The National Labor Relations Board has recently inserted itself into the world of cybersecurity after the United States Postal Service suffered a security breach involving the personal data of several hundred thousand of its employees. CNN reported that about 750,000 employees were affected; the FBI is investigating.
This is an interesting development for municipal entities and others who employ Union workers because it is the first time the NLRB has ventured into the cybersecurity area. In an effort to remediate the problem, the USPS offered the affected employees one year of free credit-monitoring. But the NLRB characterized this offer as a unilateral change to wages, hours, and working conditions and took the position that the postal service could not make this offer without engaging in the collective bargaining process first. The NLRB complaint can be found here.
If this complaint grows legs, it will only add to the already long list of things an employer must deal with when trying to mitigate the damage of a cybersecurity breach. Now, in addition to the immediacy of the problem at hand, it must also negotiate with the Union representatives over any perceived change in their working conditions.
Companies who suffer cybersecurity breaches must respond quickly and effectively to alert the appropriate governmental authorities, the affected individuals, and the general public. A rapid response is required because of various state breach notification laws that require breach alerts to be sent promptly. Thus, a natural conflict arises between the expediency required and the NLRB’s demands that the employer talk to Union members before a resolution can be effectuated.