Are you confident — “defending-a-class-action-lawsuit” confident — that you’re protecting electronic employee data?

It’s Cyber Monday. And, since you could’ve rested your deal-finding, typing fingers anywhere, I appreciate that you’re resting them with me before rejoining the masses for some holiday shopping online.

Unfortunately, if you came here looking for links to big savings, I can’t help you. But, what I can do for you on this Cyber Monday is offer your business some different cyber tips. It’s the type of information that could save you thousands, or even millions of dollars if your business stores employee data electronically.

Tip #1: Electronically-stored employee information is a treasure trove for hackers.

A few years ago, the employees of a Pennsylvania business filed a class action against their employer.

Usually, when I hear “employee class action,” I think something wage-related. But, not this one.

These employees claimed that their employer:

  1. forced them to provide specific sensitive personal and financial information as a condition of employment, which
  2. the company agreed to safeguard electronically, but
  3. didn’t do so, and
  4. there was a data breach.

The employees alleged that names, birth dates, social security numbers, addresses, tax forms, and bank account information of all 62,000 employees and former employees were accessed and stolen from the company’s computer systems.

Rut roh!

Tip #2: You may have a duty to protect employee information from criminals.

(Now, remember. What I’m sharing with you here are just allegations in a complaint. There are two sides to this story. We just don’t know the other side yet…)

According to the complaint, the hackers tapped into the employer’s internet-accessible computer system because the company did not use adequate security measures, including proper encryption, adequate firewalls, and an appropriate authentication protocol. Consequently, the employees are accusing the business of common-law negligence.

Negligence?!?

Surely, an employer cannot be responsible for the criminal conduct of outside hackers. Indeed, the employer argued that it is not in the business of providing data security, was not retained to ensure data security, was not otherwise tasked with providing data security, and never pursued such an undertaking.

Not so, claimed the employees. They contended that, in collecting and storing the sensitive personal and financial information it required employees to provide, the company owed them each a duty to exercise reasonable care under the circumstances, which includes using reasonable measures to protect the information from the foreseeable risk of a data breach.

And, last week, a unanimous Pennsylvania Supreme Court agreed with the employees’ negligence theory.

It concluded that “an employer has a legal duty to exercise reasonable care to safeguard its employees’ sensitive personal information stored by the employer on an internet accessible computer system.”

And why might the company be responsible for criminal hacking? Here’s what the Justices had to say:

“Employees allege that…their employer undertook the collection and storage of their requested sensitive personal data without implementing adequate security measures to protect against data breaches, including encrypting data properly, establishing adequate firewalls, and implementing adequate authentication protocol. The alleged conditions surrounding [the employer’s] data collection and storage are such that a cybercriminal might take advantage of the vulnerabilities in [the employer’s] computer system and steal Employees’ information; thus, the data breach was ‘within the scope of the risk created by’ [the employer]…Therefore, the criminal acts of third parties in executing the data breach do not alleviate [the employer] of its duty to protect Employees’ personal and financial information from that breach.”

Although two lower courts had previously sided with the employer, the PA Supreme Court reversed and remanded the case so that the employees could continue to pursue their class action, subject to whatever defenses the employer may present.

Tip #3: Mitigate cyber risk.

Now, your mileage may vary depending on where you do business. That is, the Pennsylvania Supreme Court’s ruling that companies have a common-law duty to protect their employees’ electronic data is limited to Pennsylvania.

Notwithstanding, no matter where you conduct business, cybersecurity should be on your front burner.

Since I’m not an IT wonk, I can’t tell you which security measures are the best. However, this is a law blog. So, I can offer you some other best practices. And, to facilitate, I’m going to brag about one of my cyber-risk colleagues and explain some of what he does for clients to mitigate the risk of exposing electronic employee data to hackers and having to defend one of these nasty class actions.

He helps clients by:

  • drafting incident response planning documents,
  • hosting mock-breach “tabletop” presentations to clients,
  • opining on privacy and data and information security company policies,
  • analyzing insurance policies to ensure that you’re sufficiently covered in the event of a data breach, and
  • reviewing technology vendor/provider contract agreements and scope documents.

Additionally, if there is a data breach, a good cyber lawyer can network with quality breach response vendors (IT, forensics, e-discovery, public relations, breach notification, and others) and coordinate them in data breach response efforts.

Or, you can do nothing, clutch your pearls, maybe suffer a big data breach, and defend a class action lawsuit.

It’s up to you. But, IMHO, having some help from a good cyber lawyer makes sense.


“Doing What’s Right – Not Just What’s Legal”