Approaching Halloween, want to hear something Really Scary?
Late last year, the U.S. Court of Appeals, Third Circuit (Philadelphia), in Clemens v. ExecuPharm, Inc. (3rd Circuit Dec. 14, 2021), made clear that employers can be held liable for failing to properly protect their employees’ personal data. Why is this so scary? Well, in this case, an employee, Jennifer Clemens, was required to provide her employer, ExecuPharm, with her address, social security number, bank and financial account numbers, insurance and tax information, passport, and information relating to her husband and child. (This is the type of information kept by most HR departments.) ExecuPharm agreed in writing to take appropriate measures to protect the information. Clemens then left ExecuPharm.
At some point after her departure, ExecuPharm was hacked through a phishing attack. ExecuPharm’s information (including its employees’ information) was then held for ransom. Either ExecuPharm refused to pay the ransom or “for nefarious reasons unknown” the hackers released all the information on the Dark Web. The release of 123,000 files included sensitive personal information about Clemens and her former co-workers. ExecuPharm notified its current and former employees of the breach and provided them with some after-the-fact support. Clemens also took action herself, spending a substantial amount of her time and incurring some expenses to protect her information and to protect herself from becoming the victim of fraud or identity theft.