Data Breaches: An Employer’s Duty to Protect Employees’ Personal Information

By Aaron Wais

It is tax season, which means that criminals are busy trying to steal people’s tax information (e.g., names, addresses, social security numbers, income information), which they can use to file fraudulent tax returns and steal tax refunds.

As an employer, you likely maintain your employees’ tax information and, thus, are a target. Indeed, criminals regularly target employers, either hacking their databases or posing as company executives and sending a phishing email that asks for all employees’ W-2s for accounting purposes.

As such, it is important to understand your duty to protect your employees’ personal information, as well as your potential liability for failing to do so. Most states, including California, make clear that employers have a legal duty to protect their employees’ personal information. Courts in these states also make clear that whether an employer has legally compliant, written policies for protecting private information and responding to data breaches will heavily inform whether, and to what extent, the employer is liable for a data breach.

For example, last year, a California federal court considered a class action over a data breach resulting in the theft of all former and current employees’ W-2 statements, which included salary, benefit information, names and social security numbers of the employees and spouses. The court held that the employer owed a legal duty to its former and current employees, as well as their spouses and dependents, to protect their personal information. It also found that the employer had breached this duty by allegedly failing to reasonably safeguard the employees’ personal information. The court further ruled that a non-speculative harm had been alleged; among other things, the court cited the economic damage resulting from the filing of false returns and the out-of-pocket expenses of paying for identity theft protection.

The takeaway for employers is to know their legal duties to safeguard their employees’ personal information and to advise employees in a timely and legally compliant manner about data breaches.  In addition, employers should:

  • Assess what information they possess and the safeguards in place.
  • Establish and memorialize legally compliant reasonable measures to safeguard their employees’ personal information (e.g., appropriate use of encryption, establishing adequate firewalls, and implementing adequate authentication protocols).
  • Establish and memorialize legally compliant policies and procedures for responding to a data breach.
  • Train employees on the safeguards that are implemented.
  • Review their employee handbooks and consider language that might limit their potential contractual liability for data breaches.
