Thursday, June 27, 2019

Does an employer have a duty to protect the personal information of its employees? (Part 3)

Employees trust their employers with a whole bunch of personal information. Social security numbers, medical documents, insurance records, birth dates, criminal records, credit reports, family information, etc. And it’s not like employees have a choice over whether to disclose and entrust this information to their employer. These documents are all necessary if employees want to get hired, get paid, and obtain health insurance and other benefits. Thus, an employer’s personnel records are a treasure trove of PII (personally identifiable information — any data that could potentially identify a specific individual, which can be used to distinguish one person from another and de-anonymizing otherwise anonymous data).

For this reason, cyber-criminals target myriad businesses in an attempt to steal (and then sell on the dark web) this data.

If a company is hacked, and employees’ PII or other data is stolen, is their employer liable to its employees for any damages caused by the data breach?

I’ve covered this issue twice before (here and here), with different courts reaching opposite results (albeit the majority of them concluding that an employer can be held liable).

In AFGE v. OPM (In re United States OPM Data Sec. Breach Litig.), the D.C. Circuit Court of Appeals recently addressed a similar issue, and concluded that employee-victims have standing to sue their employer following a data breach from which their personal information and data is stolen. A “substantial risk of future identity theft” is sufficient harm to give rise to a lawsuit, and the “their claimed data breach-related injuries are fairly traceable to [their employer’s] failure to secure its information systems.”

All of these cases are legally interesting, and, I submit, largely practically insignificant. Regardless of whether you, as an employer, have a legal duty to protect the personal information and data of your employees, you still have a significant financial and reputational incentive to take reasonable steps to maintain the privacy and security of the information.

Moreover, as data breaches continue to increase in quantity and quality, courts and legislatures will look for ways to shift the cost of harm to those who can both better afford it and better take measures to hedge against them. Thus, I predict that in five years or less we will have a legal consensus on liability.

The question, then, for you and your business to answer is what are you going to do about it now? The time to get your business’s cyber-house in order is now (actually, it was years ago, but let’s go with now if you’re late to the game). Don’t wait for a court to hold you liable to your employees (and others?) after a data breach.

Thus, what should you be doing?

  1. Implementing reasonable security measures, which includes encryption, firewalls, secure and updated passwords, and employee training on how to protect against data breaches (such as how not fall victim to phishing attacks).

  2. If (or more accurately when) you suffer a data breach, timely advising employees of the breach as required by all applicable state laws.

  3. Training employees on appropriate data security.

  4. Drafting policies that explain the scope of your duty as an organization to protect employee data.

  5. Maintaining an updated data breach response plan.

Remember, data breaches are not an if issue, but a when issue. Once you understand the fact that you will suffer a breach, you should also understand the importance of making the issue of data security a priority in your organization. The average cost to a company of a data breach in 2018 is $3.9 million (and increasing annually). While I generally don’t work in the business of guarantees, I will guarantee that any expenses you incur to mitigate the potential cost of a data breach is money well spent.

* Image by Steve Buissinne from Pixabay