According to the federal court in the Southern District of New York, the answer is a resounding yes. In a putative class action filed on behalf of Transperfect employees whose personal information was disclosed as a result of a cyberattack, the court directly addressed the question of whether Transperfect owed its employees a duty to protect their personal information. Sackin v. Transperfect Glob. Inc., No. 17 Civ. 1469, 2017 U.S. Dist. LEXIS 164933 (S.D.N.Y. Oct. 4, 2017). The court found that such a duty existed under both common law and New York statutory law. Finding a common law duty, the court held that employers have a duty to take reasonable precautions to protect the information that they require from employees. The court reasoned that the employer is in the best position to avoid the harm to employees, and that potential liability to employers provides an economic incentive to act reasonably in protecting employee data from the threat of cyberattack.
Keeping Information Safe
The court also relied on a New York statute, which makes it illegal for an employer to communicate an employee's personal information to the public, to create a statutory duty sufficient to state a claim for negligence per se. Further, the court held that Transperfect's requiring and obtaining sensitive personal information as part of the employment relationship gave rise to an implicit contract to act reasonably to keep its employees' information safe.
Other courts have come to differing conclusions, however. For example, in Dittman v. Univ. of Pittsburgh Med. Ctr., 154 A.3d 318 (Pa. Super. Ct. 2017), the trial court held that the University owed no legal duty to protect its employees' information. The Superior Court of Pennsylvania affirmed the decision. In that case, hackers had obtained the names, Social Security numbers, tax information, salaries, bank information, and other personal information of approximately 62,000 employees and former employees. The hackers used the information to file fraudulent tax returns and steal the tax refunds of some employees.
The Duty of Reasonable Care
The Dittman court rejected the employees' argument that an employer owes its employees a duty of reasonable care in its collection and storage of the employees' information and data. The court found that no judicially created duty of care is needed to incentivize companies to protect employees' information, because there are statutes and other safeguards in place to prevent employers from disclosing such information. Further, the court rejected the employees' argument that the employer agreed to enter into an implied contract to protect the employees' personal information. Another federal court decision, Enslin v. The Coca-Cola Co., No. 2:14-cv-06476, 2017 U.S. Dist. LEXIS 49920 (E.D. Pa. Mar. 31, 2017), reached the same conclusion based on Dittman. Notably, on September 12, 2017, the Supreme Court of Pennsylvania granted review of Dittman. No. 149 WAL 2017, 2017 Pa. LEXIS 2132 (Pa. 2017).
Protecting Employee Data
Though the law in this area is still developing and may vary depending on the jurisdiction, employers should take reasonable steps to protect their employees' data. Employers can be certain that regardless of whether a particular court recognizes a common law duty to protect employees' personal information, as even the court in Dittman recognized, the financial and reputational costs alone should be high enough to motivate companies to protect such information.