As we’ve previously discussed, companies are often sued by their customers and business partners after a data breach. Another increasingly common source of data-breach litigation comes from within: companies’ own employees.
That’s because almost every business collects social security numbers, bank account information, and other sensitive personal information to administer the employment relationship. Cyber-criminals know this and choose their targets accordingly. And when their attacks succeed, affected employees are prone to sue.
Two especially common theories of liability in these cases are negligence and breach of contract. This two-part series of posts examines two recent federal court cases—one from New York and one from Pennsylvania—that show how courts deal with these types of claims.
A Phishing Attack Exploits Imperfect Data Security
In Sackin v. TransPerfect Global, Inc., a case from the United States District Court from the Southern District of New York, TransPerfect’s human resources department fell victim to a popular scheme known as “W-2 phishing.” In this scheme, criminals posing as a company executive send an email to unwitting personnel at the company and ask for copies of all employees’ W-2 tax forms.
A TransPerfect employee received and complied with one of these requests. The employee sent thousands of current and former employees’ W-2 forms and other payroll data to an unidentified attacker. As a result, the criminals obtained employees’ names, addresses, social security numbers, and banking information.
A group of employees sued TransPerfect after being notified of the breach. They alleged that the release of their information was caused by TransPerfect’s failure to properly train its employees on data security and to maintain appropriate security controls. Their complaint asserted a claim for common-law negligence. It also asserted, based on the employment relationship between the employees and TransPerfect, claims for breach of express and implied contract.
TransPerfect moved to dismiss those claims under Rule 12(b)(6). It argued that the employees’ negligence claim failed because TransPerfect had no common-law duty to protect their personal information against third-party criminals. TransPerfect also argued that the contract claims failed because employees hadn’t sufficiently alleged that TransPerfect had promised—explicitly or implicitly—to secure and protect their personal information.
A Common-Law Duty to Protect Employees’ Personal Data?
As to the negligence claim, the court first observed that under New York law, whether a defendant owes a duty to a plaintiff depends on a variety of factors:
- the relationship of the parties,
- which party is best positioned to avoid the harm,
- the public policy served by the presence of a duty, and
- the foreseeability of the harm if the duty is breached.
Those factors, the court concluded, supported imposing a common-law duty on employers to take reasonable precautions to protect employees’ personal information.
Employees, the court observed, cannot usually choose to withhold their information from an employer. They also have no means to protect that information in the employer’s hands, and they alone suffer the harmful consequences if the employer fails to protect it. Looking to public policy, the court also observed that the prospect of liability would provide employers with an economic incentive to protect employees’ information from the threat of cyberattacks.
Having determined that TransPerfect had a duty to protect its employees’ information, the court then concluded that employees had sufficiently alleged that TransPerfect was aware of and violated that duty. TransPerfect’s own website, the court observed, showed it recognized the risks of sending sensitive personal information by email. That website warned visitors to “never send” sensitive information by email because email is “generally not secure” and “vulnerable to hacking.” Despite that knowledge, the employees alleged, TransPerfect failed to prevent the emailing of their sensitive information to the criminals.
The court therefore denied TransPerfect’s motion to dismiss the negligence claim.
An Agreement to Secure Employees’ Personal Data?
As to the contract claims, the court first agreed with TransPerfect that the employees had failed to sufficiently allege an express contract that would bind TransPerfect to protect their personal information.
Simply alleging that their employment contracts “involved a mutual exchange of consideration” that included TransPerfect’s promise to provide employment and secure their personal information, without more, was not sufficient.
Nevertheless, the court found that the employees had plausibly alleged the existence and breach of an implied contract to that effect. The court observed that TransPerfect required employees to provide their personal information and was generally aware of the cybersecurity risks it faced. These factors, the court concluded, showed an implicit promise by TransPerfect to safeguard that information:
While TransPerfect may not have explicitly promised to protect [personal information] from hackers in Plaintiffs’ employment contracts, it is difficult to imagine how, in our day and age of data and identity theft, the mandatory receipt of Social Security numbers or other sensitive personal information would not imply the recipient’s assent to protect the information sufficiently.
The court therefore allowed the employees’ implied-contract claim to proceed.
Smooth Sailing for Employee Negligence and Contract Claims?
Sackin suggests that, because of the nature of the employment relationship, courts may be particularly inclined to find a duty on the part of employers to protect their employees’ personal information.
In that relationship, employees have little choice but to turn over their personal information. And so, the logic goes, employees can expect the employer to protect that information—especially when the allegations show that an employer is aware of the risks associated with collecting and storing it.
Given that reasoning, might companies still be able to defeat these types of claims?
Tomorrow’s post will examine a case in which a company did just that.