Company data breaches are becoming far too common. Today, my colleague Jarad Lucan talks about the steps companies need to take, both pre- and post-breach. If your company has a unionized workforce, you may need to adhere to additional duties.
As we have reported in the past (the very recent past), it seems like there is a new headline regarding a company data breach almost daily (at the very least, weekly). For instance, this week Coca-Cola Co. was hit with a putative class action in federal court contending that it failed to properly protect employee information contained on 55 laptops that were stolen between 2007 and 2013. According to the complaint, the information contained on these laptops included personal identifying, motor vehicle, and financial information about employees that was subsequently used by the thieves to make fraudulent purchases, among other things. The complaint also alleges that Coca-Cola failed to notify affected employees promptly of the data breach. In the past, we have also identified four things a company can do before an employee data breach occurs: establishing and implementing a written data breach response policy, conducting a review of systems and data to understand where confidential information resides, conducting regular risk assessments for the company, vendors and business partners, and establishing frequent privacy and security awareness trainings.
In addition to the pre-breach steps a company should take, there are numerous post-breach steps that a company in Connecticut must take (if you have employees out of state, check those states' requirements), including notifying employees and the Attorney General's office of the breach if the breach involved employees' financial or motor vehicle information and/or Social Security numbers. Employers with unionized workforces may also have an additional requirement: bargaining over the impact of such a breach.
You may have heard that hackers recently broke into some of the Postal Service's computer systems and may have stolen sensitive data on more than 800,000 postal employees. What you may not have heard is that the American Postal Workers Union has filed a charge with the National Labor Relations Board accusing the Postal Service of keeping the union in the dark about that breach. According to the charge, "[t]he Postal Service did not give the Union advanced notice [prior to the official November 10th announcement] that would enable it to negotiate over the impacts and effects of the data breach on employees." Essentially, the union is claiming that it should have been kept in the loop regarding the breach as soon as the Postal Service knew about it, and that the Postal Service should have sat down with the union to discuss, among other things, the Postal Service's response to the breach to the extent that response affected the unionized workforce. In fact, it appears that the union also takes issue with the Postal Service's offer to provide free monitoring services to the affected employees, a common position taken by a company after a data breach. Indeed, the charge goes on to allege that "the Postal Service unilaterally changed wages, hours and working conditions by, among other things, providing free monitoring services to employees." As a remedy, the union is seeking injunctive relief in this case.
It is too early to determine how the NLRB will respond to this charge. The NLRB may dismiss it, or it may decide that it has enough teeth to issue a formal complaint. Whatever the NLRB does, given the prevalence of data breaches affecting companies, this is an issue to keep track of if you employ a unionized workforce. We will certainly update you on any developments.