What is Employer Liability?
Employer liability is the legal responsibility of an organization to adhere to laws and regulations. Employer liability has typically applied to issues like wages, payroll taxes, harassment and discrimination.
For example, employees may sue their employer if the organization fosters an unsafe or hostile work environment. The company would have to pay damages if the court rules in favor of the employees.
What is Employer Liability For Cybersecurity?
When it comes to cybersecurity, employer liability obligates an organization to protect the Personally Identifiable Information (PII) of employees. What PII is, exactly, varies from one jurisdiction to another. It is generally helpful to think of employee PII as data the HR and accounting teams manage.
Common types of employee PII include:
- Social Security Numbers (SSNs)
- Driver’s licenses
- Passports
- Taxpayer Identification Numbers (TINs)
- Home addresses
- Personal financial information (like salary or equity), bank accounts and credit/debit cards
- Medical records
- Email addresses and phone numbers
Growing arena of employer liability
Much of what qualifies as employee PII is the same as customer PII. Until recently, many of the lawsuits brought against organizations after a data breach centered on the disclosure of customer data.
However, class-action lawsuits alleging employers were negligent, breached a contract or engaged in unfair business practices with their employees are gaining favor among courts, putting employers on the hook. Since the Pennsylvania Supreme Court ruled in November 2018 that employers have a common law duty to protect employee PII, courts at the federal, state and local levels have followed suit.
Importantly, it is the employer, not its third-party providers, that is liable when employee data is breached.
In a lawsuit brought by a former employee of a biopharmaceutical company, the United States Court of Appeals for the Third Circuit found a data breach only had to pose potential harm for an employer to be found liable. When the biopharma company’s payroll software leaked data in a breach, the employer was liable for the publication of employee data on the dark web, not the software company.
Privacy of employee data
Standard-bearing data privacy regulations, such as the California Consumer Privacy Act (CCPA) and the European Union’s General Data Protection Regulation (GDPR), also have provisions requiring employers to protect the privacy of employee data as stringently as customer data.
Under GDPR, organizations must gain voluntary and clear consent to collect, store and use employee data. They must outline how HR data will be used, for instance.
What Does Employer Liability Look Like After a Cyber Attack?
CommonSpirit Health, one of the largest healthcare systems in the United States, suffered a ransomware attack in October 2022 impacting more than 623,000 individuals. The hospital chain shut down the affected system to stave off further damage to its IT environment, including its electronic timekeeping and payroll system. The company lost $150 million in revenue from the disruption.
After the company eventually restored service to its systems, nurses at some of the company’s sites in Oregon reported being underpaid in the pay periods following the attack. In an ongoing suit, the union representing employees at some of the chain’s sites in Oregon is seeking $1.5 million in damages for over 600 employees related to unpaid wages, late payment penalties and other damages.
While this suit seeks redress of unpaid wages, other employee suits have sought damages related to the heightened risk or occurrence of identity theft against employees whose data was breached in an attack.
Notable recent suits that have alleged employer liability after a cyber attack include:
- Five Guys — disclosure of job applicants’ Social Security numbers and driver’s licenses
- San Francisco 49ers — theft of employee names, birthdates and Social Security numbers
- Macmillan — ransomware attack resulted in the publishing of employee data on the dark web and identity theft