September 7, 2023
Court Says Employers Responsible for Employee Identity Theft — Regardless of Monetary Damages
Employers go to great lengths to protect their data from breaches by intruders. But what about employee data stored on company servers? Now employers are responsible for the security of that data as well.
In a recent federal case, Clemens v. ExecuPharm Inc., 48 F.4th 146, 157–58 (3d Cir. 2022), the Third Circuit Court of Appeals held that an employee had standing to bring negligence and breach of contract claims against her employer after her personal information was published on the dark web due to a data breach, according to a post by the law firm Porzio, Bromberg and Newman. “The employer, a global pharmaceutical subsidiary known as ExecuPharm, required the plaintiff to provide sensitive personal and financial information, including information regarding her financial accounts and her social security number, and promised to take ‘appropriate measures’ to protect this information after it was stored on its servers.”
After the employee’s job ended, a group of hackers accessed the plaintiff’s personal information and posted it to websites on the dark web. ExecuPharm notified its current and former employees of the breach and advised them to take action. The plaintiff did so, and her personal information was never used in an unauthorized way. However, despite suffering no monetary damages, the plaintiff sued for negligence and breach of contract. Though the case was dismissed in the Federal District Court, the plaintiff won her case on appeal. The court said that the “disclosure of private information” alone constituted a cognizable harm, along with emotional and other distress:
“In an increasingly digitalized world, an employer’s duty to protect its employees’ sensitive information has significantly broadened. Information security is no longer a matter of keeping a small universe of sensitive, hard-copy paperwork under lock and key. Now, employers maintain massive datasets on digital networks. In order to protect the data, they must implement appropriate security measures and ensure that those measures continue to comply with ever-changing industry standards.”
According to the law firm’s post, “The Court’s holding presents a clear warning to employers, who may be liable to their employees for security and data breaches even if the employees suffer no actual financial harm. The decision creates a new layer of complexity for employers dealing with cybersecurity threats, who now face potential liability to their current and former employees in addition to the other numerous negative consequences that may flow from a data breach.
“Going forward, employers must ensure that they maintain appropriate and up-to-date security measures to provide strong and broad protection for the sensitive information stored on their servers and understand that a data breach may expose them to employee lawsuits.”