Cybersecurity – EB/ERISA

Recent Decisions Shine Light on Employer Liability for Data Breaches of Employee Personal Information

on April 20, 2017

An employee improperly accesses his employer’s computer network and steals the names, birthdates, and Social Security numbers of his fellow employees to use for illegal financial gain. A criminal hacks into that same network for similar illegal purposes. Because employers regularly obtain, store, and use confidential employee personally identifiable information (“PII”) as part of their business operations, they are targets for this kind of activity. But what legal responsibility do employers have to their employees when PII is misappropriated by an employee or stolen by hackers in a data breach? Two Pennsylvania courts have recently shed some light on this issue. In both cases, which involved large-scale data breaches affecting thousands of employees, the courts absolved the employers of any potential liability because either (1) the employer owed no duty in tort to its employees to protect PII against data breaches or (2) the employer had no express or implied contractual obligation to protect the PII. See Enslin v. Coca-Cola Co. (E.D. Pa. Mar. 31, 2017); Dittman v. UPMC (Pa. Super. Ct. Jan. 12, 2017), reargument denied Mar. 20, 2017.

While these cases produced pro-employer outcomes and will be helpful in similar future litigation, they should not give employers the idea that they can be lax in their data privacy and security practices involving employee PII. Employers should keep the following points in mind about these cases, and about maintaining data privacy and security practices that can meet the threats posed by today’s disloyal employees and hackers:

  1. Enslin and Dittman were decided under Pennsylvania law and are not binding on courts in the other 49 states. Case law in this area is still in its infancy, and courts are deciding these issues differently. For example, see Hapka v. Carecentrix, Inc. (D. Kan. Dec. 19, 2016), in which the court concluded that a similar employee data breach case could go forward against the employer, at least past the initial pleading stage. Ensuring that you have good privacy and security practices not only lessens the risk of a data breach, but also serves as helpful evidence should a court allow a lawsuit against you to go forward in the event of a breach.
  2. A court’s determination of your duties to your employees will likely be influenced by whether you were aware of previous threats to the security of the PII stored in your computer networks. An employer that knows about deficiencies and fails to address them might be held liable if PII is later stolen in a data breach.
  3. The Dittman court observed that “[t]here are still statutes and safeguards in place to prevent employers from disclosing confidential information.” That may be overstating the law a bit, but in both cases the employers provided notices to their employees because Pennsylvania law required those notices, and those notices led to what we have to assume has been time-consuming and expensive litigation. Employers must comply with other statutory and regulatory laws governing their data privacy and security practices, including the Health Insurance Portability and Accountability Act (“HIPAA”), Federal Trade Commission regulation, and other federal and state requirements. Employers also have a financial and reputational incentive to protect against data breaches. Even if you have no civil liability to your employees in the wake of a breach, having a robust data privacy and security program is still a legal requirement that makes good business sense.
William Berglund
Bill Berglund achieves diverse solutions to complex legal problems for pharmaceutical, medical device, and other product manufacturers in federal and state court litigation nationwide. Bill also represents and counsels hospitals, individual health care providers, and other regulated businesses with respect to medical privacy and data security issues and federal and state law compliance.