July 29, 2015

Can employees sue employers for data breach incidents?

Posted in Corporate Litigation, Employment Law by Gene Killian |

Years ago, we tried an employment case in which we used several blowups on poster board as demonstrative aids. (How quaint!)  One of the blowups was an employment record of the plaintiff that showed her social security number and other personal information. When the trial was over and justice was done (we appealed), one of our staff members absentmindedly threw some of the blowups into a dumpster behind our office. Shortly thereafter, a friend alerted me to the fact that the plaintiff’s social security number, driver’s license number, and other private information were on display in the dumpster for all to see.  We fortunately were able quickly to remedy the situation, and no harm was done.

I tell this story for a reason. Many of the data breach cases we see don’t involve sophisticated hackers from China or Uzbekistan; instead, they involve stupidity and “brain freezes” – lost flash drives, laptops stolen from unlocked cars, and confidential documents falling out of the back of vans, to name a few examples. Just as pilot error causes most plane crashes, human error allows many data breaches.  And human errors are endless.

The University of Pittsburgh Medical Center, for example, has been a target of numerous hacking incidents in the past few years, one of which happened when a file containing confidential patient information was mistakenly sent to the wrong e-mail address.  And in 2014, in another incident, UPMC revealed that it had been the target of a massive data breach, in which the personal records of all 62,000 of its employees (including social security numbers and bank account information) had been compromised.  Over 800 UPMC employees got ripped off when the hackers filed bogus tax returns.  You can read about the details of the incident by clicking here

Targeting healthcare organizations isn’t unusual for hackers.  91% of healthcare organizations have been the victim of at least one data breach. That’s because cyber-criminals are aware of two things: (1) healthcare organizations manage a huge amount of potentially lucrative personal information; and (2) like most companies, healthcare organizations don’t have the resources, processes, and technologies necessary to prevent and detect attacks and to protect data adequately.

This being America, a plaintiffs’ firm filed a class action complaint against UPMC in Pennsylvania state court as a result of the massive breach. The main issue was whether employees could sue their employer for negligently allowing the employees’ personal information to be hacked.  The Court answered no, finding that the Pennsylvania legislature had considered the question of data breach, and had concluded that the only obligation of companies victimized by data breaches is to notify those affected. The Court also noted that the only losses allegedly suffered by the vast majority of the UPMC employees were “economic losses.” According to the Court: “Under the economic loss doctrine, no cause of action exists for negligence that results solely in economic losses unaccompanied by physical injury or property damage.”

The Court also dismissed the plaintiffs’ claim for breach of implied contract. The plaintiffs had argued that as part of their employment agreement, in exchange for the employees providing confidential information, UPMC had undertaken an implied obligation to keep such information safe. The Court disagreed, writing: “I am dismissing [the contract claim] because there are no factual allegations supporting a finding of an agreement between the parties under which UPMC agreed to be liable to its employees for criminal acts of third parties.”

Like Pennsylvania, New Jersey has a statute establishing the obligations of companies following a data breach. The provisions are contained in a section of the New Jersey Consumer Fraud Act, and appear at N.J.S.A. §56:8-161.  (Federal statutes such as HIPAA also contain notice requirements.)  And, like Pennsylvania companies, New Jersey companies are required to notify their customers and clients of security breaches compromising “personal information.” “Personal information” includes Social Security numbers, driver’s license numbers, and bank account numbers. Upon discovery of a breach, companies must first notify the State Police, and then must notify any customer who is a resident of New Jersey and whose “personal information was, or is reasonably believed to have been, accessed by an unauthorized person.” The statute does not refer to “employees,” but it defines “customer” as “an individual who provides personal information to a business.” That’s a pretty broad definition, and it’s not hard to imagine a plaintiff’s lawyer arguing that the definition, by its terms, includes employees, regardless of the “customer” label.

So what’s a company to do? First, if there’s a data breach affecting your employees, we recommend treating them as “customers” regardless of the absence of legal requirements to do so.  This means providing immediate notice to law enforcement and to the employees themselves so that they can protect themselves. That’s, in fact, what UPMC did in response to the breach. While UPMC’s response may not have prevented a class action complaint from being filed, it was the right thing to do, and, in the event of litigation, would help perch a “white hat” squarely on top of UPMC’s head. Second, get in touch with your insurance broker about obtaining (or renewing) cyberliability coverage. For many businesses (especially non-retail businesses and those not maintaining medical information), the coverage isn’t particularly expensive, and it can provide protection for the costs of notifying customers of a data breach, as well as for the cost of remedying the breach (among other things). The remedy can be quite expensive, since “fixing” breached records cost about $200 per record.

By the way, you can read the Pennsylvania state court decision by clicking here.