Written by Aaron Wais
An appellate court in Pennsylvania recently dismissed an employee class action against their employer over a data breach, holding that the employer did not have a duty to protect its employees’ personal information (e.g., names, birth dates, social security numbers, bank information, etc.). While this was a significant victory for employers, non-Pennsylvania employers should temper their enthusiasm because courts in other states, including California, have made clear that employers do have a legal duty to protect their employees’ personal information. These courts have also made clear that the liability for a data breach differs when an employer has legally compliant, written policies for safeguarding private information and responding to data breaches in a timely manner.
By way of example, last year, a California federal court considered a class action over a data breach that resulted in the theft of all former and current employees’ W-2 statements, which included salary, benefit information, names and social security numbers of the employees and spouses. This information was used to file fraudulent tax returns. The Court held that the employer owed a legal duty to its former and current employees, as well as their spouses and dependents, to protect their personal information. It also found that the employer had breached this duty by allegedly failing to reasonably safeguard the employees’ personal information. The Court further ruled that a cognizable, non-speculative harm had been alleged; among other things, the Court cited the economic damage resulting from the filing of false returns and the out-of-pocket expenses of paying for identity theft protection.
The takeaway for California employers, as well as employers in other states who make the protection of personally identifiable information a priority like Massachusetts and New York, is to adhere to the following principles:
- Employers likely have a duty to take reasonable measures to safeguard their employees’ personal information. Such measures likely include (but are not limited to) ensuring the appropriate use of encryption, establishing adequate firewalls, implementing adequate authentication protocols for accessing computer systems and training employees on how to protect against data breaches (e.g., how not fall victim to phishing attacks).
- Employers also have a duty to advise employees in a timely and legally compliant manner about data breaches.
- To mitigate potential liability, employers should memorialize and train employees on the safeguards that are implemented. Employers should also memorialize a data breach response plan.
- Employers should review their employee handbooks and consider language that might limit their potential contractual liability for data breaches.
In sum, taking preventative measures now – whether to protect employees’ information or your customers’ information – can go a long way to remediating the situation when your computer systems are hacked and personal information is taken.