A company faced with a security breach has a lengthy “to do” list, things to accomplish with respect to its incident response plan. It must, among other things, determine the root cause of the vulnerability or breach, investigate and eliminate the vulnerability or breach, determine the full nature and extent of the breach, determine who to notify and finalize the notifications.
If the American Postal Workers Union (APWU) has its way, a unionized employer facing a security breach involving employee personal information would have yet another responsibility – bargaining over the impact of or response to the security breach.
The asserting that the United States Postal Service sent notice of the breach to employees on November 10, 2014, and offered the employees free credit monitoring for 1 year, but “did not give the Union advance notice that would enable it to negotiate over the impact and effects of the data breach on employees.” The Union’s complaint further states that by providing free credit monitoring, the USPS made a unilateral change in wages, hours and working conditions. Under the various state database security notification laws and the HiTech provisions of HIPAA, employers that encounter a breach of personal information regarding employees, must, absent certain exceptions, notify the affected employees (or for a HIPAA breach, plan participants), as well as potentially notify regulators and others.
There is no legal requirement in the United States that companies must consult with their employees regarding the investigation and/or impact of a security breach involving employee data. In fact, it is important that information concerning potential security incidents be maintained confidential so that the investigation is not compromised. Therefore, the APWU is taking a novel, unprecedented stance in claiming that the USPS had an obligation to be at the table and bargain over what actions USPS would take with respect to investigating and/or remediating a breach.
Although it will be several months (at the earliest) before the NLRB issues any type of ruling or guidance on this matter, employers should consider this type of communication should a data breach occur. In other words, while not legally required, it is certainly important and prudent for a company to consider all stakeholders in determining how to respond to a security breach. The goodwill of a company, and its relationships with employees and customers are extremely valuable.
Since the wrong internal or external communications concerning a breach can have a significant impact on how actual and potential customers and employees, as well as shareholders, perceive the company we recommend that every incident response plan include a company’s public relations and communications experts in order to make sure that the proper groups are properly informed as to the status of a security incident and the measures a company is taking to protect affected individuals.