Seyfarth Synopsis: Hernandez v. Sprouts Farmers Market, Inc., a case stemming from a phishing scam, emphasizes the need for California employers to implement comprehensive data protection and data breach notification policies and practices for personal employee information under the CDPA.

A story of a company suffering a data breach tops newspaper headlines almost daily. So how can you stay out of the “fuego,” and stay compliant with California laws about your employees’ and customers’ data?

California’s Data Protection Act—“Army Of One”

In 2003 California passed the nation’s first data breach notification statute: the CDPA. Since then, over 30 states have enacted similar statutes, but California remains the national leader in privacy and data security standards.

The CDPA mandates that any business that “owns or licenses personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.” And it requires a company to notify affected individuals of a data breach “in the most expedient time possible and without unreasonable delay.”

The CDPA takes a very broad view of personal information, defining the term to include:

  • An individual’s signature,
  • A person’s physical characteristics or description,
  • Information collected through an automated license plate recognition system, and
  • An individual’s employment and employment history.

The CDPA also requires that if a company experiences a data breach and decides to offer “identity theft prevention and mitigation services” to affected persons, then it must provide these services to affected persons for at least 12 months and at no cost. Additionally, unlike many other state laws about data breaches, the CDPA requires a company affected by a data breach to submit a sample of the data breach notification letter to the California Attorney General.

“Vultures” Go Phishing At Sprouts

What’s Phishing? In a phishing scam, a fraudulent email message appears to be legitimate, and often directs one to a spoofed website in order to dupe the recipient into divulging private personal information. The perpetrators then use this information to commit identity theft.

In March 2016, a Sprouts employee received an email purportedly from a Sprouts senior executive, asking for the 2015 W-2 statements of all Sprouts employees (which contain social security numbers). In reality, the email was sent by a third-party and was a phishing scam.

When the Sprouts employee received the phishing email, the W-2 forms of thousands of current and former employees were compiled and sent to the third-party. Sprouts later realized the error and notified the affected individuals of the data breach.

Shortly afterwards, a former Sprouts employee filed a class action lawsuit against the company, alleging violations of the CDPA and the California Unfair Competition law. The suit alleges essentially that the employer should have had procedures and policies in place to protect employee information from a phishing attack because such attacks are commonplace in the information age. A First Amended Complaint was filed on May 25, 2016, and Sprouts has not yet filed its response.

Sprouts highlights that it is important for California employers to have a data protection and data breach notification plan. Such a plan is instrumental to head off attacks by hackers and bad actors seeking private employee data to commit identity theft.

“Anything But Me”—What’s An Employer To Do?

The California Attorney General has issued annual reports analyzing data breach notices and providing recommendations to companies and employers for implementing data breach plans, including recommending that companies and employers:

  • Implement the Center for Internet Security’s Critical Security Controls as the “minimum level of information security” if they handle personal data.
    • The Attorney General has stated that“[t]he failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security.”
  • Implement “strong encryption” for personal information on laptops and other portable devices, and consider full encryption on desktop computers when not in use.
  • Encrypt digital personal information when moving or sending personal information out of their secure network.
  • Encourage individuals affected by a breach of Social Security numbers or driver’s license numbers to place a fraud alert on their credit files and make this option very prominent in their breach notices.
  • Make multi-factor authentication available on consumer-facing online accounts that contain sensitive personal information.
  • Provide training to employees and contractors on data security controls.
  • Improve the readability of breach notification letters.