Approaching Halloween, want to hear something Really Scary?
Late last year, the U.S. Court of Appeals, Third Circuit (Philadelphia) in Clemens v. ExecuPharm, Inc. (3rd Circuit Dec. 14, 2021), made clear that employers can be held liable for failing to properly protect their employees’ personal data. Why is this so scary? Well, in this case, an employee, Jennifer Clemens, was required to provide her employer, ExecuPharm, with her address, social security number, bank and financial account numbers, insurance and tax information, passport and information relating to her husband and child. (This is the type of information kept by most HR departments). ExecuPharm agreed in writing to take appropriate measures to protect the information. Clemens then left ExecuPharm.
At some point after her departure, ExecuPharm was hacked through a phishing attack. ExecuPharm’s information (including its employees’ information) was then held for ransom. Either ExecuPharm refused to pay the ransom or “for nefarious reasons unknown” the hackers released all the information on the Dark Web. The release of 123,000 files included the sensitive, personal information on Clemens and her former co-workers. ExecuPharm notified its current and former employees of the breach and provided them some after-the-fact support. Clemens took action herself, which included her spending a substantial amount of her time and some expenditures to protect her information and to protect herself from being the victim of fraud or identity theft.
Clemens then sued ExecuPharm on behalf of herself and former co-workers, for the company’s negligence, breach of contract, and breach of fiduciary duty. In a 23-page decision, the court noted that:
In an increasing digitalized world, an employer’s duty to protect its employees’ sensitive information has significantly broadened. Information security is no longer a matter of keeping a small universe of sensitive, hard-copy paperwork under lock and key. Now, employers maintain massive datasets on digital networks. In order to protect the data, they must implement appropriate security measures and ensure that those measures continue to comply with ever-changing industry standards.
The court made clear that failure to do so will cause employers to be responsible for any damages in the event of a data breach. So, not only did ExecuPharm have its systems hacked and have to expend resources to recover its information but also was required to address a federal lawsuit asserting claims by employees who were frightened that their identities might be stolen.
Cases like this highlight the encryption or bitlocker attacks commonly encountered by employers. In these attacks, employer data is encrypted or locked to deprive the employer from accessing its data. The attacks prevent employers from accessing their own data. Just as importantly, as ExecupPharm experienced, it may result in the theft and release of the data as well.
These attacks are a reminder to HR (not just IT) that cybersecurity is more important than ever. Good cybersecurity policies and procedures play a critical role in mitigating exposure to hacking and inadvertent dissemination of private information. Many of these efforts include educating employees on the risks and the need to be diligent in creating, storing and maintaining the company’s confidential information. For example, employees need to be aware of and should learn how to detect phishing scams which can lead to data breaches and significant intrusion into your network. With social media, hackers often have access to very personal information which they use to make their scams even more believable. Employers should restrict network access to deter hackers but also to limit the potential for breaches caused by insiders such as employees.
A strong cybersecurity plan should consider how to protect employee data held by employers (think about all the information an employer collects about an employee: social security number, driver’s license and/or passport number, birth date, home address, personal email address, telephone, and bank account information – a hacker’s dream).
At our upcoming labor and employment seminars, our partner Andy McLaughlin (with our partner Doug Kilby joining him at our Tallahassee seminar) will discuss the ways hackers attempt to gain access to your data as well as strategies for preventing these attacks.
Registration is now open for our 2022 Annual Labor & Employment Law Seminars!