[BreachExchange] Employer Liability for Data Breaches: Where Are We Now?

Audrey McNeil audrey at riskbasedsecurity.com
Tue Apr 11 19:47:16 EDT 2017


http://www.jdsupra.com/legalnews/employer-liability-for-data-breaches-66513/

When a data breach places employees’ information at risk, is the employer
liable? We’ve continued to track legal actions against employers based on
data breaches, but we still don’t have clear guidance from the courts.

We do know that any business or organization has certain obligations when a
data breach occurs. Forty-seven states and the District of Columbia require
private or governmental entities to notify affected individuals of security
breaches involving personally identifiable information. Employers need to
understand the requirements of the jurisdictions in which they do business,
and should have a plan in place to respond immediately if a breach occurs,
because there are significant statutory penalties for failure to comply
with data breach notification requirements.

Compliance with data breach notification laws is an essential start, but
does not necessarily protect an employer from liability for damage to
employees that may occur as a result of a data exposure. Individuals and
groups of employees have made claims based on the release of personally
identifiable information through data breaches. Those who do so, however,
can’t base their claims on speculation or the threat of future harm. Courts
are unwilling to allow lawsuits based on data breaches to proceed unless
the plaintiffs can show that they have suffered some concrete harm beyond
the compromise of personal data. In one case, a federal court in California
held that the use of employee data obtained in a breach to file fraudulent
tax returns, and the costs an employee incurs to pay for identity theft
protection, are sufficiently concrete to support a claim against an
employer.

This week, a Pennsylvania federal court weighed in, finding in favor of
Coca-Cola Co. in a former employee’s proposed class action for identity
theft. Several dozen laptops that contained employees’ personal
information were stolen from Coca-Cola, and a former employee subsequently
became the victim of fraud. He blamed the company for the release of his
information and claimed that Coca-Cola had explicitly or implicitly
promised to secure his personal data in its multiple policies relating to
information security. After reviewing the company’s policies, the court
disagreed, holding that Coca-Cola had no contractual obligation to secure
employees’ personal information. Although ultimately favorable to the
employer, the court’s holding indicated that Coca-Cola could be held liable
for breaching specific duties it assumed in its Code of Conduct and written
policies.

With the Coca-Cola decision in mind, and as we watch for additional
developments, employers can continue to manage their risk of legal
liability for data breaches that expose employees’ personal data. Here are
some tips:

- Exercise reasonable care in the management of personally identifiable
information about employees.
- Take cybersecurity seriously and take steps to minimize the risk of data
breaches.
- Review policies and codes of conduct related to the handling of data.
Make certain that they do not promise absolute protection or security of
employees’ data and that they are specific about what the employer will do
and what the employer expects employees to do.
- Respond swiftly to suspected data breaches and other events – like the
theft of computers – that could result in data breaches.
- When breaches occur, or are suspected, consider affirmative steps, such
as paying for credit monitoring or identity theft protection, to address
employees’ fears.