Commentary & Opinion
By Jon Hyman
Jun. 27, 2019
Employees trust their employers with a whole bunch of personal information. Social security numbers, medical documents, insurance records, birth dates, criminal records, credit reports, family information, etc. And it’s not like employees have a choice over whether to disclose and entrust this information to their employer. These documents are all necessary if employees want to get hired, get paid, and obtain health insurance and other benefits. Thus, an employer’s personnel records are a treasure trove of PII (personally identifiable information — any data that could potentially identify a specific individual, which can be used to distinguish one person from another and to de-anonymize otherwise anonymous data).
For this reason, cyber-criminals target myriad businesses in an attempt to steal (and then sell on the dark web) this data.
If a company is hacked, and employees’ PII or other data is stolen, is their employer liable to its employees for any damages caused by the data breach?
In AFGE v. OPM (In re United States OPM Data Sec. Breach Litig.), the D.C. Circuit Court of Appeals recently addressed a similar issue, and concluded that employee-victims have standing to sue their employer following a data breach in which their personal information and data are stolen. A “substantial risk of future identity theft” is sufficient harm to give rise to a lawsuit, and “their claimed data breach-related injuries are fairly traceable to [their employer’s] failure to secure its information systems.”
All of these cases are legally interesting, and, I submit, largely practically insignificant. Regardless of whether you, as an employer, have a legal duty to protect the personal information and data of your employees, you still have a significant financial and reputational incentive to take reasonable steps to maintain the privacy and security of the information.
Moreover, as data breaches continue to increase in quantity and quality, courts and legislatures will look for ways to shift the cost of harm to those who can both better afford it and better take measures to hedge against them. Thus, I predict that in five years or less we will have a legal consensus on liability.
The question, then, for you and your business to answer is what are you going to do about it now? The time to get your business’s cyber-house in order is now (actually, it was years ago, but let’s go with now if you’re late to the game). Don’t wait for a court to hold you liable to your employees (and others?) after a data breach.
Thus, what should you be doing?
Remember, data breaches are not an if issue, but a when issue. Once you understand the fact that you will suffer a breach, you should also understand the importance of making the issue of data security a priority in your organization. The average cost to a company of a data breach in 2018 is $3.9 million (and increasing annually). While I generally don’t work in the business of guarantees, I will guarantee that any expense you incur to mitigate the potential cost of a data breach is money well spent.