We all pretty much know the drill at this point. Organization announces data breach, sends out notices as required under state and/or federal law to those individuals that are affected, offers some kind of identity theft protection or credit monitoring service, awaits public criticism and backlash. The NLRB and the American Postal Workers Union (“AWPU”) apparently think that there should be an additional step when the data breach involves the personal information of employees who are covered by a collective bargaining agreement – bargaining over the effects of the data breach on, and the remedy to be provided to, the impacted employees.
The Regional Director for Region 5 of the NLRB in Baltimore, Maryland, filed a complaint against the Postal Service on March 31st alleging that the agency violated the NLRA by not bargaining with the union regarding certain information it requested when it was first notified of the data breach. Although the complaint made available to the press by the AWPU did not include the list of information it requested from the Postal Service, it presumably includes requests for information about the breach itself, whose information and what information was compromised, and the timeline between the breach and the notification. (The NLRB website does not yet include a copy of the complaint.) In addition, the complaint alleges that the Postal Service offered impacted employees one year of free credit monitoring and fraud insurance without first bargaining with the union about these benefits.
I understand and am not surprised that the union has taken this position since bargaining could lead to additional benefits for employees that are impacted by their employer’s data breach incident and I won’t be surprised if the NLRB ultimately agrees. The union’s position also, however, likely will lead to delays in getting their members the types of remedial measures they are going to want and need while the bargaining process is ongoing. Perhaps the unions’ time would be best spent working with their employer to make sure that their members’ personal information is adequately protected in the first place. They should probably also keep in mind that unions can be victimized by data breaches as well as employers.