Bloomberg Law Analysis

ANALYSIS: Employee Data Risk Gets Too Big to Ignore

Nov. 4, 2019, 12:07 PM

Despite countless high-profile data breaches, some employers still aren’t doing enough to protect their employees’ data. That’s set to change in 2020. The California Consumer Privacy Act and other state laws will bring more aggressive protection for employee information, forcing employers to take a hard look at the employee data they collect and how they protect it.

States are driving this transformation through two types of laws: those that hold businesses accountable for data breaches and those that give individuals the right to request and control their own data. Although not typically specific to the employment context, these laws can be particularly risky for employers because organizations tend to collect and maintain more data on their employees than on their customers—and because employees are in a better position than customers to know exactly what data their organizations are collecting.

Duty to Protect Employee Data

States are starting to place affirmative duties on employers to protect employee data. This approach represents a shift from more traditional state data breach laws that simply require businesses to notify victims of a data breach.

In 2020, the California Consumer Privacy Act will become the first state law to impose statutory damages for data breaches. Under the CCPA, employers that suffer a breach attributable to their failure to implement and maintain “reasonable security” procedures can be liable for damages of up to $750 per employee per incident. Although the scope of the CCPA is centered on its home state, it does open the door to class action lawsuits for data breaches, with the potential for classes to expand beyond California.

Another notable law, New York’s SHIELD Act, requires employers to implement administrative, technical, and physical safeguards to protect employee data. The law, which became effective in October 2019, gives employers until March 21, 2020, to implement cybersecurity programs.

Finally, a Pennsylvania Supreme Court case, Dittman v. UPMC, could serve as a roadmap for plaintiffs in other states. In Dittman, the court held that employers have a legal duty to “exercise reasonable care to safeguard” employee personal data stored on an internet-accessible computer system. Further, the court found that the plaintiffs could recover damages under the state’s economic loss doctrine.

With data breach frustration growing, it’s likely that more plaintiffs will look to precedent like this for remedies.

Duty to Provide Employee Data

The CCPA brings a new risk for U.S. employers: the risk that employees could get the right to request and control the personal information that their employers collect about them.

This idea might not sound onerous. Many states have laws that require employers to provide certain records or payroll information to employees. But the CCPA also creates other rights—such as the right to request deletion of their personal information and the right to opt out of the sharing of their personal information with third parties. “Personal information” in the CCPA context doesn’t just mean payroll records. It includes nearly all personal data, such as records of swiping security badges, logging on to computers, and being captured by security cameras.

Like the right to disclosure, the rights to delete and opt out won’t kick in for employees until 2021. AB 25 amended the CCPA to delay the application of those and other provisions for personal information collected in the employment context. However, AB 25 does not affect employers’ duty to inform employees what information they are collecting about them and why, nor does it prevent employees from exercising their right to sue for data breaches.

Employers to Make Changes

In preparation for these developments, employers should assess their data collection, storage, and security practices. Placing limitations on what’s being collected, how it’s being shared, and who has access to it should be a priority in 2020, and an independent assessment of security controls will go a long way to satisfy the “reasonable security” standard. Moreover, given the risks and potential liabilities, employers should not view an employee data privacy assessment as a one-time task. Rather, employers should regularly review and reassess their practices as laws and privacy issues continue to evolve.

Read about other trends our analysts are following as part of our Bloomberg Law 2020 series.

—With assistance from Mark Smith.