When a data breach places employees’ information at risk, is the employer liable? We’ve continued to track legal actions against employers based on data breaches, but we still don’t have clear guidance from the courts.
We do know that any business or organization has certain obligations when a data breach occurs. Forty-seven states and the District of Columbia require private or governmental entities to notify affected individuals of security breaches involving personally identifiable information. Employers need to understand the requirements of the jurisdictions in which they do business, and should have a plan in place to respond immediately if a breach occurs, because there are significant statutory penalties for failure to comply with data breach notification requirements.
Compliance with data breach notification laws is an essential start, but does not necessarily protect an employer from liability for damage to employees that may occur as a result of a data exposure. Individuals and groups of employees have made claims based on the release of personally identifiable information through data breaches. Those who do so, however, can’t base their claims on speculation or the threat of future harm. Courts are unwilling to allow lawsuits based on data breaches to proceed unless the plaintiffs can show that they have suffered some concrete harm beyond the compromise of personal data. In one case, a federal court in California held that the use of employee data obtained in a breach to file fraudulent tax returns, and the costs an employee incurs to pay for identity theft protection, are sufficiently concrete to support a claim against an employer.
This week, a Pennsylvania federal court weighed in, finding in favor of Coca-Cola Co. in a former employee’s proposed class action for identity theft. Several dozen laptops that contained employees’ personal information were stolen from Coca-Cola, and a former employee subsequently became the victim of fraud. He blamed the company for the release of his information and claimed that Coca-Cola had explicitly or implicitly promised to secure his personal data in its multiple policies relating to information security. After reviewing the company’s policies, the court disagreed, holding that Coca-Cola had no contractual obligation to secure employees’ personal information. Although ultimately favorable to the employer, the court’s holding indicated that Coca-Cola could be held liable for breaching specific duties it assumed in its Code of Conduct and written policies.
With the Coca-Cola decision in mind, and as we watch for additional developments, employers can continue to manage their risk of legal liability for data breaches that expose employees’ personal data. Here are some tips:
- Exercise reasonable care in the management of personally identifiable information about employees.
- Take cybersecurity seriously and take steps to minimize the risk of data breaches.
- Review policies and codes of conduct related to the handling of data. Make certain that they do not promise absolute protection or security of employees’ data and that they are specific about what the employer will do and what the employer expects employees to do.
- Respond swiftly to suspected data breaches and other events – like the theft of computers – that could result in data breaches.
- When breaches occur, or are suspected, consider affirmative steps, such as paying for credit monitoring or identity theft protection, to address employees’ fears.