If a cyber-attack at work creates imminent risk of identity theft or fraud, your employees can sue you!


Think of all the personal, sensitive information that an individual shares with you just to have the opportunity to earn a living as an employee of your company.

As part of onboarding, new employees provide their home address, social security number, bank and financial account numbers for direct deposit, insurance and tax information, a passport, and possibly information relating to a spouse and child for tax purposes.

I read a Third Circuit opinion last night about a giant biopharmaceutical company employee who provided this information shortly after she was hired. After leaving the company, she claims that a well-known hacking group accessed her former employer’s servers and stole her personal information (and the personal information of many other employees). The hackers eventually posted it on the Dark Web, an underground black market where individuals buy and sell this type of information.

So, she sued her employer for negligence, among other things. The theory was that the company had a duty to protect her private information, but it didn’t, and she suffered harm or imminent future harm.

The employer responded with a motion to dismiss, which the lower court granted. It reasoned that the plaintiff’s risk of future harm was too speculative since she did not allege that anyone had done anything nefarious with her personal information — apart from posting it on the Dark Web.

The Third Circuit Court of Appeals disagreed.

It concluded that the plaintiff’s injury was sufficiently imminent to give her standing to sue. For example, the plaintiff’s knowledge of the substantial identity theft risk caused her to spend money on mitigation measures like credit monitoring services. That, plus the emotional distress of being hacked, were enough to allege a concrete injury.

Yes, companies have a duty to safeguard not only private customer information but also sensitive employee data. Here’s more from the Third Circuit:

In an increasingly digitalized world, an employer’s duty to protect its employees’ sensitive information has significantly broadened. Information security is no longer a matter of keeping a small universe of sensitive, hard-copy paperwork under lock and key. Now, employers maintain massive datasets on digital networks. In order to protect the data, they must implement appropriate security measures and ensure that those measures continue to comply with ever-changing industry standards.

Failure to satisfy this duty could leave employer networks vulnerable to data breach, subjecting data breach victims to a unique kind of harm: the perpetual risk of identity theft or fraud, necessitating the investment of time and money to hopefully mitigate that risk. With rare exception, where multiple pieces of personally identifying information about a given consumer are stolen and then publicized, one can draw a reasonable inference that the victims of the data breach face an imminent risk of identity theft or fraud. 

I’m fortunate to work with a team of cyber-risk, privacy, and data security attorneys who know how to mitigate the risk of a hacking event and respond in the event of a data breach, where time is of the essence.

Now that Summer is over, I’m bringing back The Employer Handbook Zoom Happy Hour. Please email me if you’d like to have “cybersecurity and employment” as one of the topics.

“Doing What’s Right – Not Just What’s Legal”
Contact Information