A steady stream of high-profile and embarrassing data breaches has left many organizations scrambling to protect the information of outsiders: customers, patients, and website visitors. Regulations like the GDPR and state laws like California’s Consumer Privacy Act (CCPA) are forcing the issue, pushing businesses of all sizes to take the steps necessary to protect consumer information. Yet far too often, these same businesses overlook the most obvious informational asset in their possession: the personally identifiable information (PII) of their own employees.
Breach of Employee Information
A company’s failure to protect employee PII is becoming an increasingly serious area of corporate exposure. In November of last year, retail giant Nordstrom, with more than seventy thousand workers, revealed a breach involving employee information. The exposed personal data included names, Social Security numbers, dates of birth, salaries, and even checking account and routing numbers. In similar fashion, software company Citrix suffered a breach in which attackers had intermittent access to its internal network for nearly five months. The company only became aware of the intrusion after receiving a heads-up from the FBI. The breach prompted the company to notify past and present employees that the attackers had removed files from Citrix systems containing sensitive information.
“[C]yber criminals had intermittent access to our network between October 13, 2018, and March 8, 2019, and that they removed files from our systems, which may have included files containing information about our current and former employees and, in limited cases, information about beneficiaries and/or dependents.”
– Citrix Breach Notification
Citrix now faces a class action lawsuit from an ex-employee. The lawsuit is just one of a few in the last two years — all cases that continue to shape the law concerning employer liability over the loss of employee information.
Employer’s Legal Duty to Safeguard Personal Information
Just last year, the Pennsylvania Supreme Court ruled in a landmark case that employers have a “legal duty to safeguard” the personal information of their employees.[1] This responsibility arises out of common law duties, meaning that it comes from the decisions made in court cases (i.e., case law) rather than from a statute. In the Pennsylvania case, the Court held that the employer had a duty to exercise reasonable care and to use reasonable measures to protect employee information from the risk of a data breach. Federal courts around the country have reached similar conclusions:
- “The employer is best positioned to avoid the harm in question [a data breach].”[2]
- “The court agrees with Plaintiff that requiring identification of a statutory duty is unnecessary . . . [and therefore] defendant had the duty to exercise reasonable care to prevent that harm [of a data breach].”[3]
This duty to protect employee information sometimes goes beyond the common law and is written into specific state information security statutes. In California, the law requires businesses to “implement and maintain reasonable security procedures and practices.”[4] According to past reports issued by the California Attorney General, “reasonable” security measures mean implementing the Center for Internet Security’s Critical Security Controls, deploying multi-factor authentication, and encrypting personal information. Massachusetts law directs businesses to maintain a comprehensive written information security program appropriate to “the need for security and confidentiality of both consumer and employee information.”[5] That program must include specific technical safeguards, such as reasonably up-to-date firewall protection and anti-virus software.[6]
A violation of these state laws can be costly. In addition to the threat of private lawsuits, state attorneys general are wasting no time in initiating multi-state investigations, lawsuits, and settlements.
A prudent approach to cybersecurity starts from within. You’ve heard the phrase “take care of your own before you take care of others.” By the same token, a company has no business claiming to have secured its customers’ information until it has first secured its employees’.
Have any questions about how best to protect your employees’ information? Contact me today.
[1] Dittman v. UPMC, 196 A.3d 1036 (Pa. 2018).
[2] Sackin v. Transperfect Global, Inc., 278 F. Supp. 3d 739, 748 (S.D.N.Y. 2017).
[3] Hapka v. CareCentrix, Inc., No. 16-2372-CM, 2016 U.S. Dist. LEXIS 175346, at *13 (D. Kan. Dec. 19, 2016).
[4] Cal. Civ. Code § 1798.81.5(b).
[5] Massachusetts 201 CMR 17.00 et seq.
[6] Massachusetts 201 CMR 17.04(6)–(7).