Employers Can Be Liable for Not Protecting Employees’ Personally Identifiable Information
Feb 10, 2023 | Written by: Sharon M. Flynn, Esq.
Employers are entrusted with a substantial amount of personally identifiable information (PII) on their employees, such as birth dates, Social Security numbers, banking information, tax information, driver’s license numbers, and other information that hackers find quite valuable. While there are numerous New Jersey employment laws that address the privacy rights of employees by limiting an employer’s access to certain information, an employer’s legal duty to protect employees’ PII from data breaches is less defined. Employers in certain industries, such as healthcare, have specific legal duties to protect PII. A case recently before the Third Circuit has arguably extended such duties to other employers as well.
In Clemens v. ExecuPharm Inc., the plaintiff, a former employee of the defendant, was required to provide sensitive PII to her employer as a condition of employment. The plaintiff’s employment agreement stated that the defendant employer would “take appropriate measures to protect the confidentiality and security” of this information. After the plaintiff’s employment ended, a hacking group accessed the defendant’s servers and obtained PII belonging to current and former employees, including the plaintiff. The hacker threatened to publish the information on the dark web if the employer did not pay it a ransom. The defendant employer refused to pay the ransom, and the hacker followed through on its threat and published the PII on the dark web.
The defendant promptly notified the plaintiff of the breach. The plaintiff thereafter filed suit for negligence, breach of implied contract, breach of fiduciary duty, and breach of confidence. She filed her case in federal court under the Class Action Fairness Act. The district court dismissed the lawsuit, ruling that the plaintiff had no standing to bring the cause of action because she had not shown sufficient harm, noting that a plaintiff must show an injury-in-fact or a risk of imminent harm to have standing to sue. The court held that an “increased risk of identity theft resulting from a security breach,” was not enough. The court stated that the plaintiff failed to allege that she had experienced any actual identity theft or fraud.
A unanimous panel of the Third Circuit reversed and vacated the ruling. It held that the risk of harm (i.e., the risk of identity theft or fraud) was imminent, especially given the fact that the hacking group had already published the plaintiff’s PII. The majority also noted that the combination of stolen financial and personal information was “particularly concerning as it could be used to perpetrate both identity theft and fraud.” Thus, the Third Circuit is permitting the class action to proceed in the District Court.
This case illustrates how important it is for employers to go to great lengths to safeguard their employees’ PII. If an employer fails to do so, it may be liable to the employee (or former employee) if this information is leaked, even if the employee has not yet been the subject of identity theft or fraud. The mere threat that the employee’s identity could be stolen is sufficient to give the employee standing to sue.
If you would like to discuss this issue with one of our employment law attorneys, please feel free to contact our office.
Sharon M. Flynn, Esq. is a partner with Gebhardt & Kiefer, PC, and practices primarily in the areas of general litigation, employment law, and insurance defense.
If you have a suggestion for a future blog topic, please feel free to submit it via the Contact Us form.
Any statements made herein are solely for informational purposes and should not be relied upon or construed as legal advice.