Tracey Diamond of Pepper Hamilton

In September 2017, Equifax announced that hackers had gained access to the confidential information of more than 145 million consumers, almost half of the U.S. population. The Equifax incident was a game changer due to the volume and sensitivity of the consumer information that was stolen, including names, Social Security numbers, birth dates, addresses and, in some instances, driver's license numbers.

Recent cases suggest that employers could be subject to liability when one of their employees causes a data breach by either knowingly or negligently revealing sensitive employee or customer data. In March 2016, for example, Sprouts Farmers Markets became the victim of a cyberattack when an employee in the payroll department responded to an email that appeared to come from a Sprouts senior executive requesting Forms W-2 for all employees. The employee sent the forms, which contained employees' names, Social Security numbers, salaries, mailing addresses and other personal data. The affected employees brought lawsuits in multiple districts, which were consolidated and then stayed pending a decision in a U.S. Supreme Court case addressing whether individual arbitration agreements signed by each of the employees precluded a class action. In re Sprouts Farmers Market, Employee Data Security Breach Litigation, No. 2:16-MD-02731 (May 24, 2017).

Even more recently, in October 2017, the U.S. District Court for the Southern District of New York issued an opinion finding that employees had standing to bring a putative class action against their employer when a coworker's negligence led to a data breach exposing all of the employees' personal information to hackers. Sackin v. Transperfect Global, 17 Civ. 1469 (S.D.N.Y. Oct. 4, 2017). In that case, employees received a “phishing” email, which appeared to come from the company's chief executive officer, but actually was sent by unidentified hackers. The email asked for Forms W-2 and payroll information of all current and former employees. At least one employee sent the information to the cybercriminals in an unencrypted format. As a result, the hackers obtained employees' names, addresses, dates of birth, Social Security numbers, direct deposit bank account numbers and routing numbers.

The court denied the company's motion to dismiss for lack of standing, finding that the company's alleged provision of employee names, addresses, dates of birth, Social Security numbers and bank account information directly to cybercriminals created a risk of identity theft “sufficiently acute so as to fall comfortably into the category of 'certainly impending'” such that standing was warranted. The court also concluded that the complaint alleged an injury in fact in the form of identity theft prevention services that the employees were forced to purchase. Significantly, the court found that the plaintiffs stated a claim for negligence in that the company did not train employees on data security; did not erect digital firewalls; and did not maintain retention and destruction protocols for personally identifiable information.

Employees have not always succeeded in arguing that they have standing to bring suit. In January 2017, for example, the Pennsylvania Superior Court upheld a decision of the lower court finding that the University of Pittsburgh Medical Center (UPMC) did not owe a duty to its employees to prevent employees' confidential information from being stolen by third parties in a data breach. Dittman v. UPMC, 154 A.2d 381 (Pa. Sup. Ct. 2017). The employees brought an action for negligence and breach of contract against UPMC after hackers accessed UPMC's computer systems and stole the names, birth dates, Social Security numbers, tax information, addresses, salaries and bank information of approximately 62,000 UPMC employees and former employees. The employees asserted that UPMC owed a legal duty to protect their personal and financial information and that UPMC failed to keep their information safe and prevent vulnerabilities in its computer system. The court disagreed, finding that there was no true way to prevent data breaches and that the possibility of data breach did not outweigh the social utility of electronically storing employee information. The case is currently on appeal to the Pennsylvania Supreme Court.

Likewise, in September 2017, the U.S. District Court for the District of Columbia dismissed consolidated class actions brought on behalf of public employees and applicants whose personal information, which was given to the employer in connection with background checks, was compromised by a data breach. See In re U.S. Office of Personnel Management Data Security Breach Litigation, 266 F. Supp. 3d (D.D.C. 2017). The court found that the plaintiffs lacked standing to bring suit.

While courts differ on whether victims of cyberattacks can seek relief from the companies whose negligence allowed the breach to happen, cybercriminals continue to dupe employees into revealing sensitive information about coworkers via phishing attacks. In March 2016, for example, Snapchat announced that someone posing as the company's chief executive officer obtained employee payroll data about 700 employees. More than seven other companies were tricked by similar phishing attacks that same year.

Congress is currently considering whether to adopt a national data breach notification law, in large part because Equifax failed to notify the public immediately after discovering the attack. Additionally, in the absence of federal action, state legislatures are starting to step in to put in place standards for cybersecurity programs to protect both consumers and employees. New York State, for example, enacted legislation, effective March 2017, to require banks, insurance companies and other financial services institutions regulated by the Department of Financial Services to establish and maintain a cybersecurity program designed to protect consumers' private data.

Companies often are surprised to learn that their biggest security threats come from their own employees. These risks range from the use of weak passwords to clicking on corrupt internet links to theft of sensitive data. Many companies allow employees to use their personal electronic devices. As a result, there is a risk of a cyberattack not only in the office, but also on mobile devices accessed from employees' homes. Nonetheless, there are several things that employers can do to tighten controls on their data:

  • Draft comprehensive cybersecurity policies, making it clear to all employees that they have obligations to safeguard sensitive data.
  • Make sure that company policies address business use of personal devices, as well as personal use of business devices.
  • Train employees on how even inadvertent actions can compromise company secrets.
  • Ensure that company IT departments keep up with developing technologies.
  • Consider how applications used by employees with wearable technologies, such as fitness and GPS apps, are able to capture information about employee business travel or sales routes.
  • Establish procedures so that IT can identify any devices that are not configured properly, and single out those employees who are not following security protocols.
  • Discipline employees for violating company policies and procedures on cybersecurity.
  • Perform exit interviews that ensure employees are aware of their continuing obligations to keep secrets secret, even after the end of the employment relationship.

Tracey E. Diamond is of counsel at Pepper Hamilton, resident in the Philadelphia office, and a member of the firm's labor and employment practice group. Contact her at 215-981-4869.