Thursday, December 18, 2014

Lesson from the Sony Pictures Hack: Protection of Employee Information

Last week, we briefly discussed the fallout from the devastating hack of Sony Pictures.  This week the news for Sony is only getting worse, leading to that company’s decision to pull The Interview from theaters after threats were made against employees, theaters and movie-goers.  So far, the hack has uncovered emails documenting casual racism and gender wage gaps at Sony, among many other revelations. While each new disclosure by the “Guardians of Peace” certainly impacts Sony, and may impact the motion picture industry as a whole, there is one aspect of the hack and its aftermath that has much broader implications and should be on the radar of all employers: the class action lawsuit brought by Sony employees affected by the breach.
 
The lawsuit against Sony alleges that the hack accessed social security numbers, salaries, medical information, and other sensitive information of more than 47,000 current and former employees, due to Sony’s “business decision to accept the risk” that they could get hacked.  The claims in the class action, which include negligence and violations of California and Virginia data protection laws, also allege that Sony knew its vulnerabilities and failed to encrypt or password-protect employee information, even while putting enhanced data security, now shown to be inadequate, around the company’s movies.
 
This is not the first legal action brought against an employer because of a data breach. Earlier this year, for example, employees of the University of Pittsburgh Medical Center brought suit alleging that the Medical Center failed to properly safeguard their private information. That lawsuit claims that approximately 62,000 employees were affected when the employer's information system was hacked, with some employees becoming victims of tax fraud while others had their identities stolen. In another case, the Federal Trade Commission brought an action and eventually settled with Ceridian, a popular cloud-based HR service provider, because of Ceridian's allegedly inadequate security measures, which the FTC claimed affected more than 65,000 people.
 
So far, the courts have not provided employers meaningful guidance about their responsibility to protect employee information from unauthorized electronic access.  The Sony and UPMC lawsuits may or may not result in such guidance.  Having watched employment litigation for decades, we’re inclined to think that these two cases – and the others that will inevitably come – will attempt to answer classic negligence questions.  What are the limits of the employer’s duty to protect electronic employment records? What should a reasonable employer do? What safeguards are available, and which should a reasonable employer use to protect sensitive employee information?  These are questions that can’t be answered without an understanding of both employment law and cybersecurity.  Tomorrow, our friends Tom Caswell and Hernan Cipriotti will chime in on this topic in a guest blog discussing lessons employers can take away from the hacks of Sony and others.
 
Posted by:  Kate Bischoff and Judy Langevin