Does an Employer Have a Duty to Protect the Personal Information of Its Employees?

Consider the following scenario.

An employer discovers that an employee who worked in its information technology department had been stealing older laptop computers. Some of those computers had been used in the employer’s human resources department and contained former employees’ personal information (including Social Security numbers and drivers’ license numbers), which the company collected on each employee at the time of hire.

The employer attempts to recover the stolen computers and informs its employees of the data breach. Some time later, however, an employee learns that several of his accounts with online retailers were compromised and used to make unauthorized purchases.

He sues his employer for, among other claims, breach of contract (based on the company’s data security policy in its employee handbook) and negligence. Who wins?

These are the facts the 3rd Circuit Court of Appeals recently considered in Enslin v. Coca-Cola Co. In opinion drafted by twice-SCOTUS bridesmaid Thomas Hardiman, the court found for the employer. It concluded that the employee could not prevail because he could not establish that the employer caused his damages. The harm flowed “from the compromise of his retail accounts rather than directly from … [the] theft of his personal information,” and the employee presented “no evidence from which a reasonable jury could conclude that his accounts were compromised because information was gleaned from the stolen laptops.”

Similar to Enslin is Dittman v. UPMC d/b/a the University of Pittsburgh Medical Center, in which a Pennsylvania appellate court held that an employer “did not owe a duty of reasonable care in its collection and storage of the employees’ information and data.” The court found it “unnecessary to require employers to incur potentially significant costs to increase security measures when there is no true way to prevent data breaches altogether.”

Do not, however, allow these cases to lull you, as an employer, into a false sense of immunity from claims by employees following data breaches. Indeed, several other courts that have examined this issues have reached the opposite result.

• • Sackin v. TransPerfect Global, Inc. (S.D.N.Y. 10/4/17): “Employees ordinarily have no means to protect that information in the hands of the employer, nor is withholding their PII a realistic option. The employer is best positioned to avoid the harm in question. Employees — much more than employers — suffer the harmful consequences of a data breach of the employer. Potential liability in the absence of reasonable care provides employers with an economic incentive to act reasonably in protecting employee PII from the threat of cyberattack.” 
  • Hapka v. CareCentrix, Inc. (D. Kan. 12/19/16): Employer “owed a [common law] duty to Plaintiff and the Class to exercise reasonable care in obtaining, securing, safeguarding, deleting, and protecting Plaintiff and Class members’ personal and tax information within its control from being compromised, lost, stolen, accessed, and misused by unauthorized persons.”

Regardless of whether you, as an employer, have a legal duty to protect the personal information and data of your employees, you still have a significant financial and reputational incentive to take reasonable steps to maintain the privacy and security of the information.

What should you be doing?

1. 1. Implementing reasonable security measures, which includes encryption, firewalls, secure and updated passwords, and employee training on how to protect against data breaches (such as how not fall victim to phishing attacks).
   2. If (or more accurately when) you suffer a data breach, timely advising employees of the breach as required by all applicable state laws.
   3. Training employees on appropriate data security.
   4. Drafting policies that explain the scope of your duty as an organization to protect employee data.
   5. Maintaining an updated data breach response plan.

Remember, data breaches are not an if issue, but a when issue. Once you understand the fact that you will suffer a breach, you should also understand the importance of making the issue of data security a priority in your organization. The average cost to a company of a data breach in 2018 is $3.9 million (and increasing annually). While I don’t work in the business of guarantees, I can guarantee that any expenses you incur to mitigate potential cost of a data breach is money well spent.