accept the facts alleged in the complaint as true and con-
    strue them in the light most favorable to Ramirez, drawing on our
    judicial experience and common sense. See Resnick v. AvMed, Inc.,
    693 F.3d 1317, 1321-22, 1324 (11th Cir. 2012). At the pleading stage,
    a complaint must contain a “short and plain statement of the claim
    showing that the pleader is entitled to relief.” Fed. R. Civ. P. 8(a)(2).
    “Plaintiffs must plead all facts establishing an entitlement to relief
    with more than ‘labels and conclusions’ or ‘a formulaic recitation
    of the elements of a cause of action.’” Resnick, 
    693 F.3d at 1324 (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555 (2007)).
    “The complaint must contain enough facts to make a claim
    for relief plausible on its face; a party must plead ‘factual content
    that allows the court to draw the reasonable inference that the de-
    fendant is liable for the misconduct alleged.’” Id. at 1324-25 (quot-
    ing Ashcroft v. Iqbal, 
    556 U.S. 662, 678 (2009)). “A claim has facial
    plausibility when the plaintiff pleads factual content that allows the
    court to draw the reasonable inference that the defendant is liable
    for the misconduct alleged.” Iqbal, 
    556 U.S. at 678.
    2 The district court in its order and the parties on appeal have elected, without
    a choice-of-law analysis, to rely on Georgia law, so we apply Georgia law as
    well. See AT&T Mobility, LLC v. NASCAR, Inc., 
    494 F.3d 1356, 1360 n.7 (11th Cir. 2007).
    A.     Negligence
    In analyzing Ramirez’s negligence claim, we first review
    Georgia’s traditional tort principles regarding the existence of a
    duty of care. We then apply those principles to Ramirez’s allega-
    tions.
    i.      Duty of Care
    To state a viable negligence claim under Georgia law, a
    plaintiff must allege (1) a duty on the part of the defendant, (2) a
    breach of that duty, (3) causation of the alleged injury, and (4) dam-
    ages resulting from the alleged breach of the duty. Rasnick v.
    Krishna Hosp., Inc., 
    713 S.E.2d 835, 837 (Ga. 2011). Whether, and to
    what extent, the defendant owes the plaintiff a duty of care is a
    threshold question of law. City of Rome v. Jordan, 
    426 S.E.2d 861, 862 (Ga. 1993). The duty can arise from a statute or “be imposed by a
    common law principle recognized in the caselaw.” Rasnick, 713 S.E.2d at 837.
    On appeal, Ramirez concedes that Paradies does not owe
    him a statutory duty of care, so we look to Georgia’s decisional law
    for a duty. While we will not impose “a new, judicially-created
    duty,” Rasnick v. Krishna Hosp., Inc., 
    690 S.E.2d 670, 674 (Ga. Ct.
    App. 2010), we are not bound by “a restrictive and inflexible ap-
    proach” that “does not square with common sense or tort law.”
    Sturbridge Partners v. Walker, 
    482 S.E.2d 339, 340 (Ga. 1997) (discussing
    how to determine whether a risk is reasonably foreseeable).
    At the outset, the parties hotly contest the application of two
    recent Georgia Supreme Court cases, but neither case answers the
    duty of care question before us today. In Department of Labor v.
    McConnell, the Georgia Supreme Court disapproved “a purported
    common law duty ‘to all the world not to subject [others] to an
    unreasonable risk of harm.’” 
    828 S.E.2d 352, 358 (Ga. 2019) (quoting Bradley Ctr. v. Wessner,
    296 S.E.2d 693, 695 (Ga. 1982)) (explaining
    that language was neither a correct statement of the law nor
    controlling of the result in Bradley Center, “which was based on a
    ‘special relationship’ between the plaintiff and the defendant”). The
    court thus rejected McConnell’s reliance on Bradley Center for the
    proposition that the Georgia Department of Labor owed him a
    duty “to safeguard and protect” his personal information, including
    his Social Security number, from inadvertent disclosure. Id. The
    court expressly declined to consider whether a duty might arise
    from any other statutory 3 or common law source, as no such argument
    had been made in that case. Id. at 358 n.5.
    Not long after that, in Collins v. Athens Orthopedic Clinic, P.A.,
    the Georgia Supreme Court recognized a cognizable injury where
    a criminal theft of the plaintiffs’ personal data allegedly put them at
    an imminent and substantial risk of identity theft. 
    837 S.E.2d 310, 316-18 (Ga. 2019). But the Collins court also left the breach of duty
    issue for another day. Id. at 315-16 (noting that the “easier showing
    of injury” in cases “where the data exposure occurs as a result of an
    act by a criminal” “may well be offset by a more difficult showing
    of breach of duty”).
    3 The Georgia Supreme Court also rejected McConnell’s argument that this
    duty arose under two Georgia statutes, O.C.G.A. §§ 10-1-393.8 and 10-1-910,
    but neither is relevant to this case.
    Without clear guidance from Georgia courts on the asserted
    duty to safeguard PII, we must “apply traditional tort law” to
    Ramirez’s alleged injury to determine whether Paradies owed him
    a duty of care. Id. at 316 n.7.
    “A person is under no duty to rescue another from a situa-
    tion of peril which the former has not caused.” City of Douglasville v.
    Queen, 514 S.E.2d 195, 198-99 (Ga. 1999) (quoting Alexander v. Harnick,
    237 S.E.2d 221, 222 (Ga. Ct. App. 1977)) (emphasis added).
    But, “if the defendant’s own negligence has been responsible for
    the plaintiff’s situation, a relation has arisen which imposes a duty
    to make a reasonable effort to give assistance, and avoid any further
    harm.” Thomas v. Williams, 
    124 S.E.2d 409, 413 (Ga. Ct. App. 1962)
    (“[W]hen some special relation exists between the parties, social
    policy may justify the imposition of a duty to assist or rescue one
    in peril.”). Cf. CSX Transp., Inc. v. Williams, 
    608 S.E.2d 208, 209 (Ga.
    2005) (recognizing that policy plays an important role in fixing the
    bounds of a duty). In other words, “[t]raditional negligence princi-
    ples provide that the creator of a potentially dangerous situation
    has a duty to do something about it so as to prevent injury to others
    . . . that is, the creator has a duty to eliminate the danger or give
    warning to others of its presence.” City of Winder v. Girone,
    462 S.E.2d 704, 705 (Ga. 1995) (internal citations and quotation
    marks omitted). 4
    That said, for many types of negligent conduct, the scope of
    the duty owed by a defendant is “generally limited to reasonably
    foreseeable risks of harm.” Maynard v. Snapchat, Inc., 
    870 S.E.2d 739, 745 n.3 (Ga. 2022) (collecting cases). “Negligence is predicated
    on what should be anticipated, rather than on what happened, be-
    cause one is not bound to anticipate or foresee and provide against
    what is unlikely, remote, slightly probable, or slightly possible.”
    Amos v. City of Butler, 
    529 S.E.2d 420, 422 (Ga. Ct. App. 2000).
    Additionally, while the intervening criminal act of a third
    person will often insulate a defendant from liability for an original
    act of negligence, that rule does not apply when the defendant had
    reason to anticipate the criminal act. See Lillie v. 
    Thompson, 332 U.S. 459, 460-62 (1947) (holding that employers have a duty to anticipate
    and protect their employees from foreseeable dangers at the work-
    place even though the danger came from the criminal act of a third
    party); Atl. C. L. R. Co. v. Godard, 
    86 S.E.2d 311, 315 (Ga. 1955)
    (same); see also Doe v. Prudential-Bache/A.G. Spanos Realty Partners,
    L.P., 492 S.E.2d 865, 866 (Ga. 1997) (landlord and tenants); Se. Stages
    v. Stringer, 437 S.E.2d 315, 318 (Ga. 1993) (common carriers and
    passengers); Bradley Center, 296 S.E.2d at 696 (doctors and mental
    health patients); Restatement (Second) of Torts, § 302B, cmt. e. But
    Georgia courts will not expand traditional tort concepts merely because
    a harm is foreseeable. Rasnick, 713 S.E.2d at 839 (“[L]egal
    duty must be tailored so that the consequences of wrongs are limited
    to a controllable degree.”); CSX Transp., 608 S.E.2d at 209-10;
    City of Douglasville, 514 S.E.2d at 198.
    4 Georgia courts have also long recognized duties arising out of the employer-employee
    relationship. See, e.g., CSX Transp., Inc., 608 S.E.2d at 209 (“Under
    Georgia statutory and common law, an employer owes a duty to his employee
    to furnish a reasonably safe place to work and to exercise ordinary care and
    diligence to keep it safe.” (citation omitted)).
    With these common law principles in mind, we turn to
    whether Ramirez stated a claim for negligence.
    ii.    Sufficiency of the Complaint
    On appeal, Ramirez contends the district court asked for too
    much specificity at the pleading stage. We agree and reverse the
    district court’s grant of Paradies’s motion to dismiss with respect
    to Ramirez’s negligence claim.
    Paradies may not owe a duty to all the world, but it still owes
    a duty of care to those with whom it has a special relationship. See
    McConnell, 828 S.E.2d at 358; Thomas, 124 S.E.2d at 413. Employers
    must obtain sensitive PII about their employees for tax and busi-
    ness purposes, so it is no surprise HBF required Ramirez to disclose
    his Social Security number as a condition of employment. After
    Paradies acquired HBF’s records, however, it allegedly maintained
    Ramirez’s unencrypted PII in an internet-accessible database with
    tens of thousands of other current and former employees and failed
    to comply with industry standards to protect the PII from cyberat-
    tacks. Leaving this substantial database unsecured created a “po-
    tentially dangerous situation” whereby cybercriminals could
    improperly access and exploit this PII, so Paradies needed “to do
    something about it.” City of Winder, 
    462 S.E.2d at 705. It is also significant
    that they were not strangers. Paradies (through HBF) obtained
    Ramirez’s PII as a condition of employment, and employers
    are typically expected to protect their employees from foreseeable
    dangers related to their employment. Cf. CSX Transp., Inc.,
    608 S.E.2d at 209; Lillie, 332 U.S. at 462, n.4; Godard, 86 S.E.2d at 315.
    Of course, any duty owed by Paradies is limited to reasona-
    bly foreseeable risks of harm. See CSX Transp., 
    608 S.E.2d at 209.
    Ramirez alleged that the data breach was reasonably foreseeable in
    light of Paradies’s failure to take adequate security measures de-
    spite industry warnings and advice on how to prevent and detect
    ransomware attacks. And, with more than 10,000 current employ-
    ees and $1 billion in sales, Paradies is far from a small business. See
    O.C.G.A. § 50-5-121(3) (providing that a “small business” has 300
    or fewer employees or $30 million or less in gross receipts per year).
    Drawing on our judicial experience and common sense, we can
    reasonably infer that a company of Paradies’s size and sophistica-
    tion—especially one maintaining such an extensive database of
    prior employees’ PII—could have foreseen being the target of a
    cyberattack. Resnick, 
    693 F.3d at 1324-25. Given that foreseeability,
    Paradies is not shielded from liability by the intervening criminal
    act of the cybercriminals. See Godard, 
    86 S.E.2d at 315.
    In finding Ramirez had not sufficiently alleged foreseeabil-
    ity, the district court emphasized Ramirez did not allege that the
    threat of cyberattacks was especially well-known to Paradies or its
    type of business, that ransomware attacks were extremely com-
    mon, or that Paradies knew it faced a particularly high risk of a data
    breach. But data breach cases present unique challenges for plain-
    tiffs at the pleading stage. A plaintiff may know only what the com-
    pany has disclosed in its notice of a data breach. Even if some plain-
    tiffs can find more information about a specific data breach, there
    are good reasons for a company to keep the details of its security
    procedures and vulnerabilities private from the public and other
    cybercriminal groups. We cannot expect a plaintiff in Ramirez’s po-
    sition to plead with exacting detail every aspect of Paradies’s secu-
    rity history and procedures that might make a data breach foresee-
    able, particularly where “the question of reasonable foreseeability
    of a criminal attack is generally for a jury’s determination rather
    than summary adjudication by the courts.” Sturbridge Partners, 
    482 S.E.2d at 341 (citation and quotation marks omitted). Under the
    circumstances, Ramirez did enough under the Twombly and Iqbal
    standard to plead foreseeability. See Resnick, 
    693 F.3d at 1324-25.
    In short, while data breach cases present a “fairly new kind
    of injury,” Ramirez has sufficiently pled the existence of a special
    relationship and a foreseeable risk of harm. Collins, 837 S.E.2d at
    316 n.7. As a result, Georgia’s traditional negligence principles are
    flexible enough to cover Ramirez’s allegations.
    B.     Breach of Implied Contract
    Ramirez’s appeal from the dismissal of his breach of implied
    contract claim is easier to resolve. Generally, “to enforce a specific
    contract provision, a party must demonstrate a ‘meeting of the
    minds’ as to the key contract provisions.” Iraola & CIA., S.A. v. Kimberly-Clark
    Corp., 325 F.3d 1274, 1285 (11th Cir. 2003). “‘If there is
    any essential term upon which agreement is lacking, no meeting of
    the minds of the parties exists, and a valid and binding contract has
    not been formed.’” Id. (quoting Auto-Owners Ins. Co. v. Crawford,
    525 S.E.2d 118, 120 (Ga. Ct. App. 1999)).
    Notwithstanding the bare assertion that Paradies or HBF
    agreed to safeguard his PII by implied contract, we agree with the
    district court that Ramirez failed to allege any facts from which we
    could infer HBF agreed to be bound by any data retention or pro-
    tection policy. Without those facts, Ramirez provides only “labels
    and conclusions” insufficient to plead a breach of implied contract.
    Resnick, 693 F.3d at 1324.
    III.   CONCLUSION
    We recognize that policy plays an important role in fixing
    the bounds of a defendant’s duty under Georgia law. As the Geor-
    gia Supreme Court has noted, “traditional tort law is a rather blunt
    instrument for resolving all of the complex tradeoffs at issue in a
    case such as this, tradeoffs that may well be better resolved by the
    legislative process.” Collins, 837 S.E.2d at 316 n.7. Nevertheless,
    having applied Georgia’s traditional tort principles, we conclude
    Ramirez has pled facts giving rise to a duty of care on the part of
    Paradies. Getting past summary judgment may prove a tougher
    challenge, but Ramirez has pled enough for his negligence claim to
    survive a Rule 12(b)(6) motion to dismiss.
    The district court’s dismissal of Ramirez’s breach of implied
    contract claim is AFFIRMED. We REVERSE the dismissal of
    Ramirez’s negligence claim and REMAND for further proceedings
    consistent with this opinion.