Let’s explore this a little bit.
In one case, Enslin v. Coca-Cola, the employer discovered that an employee who worked in its information technology department had been stealing older laptop computers. Some of those computers had been used in the employer’s human resources department and contained former employees’ personal information (including social security numbers and drivers’ license numbers), which the company collected on each employee at the time of hire.
The employer attempted to recover the stolen computers and informed its employees of the data breach. Now, at some point, the plaintiff had learned that several of his accounts with online retailers were compromised and used to make unauthorized purchases.
He sued his employer for, among other claims, breach of contract (based on the company’s data security policy in its employee handbook) and negligence.
Well, the court found for the employer. It concluded that the employee could not prevail because he could not establish that the employer caused his damages. The harm flowed “from the compromise of his retail accounts rather than directly from the theft of his personal information,” and the employee presented “no evidence from which a reasonable jury could conclude that his accounts were compromised because information was gleaned from the stolen laptops.”
In another case similar to this one, an appellate court held that an employer “did not owe a duty of reasonable care in its collection and storage of the employees’ information and data.” The court found it “unnecessary to require employers to incur potentially significant costs to increase security measures when there is no true way to prevent data breaches altogether.”
Do not, however, allow these cases to lull you, as an employer, into a false sense of immunity from claims by employees following data breaches. Indeed, several other courts that have examined this issue have reached the opposite result.
So, keep in mind, regardless of whether you, as an employer, have a “legal duty” to protect the personal information and data of your employees, you still have a significant financial and reputational incentive to take reasonable steps to maintain the privacy and security of the information.
Here are some common-sense suggestions.
- Talk to your IT person and implement some safeguards, including encryption, firewalls, secure and updated passwords, and employee training on how to protect against data breaches.
- If you suffer a data breach, advise employees of the breach in a timely manner, as required by all applicable state laws.
- Train your staff on appropriate data security.
- Draft a policy (if you do not have one) that explains the scope of your duty as an organization to protect employee data.
- Maintain an updated data breach response plan.
Remember, in today’s climate of cyber attacks, data breaches are not an if issue, but a when issue. Once you understand the fact that you will suffer a breach, you should also understand the importance of making the issue of data security a priority in your organization. The cost of data breaches is significant. Get ahead of the curve.