Commentary & Opinion

Do Employers Have a Duty to Protect Employees’ Personal Information?

By Jon Hyman

Jun. 27, 2019

Employees trust their employers with a whole bunch of personal information. Social security numbers, medical documents, insurance records, birth dates, criminal records, credit reports, family information, etc. And it’s not like employees have a choice over whether to disclose and entrust this information to their employer. These documents are all necessary if employees want to get hired, get paid, and obtain health insurance and other benefits. Thus, an employer’s personnel records are a treasure trove of PII (personally identifiable information — any data that could potentially identify a specific individual, which can be used to distinguish one person from another and to de-anonymize otherwise anonymous data).

For this reason, cyber-criminals target myriad businesses in an attempt to steal (and then sell on the dark web) this data.


If a company is hacked, and employees’ PII or other data is stolen, is their employer liable to its employees for any damages caused by the data breach?

I’ve covered this issue twice before (here and here), with different courts reaching opposite results (albeit the majority of them concluding that an employer can be held liable).

In AFGE v. OPM (In re United States OPM Data Sec. Breach Litig.), the D.C. Circuit Court of Appeals recently addressed a similar issue, and concluded that employee-victims have standing to sue their employer following a data breach in which their personal information and data are stolen. A “substantial risk of future identity theft” is sufficient harm to give rise to a lawsuit, and “their claimed data breach-related injuries are fairly traceable to [their employer’s] failure to secure its information systems.”

All of these cases are legally interesting, and, I submit, largely practically insignificant. Regardless of whether you, as an employer, have a legal duty to protect the personal information and data of your employees, you still have a significant financial and reputational incentive to take reasonable steps to maintain the privacy and security of the information.

Moreover, as data breaches continue to increase in quantity and quality, courts and legislatures will look for ways to shift the cost of harm to those who can both better afford it and better take measures to hedge against them. Thus, I predict that in five years or less we will have a legal consensus on liability.

The question, then, for you and your business to answer is what are you going to do about it now? The time to get your business’s cyber-house in order is now (actually, it was years ago, but let’s go with now if you’re late to the game). Don’t wait for a court to hold you liable to your employees (and others?) after a data breach.

Thus, what should you be doing?

  1. Implementing reasonable security measures, which includes encryption, firewalls, secure and updated passwords, and employee training on how to protect against data breaches (such as how not to fall victim to phishing attacks).
  2. If (or more accurately when) you suffer a data breach, timely advising employees of the breach as required by all applicable state laws.
  3. Training employees on appropriate data security.
  4. Drafting policies that explain the scope of your duty as an organization to protect employee data.
  5. Maintaining an updated data breach response plan.

Remember, data breaches are not an if issue, but a when issue. Once you understand the fact that you will suffer a breach, you should also understand the importance of making the issue of data security a priority in your organization. The average cost to a company of a data breach in 2018 is $3.9 million (and increasing annually). While I generally don’t work in the business of guarantees, I will guarantee that any expenses you incur to mitigate the potential cost of a data breach are money well spent.


Jon Hyman is a partner in the Employment & Labor practice at Wickens Herzer Panza. Contact Hyman at

