Employers May Be Liable for the Release of Employees' Personally Identifying Information in Data Breaches
December 5, 2018
It seems that reports of hackers breaching a business’s security measures to obtain customer information appear on an almost weekly basis. Unfortunately, businesses need to worry not only about the unauthorized access of customer data by hackers, but also the unauthorized access of sensitive employee information as well.
The Pennsylvania Supreme Court recently held in Dittman v. UPMC that employers have a duty to use reasonable care to protect the unauthorized release of their employees’ data, and that they could be liable to their employees for release of that data even where it was the result of a third-party’s criminal activity. Several other cases have been brought around the country, including a 150,000 member class action brought by the National Treasury Employees’ Union against the United States Office of Personnel Management, as a result of the hacking of employee data.
Employers in New York are prohibited from communicating an employee’s personal identifying information (“PII”) to the general public by Section 203-d of the New York Labor Law (“NYLL”). PII includes social security numbers, home addresses, telephone numbers, personal email addresses, internet screen names and passwords, a parent’s surname before marriage, and drivers’ license numbers.
In Sackin v. Transperfect Global, Inc., Judge Schofield of the U.S. District Court for the Southern District of New York held that NYLL § 203-d gave the plaintiffs a private right of action against their employer for the unauthorized release of their PII due to a data breach. At least one Transperfect employee received a phishing email, purporting to be from the CEO, that was actually sent by hackers, and provided the hackers with the W-2 forms and payroll information of all current and former Transperfect employees. The plaintiffs alleged that Transperfect failed to train its employees on data security, to utilize firewalls, and to maintain retention and destruction protocols for PII. They also asserted that hackers could use the employees’ PII to fraudulently obtain loans and credit cards, and to fraudulently file tax returns. After the breach, Transperfect offered the plaintiffs two years of free identity theft monitoring, but the plaintiffs purchased services to prevent identity theft instead.
The court found that the risks of identity theft set forth by the plaintiffs, as well as the costs incurred in purchasing identity theft protection services, gave the plaintiffs standing to sue their employer. Like the Pennsylvania Supreme Court in Dittman, it also acknowledged an employer’s duty to reasonably protect its employees’ PII. Ultimately, the court allowed the plaintiffs to proceed with their class-action against Transperfect under theories of negligence, negligence per se, breach of implied contract, and unjust enrichment, in addition to the statutory claim under NYLL § 203-d that was recognized by the court.
As this is an emerging area of the law, it is unclear whether an employer that took reasonable measures to avoid the breach of its data systems by hackers would be able to avoid liability. However, an employer will likely be in a better position to defend itself if it can show that it made reasonable efforts to secure its systems, updated its security measures periodically, and trained employees regularly regarding how to recognize phishing e-mails and other attempts to gain unauthorized access to confidential information.
Although most employers strive to protect their employees’ PII, it is clear that in this day and age even the most secure systems are vulnerable to attack by sophisticated hackers. In the event that your business’s data systems are breached and employee, customer, client or other third-party data is released, our firm can assist you in responding and complying with all applicable reporting requirements.