Which of the personal information of an employee need not be protected?

Employees trust their employers with a whole bunch of personal information. Social security numbers, medical documents, insurance records, birth dates, criminal records, credit reports, family information, etc. And it’s not like employees have a choice over whether to disclose and entrust this information to their employer. These documents are all necessary if employees want to get hired, get paid, and obtain health insurance and other benefits. Thus, an employer’s personnel records are a treasure trove of PII [personally identifiable information — any data that could potentially identify a specific individual, which can be used to distinguish one person from another and to de-anonymize otherwise anonymous data].

For this reason, cyber-criminals target myriad businesses in an attempt to steal [and then sell on the dark web] this data.


If a company is hacked, and employees’ PII or other data is stolen, is their employer liable to its employees for any damages caused by the data breach?

I’ve covered this issue twice before [here and here], with different courts reaching opposite results [albeit the majority of them concluding that an employer can be held liable].

In AFGE v. OPM [In re United States OPM Data Sec. Breach Litig.], the D.C. Circuit Court of Appeals recently addressed a similar issue, and concluded that employee-victims have standing to sue their employer following a data breach from which their personal information and data is stolen. A “substantial risk of future identity theft” is sufficient harm to give rise to a lawsuit, and “their claimed data breach-related injuries are fairly traceable to [their employer’s] failure to secure its information systems.”

All of these cases are legally interesting, and, I submit, largely practically insignificant. Regardless of whether you, as an employer, have a legal duty to protect the personal information and data of your employees, you still have a significant financial and reputational incentive to take reasonable steps to maintain the privacy and security of the information.

Moreover, as data breaches continue to increase in quantity and quality, courts and legislatures will look for ways to shift the cost of harm to those who can both better afford it and better take measures to hedge against them. Thus, I predict that in five years or less we will have a legal consensus on liability.

The question, then, for you and your business to answer is what are you going to do about it now? The time to get your business’s cyber-house in order is now [actually, it was years ago, but let’s go with now if you’re late to the game]. Don’t wait for a court to hold you liable to your employees [and others?] after a data breach.

Thus, what should you be doing?

  1. Implementing reasonable security measures, which include encryption, firewalls, secure and updated passwords, and employee training on how to protect against data breaches [such as how not to fall victim to phishing attacks].
  2. If [or more accurately when] you suffer a data breach, timely advising employees of the breach as required by all applicable state laws.
  3. Training employees on appropriate data security.
  4. Drafting policies that explain the scope of your duty as an organization to protect employee data.
  5. Maintaining an updated data breach response plan.

Remember, data breaches are not an if issue, but a when issue. Once you understand the fact that you will suffer a breach, you should also understand the importance of making the issue of data security a priority in your organization. The average cost to a company of a data breach in 2018 is $3.9 million [and increasing annually]. While I generally don’t work in the business of guarantees, I will guarantee that any expenses you incur to mitigate the potential cost of a data breach are money well spent.

Employees' right to privacy in the workplace encompasses an employee’s personal information and activities at work. Companies in the private sector, not working on a government contract, do have some legal obligations to their employees, but often company policy will dictate many of an employee’s privacy rights.

Personal Information

The law only protects personal information held by government agencies, not private companies. It is up to private employers to act in good faith with an employee’s information. Only a court can require the release of personal information. To ensure sensitive information is safe, the Texas Workforce Commission recommends following a few rules.

Regard all personal information about an employee’s personal characteristics, family and friends as private and confidential. Release information on employees only to those needing it for legitimate or legal reasons. Investigate all inquiries for information, keep records and use consent for release forms. Securely store sensitive documents and shred old documents. Do not mail anything with a Social Security Number, except allowed government forms outlined in Texas state law.

Job References

The law does not protect a private company’s employee information from being disclosed to a prospective employer. However, sharing employee information with third parties is not good practice [think: Social Security Number, date of birth, pay level, work schedule or full name].

According to the Texas Workforce Commission, it is good policy to research and document who is requesting information and why. Also have an employee in human resources handle the inquiry. It may also be advisable to get a written authorization from the employee before releasing any information.

Electronic Monitoring

A private company is allowed to monitor the phone, computer and email use of its employees. It is advisable that all monitoring policies be well defined, documented and given written acknowledgement by employees. If computer and email monitoring policies exist, they should clearly state that employees have no expectation of privacy while on company property or when using company resources.

Camera Monitoring

Video/camera monitoring of employees has laws that vary from state to state. New Hampshire, Maine, Delaware, Kansas and South Dakota, for example, all require notice to be given to employees if they are being recorded at all, according to Mobile Video Guard. Meanwhile in Florida, Alabama and Tennessee, hidden video surveillance can only occur legally in public places. But you must be in line with the definition of public places in your jurisdiction, as well. It is important to check the laws of your state with the state itself.

Drug And Alcohol Testing

Drug and alcohol testing is permitted within private companies, although drug testing records cannot legally be released. The policies regarding how, why and when employees are tested are not enforced by law, but a company should have a clear and known drug policy to avoid legal action.

Personal Searches

A private company can have a policy that allows it to search an employee, an employee’s workspace or an employee’s property, including a car, if it is on company property. That said, a personal search may lead to a variety of legal actions against an employer. Bodily searches are especially risky legally and should never be conducted with force. The Texas Workforce Commission recommends employers proceed with extreme caution when authorizing or conducting personal searches.

Invasion of privacy in the workplace can lead to a plethora of negative consequences, including a hostile, unproductive work environment or even a big lawsuit. To avoid these consequences, respect your employees and stay up-to-date with laws and regulations in your state and municipality.

Which of the following personal information of the employee need not be protected?

A policy should clearly stipulate situations in which an employee should not assume their data and communications are private. Phone calls, texts, emails and social media communications that are transmitted on corporate-owned equipment, for example, are not legally protected.

Which of the following is personal information?

An individual's name, signature, address, phone number or date of birth; sensitive information; credit information; employee record information.

Which of the following regarding privacy is true?

Privacy is about giving employees complete control on what information about them may be collected by the company, even though such information may be required contractually.
