An important new decision from a federal appeals court says a former employee can proceed with claims against her old employer based on a data breach – even though the breach did not lead to identity theft or fraud against her.
“In an increasingly digitized world,” the court advised, “an employer’s duty to protect its employees’ sensitive information has significantly broadened.”
That admonition may understandably strike fear in the hearts of employers that have been less than diligent about safeguarding private employee information. It reflects a stark reality: It’s more important than ever to have robust safeguards in place to protect the confidentiality of personal information employers collect from their employees.
This case involves Jennifer Clemens, who used to work for ExecuPharm, Inc. ExecuPharm is a subsidiary of a global pharmaceutical company called Parexel International.
As a condition of employment ExecuPharm required Clemens to provide it with a variety of highly sensitive and personal information. This information included her Social Security number, bank and financial account numbers, insurance and tax information, and her passport.
In return, Clemens’ employment agreement said the company would “take appropriate measures to protect the confidentiality and security” of the information she gave it.
After Clemens left the company, a hacking group used a phishing attack to steal sensitive information relating to a number of its current and former employees – and Clemens was one of them.
The hacking group held the information for ransom before posting it to the Dark Web, making it available to others.
ExecuPharm provided periodic updates to affected individuals, and it also provided a year of credit-monitoring services.
No identity theft, but …
In addition, Clemens took other steps. She placed fraud alerts on her credit reports, and she transferred her money to a new bank. She also paid for additional credit-monitoring services for herself and her family. She also says the ordeal caused her to suffer emotional distress and incur related costs for therapy.
She sued ExecuPharm and Parexel, asserting negligence and breach of contract against them.
A lower court ruled against her, granting a defense motion to dismiss the suit. It said the suit could not go on because Clemens only alleged an increased risk of identity theft, which was not enough. Her risk of future harm was speculative, the lower court said, because she had not experienced actual identity theft or fraud. In legal terms, it explained, she did not have “standing” to proceed with the suit.
On appeal, the U.S. Court of Appeals for the Third Circuit (Delaware, New Jersey and Pennsylvania) disagreed and revived the suit.
To show “standing,” the appeals court explained, Clemens had to demonstrate that she suffered a concrete injury that was actual or imminent. She further had to show the employer caused the injury and that the requested relief would set things right.
No harm no foul? No way
Allegations of future injury are good enough, the court explained, if there is a substantial risk that the harm will occur. That is the case here, the court said. It said Clemens presently faces a substantial risk of identity theft or fraud because her personal information is on the Dark Web.
In addition, the harm Clemens alleges is sufficiently concrete, the court added. Her costs associated with mitigation efforts and therapy are concrete, it noted.
In addition, Clemens alleged facts showing her injury is traceable to the employer’s conduct, the reviewing court added. And her alleged injury can be made right by the court via a monetary award.
In essence, the court decided that Clemens – and others like her – cannot be forced to wait until they actually experience identity theft before they sue for a data breach. It is enough to show a substantial risk of further harm, it decided.
The case was sent back to the lower court for further proceedings.
The decision gives employees in similar cases potent ammunition to support the argument that in data breach cases, they should be able to recover damages even if the breach does not lead to identity theft. Essentially, it says that the problems caused by a significant breach alone are enough to support a claim for damages.
It is not the only federal appeals court ruling to reach a similar conclusion on this issue. At least one other federal appeals court has ruled that a substantial risk of future identity theft is sufficient to file suit.
Employers have not only legal but also reputational incentive to carefully safeguard the privacy of personal information collected from employees.
Questions to ask
Here are some questions to ask and answer with regard to the collection and maintenance of confidential employee information.
- Do we really need this information? Before collecting personal information from employees, carefully evaluate whether it is truly needed and how it will be used. In this case, the former employee alleges that the employer required her to provide a significant amount of varied and highly personal information, including even information relating to her child and husband.
- Have we properly trained employees relating to securing the personal data of collected information? In this day and age, cybersecurity threats are as real as ever. Proper training of all relevant employees is imperative. Some basics: Require strong passwords; instruct employees not to open email attachments from suspicious sources; and regularly back up all data
- Are adequate security measures in place? These include, for example, firewalls, secure passwords and encryption.
- Do we have a response plan ready to go? If the worst happens and a breach occurs, you need to act quickly to minimize the harm. It is not time to formulate a response from scratch. Instead, it is time to put a previously designed plan into action. This plan must include providing timely notice to all affected individuals.
- Do our written policies reflect a commitment to safeguard confidential information? A published confidentiality policy makes employees aware of your commitment to safeguard their private information and outlines the scope of your duties in this regard.
Clemens v ExecuPharm, Inc., No. 21-1506 (3d Cir. 9/2/22).