BreachExchange mailing list archives

Liability for Data Breach Involving Employee Information: Even the Federal Government and Third Party Vendors Are Not Immune
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 7 Jul 2015 19:25:16 -0600

http://www.jdsupra.com/legalnews/liability-for-data-breach-involving-39961/

In what is quickly becoming the newest trending topic in class action
litigation, another class action has been filed alleging the disclosure of
employee personally identifiable information due to a cyber attack.

This time, the employer is the federal government, and another target in
the lawsuit is the third party vendor allegedly used by the federal
government to conduct its background checks during the time of the breach.

On June 29, 2015, the American Federation of Government Employees filed
suit against the U.S. Office of Personnel Management, as well as its
Director and Chief Information Officer (the “OPM Defendants”) and KeyPoint
Government Solutions (“KeyPoint”), on behalf of two named plaintiffs and a
putative class of 18 million current and former employees and prospective
employees (the “Plaintiffs”) of the federal government whose personally
identifiable information was put at risk by a massive data breach suffered
by OPM, which was made public early last month (AFGE, et al. v. OPM, et
al., Case 1:15-cv-01015, D.D.C., June 29, 2015).

Although the claims asserted in the case are somewhat different than those
we have seen in cases filed against private employers, the types of
injuries for which the employees are seeking redress are not. In their
Complaint, Plaintiffs are seeking to recover damages for the following
alleged injuries that they claim to have already suffered or from which
they are “at increased risk of suffering”:

– “out-of-pocket costs associated with the prevention, detection, and
recovery from identity theft or unauthorized use of financial and medical
accounts,” such as putting in place credit monitoring and obtaining credit
reports;

– “lost opportunity costs” associated with putting preventative measures in
place, including time spent “researching how to prevent, detect, contest
and recover from identity and health care/medical data misuse”;

– costs associated with the unavailability of frozen or flagged credit or
assets and complete denial of credit or use of credit;

– freezing and unfreezing of credit and penalties resulting from the
unavailability of frozen credit;

– diminution in the value and/or use of their personally identifiable
information; and

– the continued risk to their personally identifiable information and
future costs that will be expended to “prevent, detect, contest and repair
the impact” of their compromised information.

It is unclear at this time what injuries the Court will deem sufficiently
non-speculative to confer standing on Plaintiffs or establish a viable
cause of action.

Plaintiffs are asserting claims against the OPM Defendants for violations
of the Privacy Act and the Administrative Procedure Act. However,
Plaintiffs are also suing KeyPoint, which according to the Complaint, is
the OPM contractor that handled the majority of the background checks for
OPM at the time of the cyber attack. As is commonplace in suits of this
nature, Plaintiffs assert a garden variety negligence claim against
KeyPoint. The thrust of the negligence claim, as stated in the Complaint,
is that KeyPoint owed Plaintiffs a duty of care and did not take reasonable
steps to maintain and protect their personally identifiable information,
especially in light of the fact that the “OPM employee data was an
attractive target for cyber attackers” and KeyPoint’s cyber security
systems had sustained a prior breach in late 2014.

Although the Plaintiffs in the OPM litigation do not advance a separate
claim based on delayed notification of the data breach — despite the fact
that Plaintiffs claim OPM delayed months in disclosing the data breach to
those affected — many states have laws that require certain notifications
to take place within a specific timeframe in the event of a data breach.
Accordingly, employers need to make sure they are aware of such laws in the
states in which their employees work and are prepared to comply with them
in the event of a breach. Moreover, every company should have an
information security policy in place that states what actions the employer
will take in the event of a data breach. A number of the state data breach
notification laws provide a safe-harbor for employers who comply with the
notification procedure in their own information security policies in
response to a breach.

It remains to be seen if the defendants in the OPM litigation will move to
dismiss all or some of Plaintiffs’ claims and whether or not they will be
successful if they do. However, the filing of this complaint serves as yet
another cautionary tale about the many ways in which employees and
applicants can seek to impose liability on employers in the event of a data
breach. Moreover, the inclusion of KeyPoint in the lawsuit is a reminder to
employers that they need to vet carefully any third party vendors to whom
they entrust employee or applicant personally identifiable information.
Employers should review their data security measures — as well as those of
their vendors — in light of the ever-evolving threat posed by hackers.
Employers need to ensure that the measures they have in place will be
viewed as reasonable in light of the type of personally identifiable
information that they obtain from employees (e.g., medical, financial,
personal, etc.) and their history of vulnerability in this area. Companies
should be expending the same level of effort to protect employee
information as they do to protect consumer information. Indeed, some might argue that
a company’s duty of care to its employees is greater than the duty owed to
consumers. A consumer has a choice in the free market about to whom he or
she gives personally identifiable information; the same cannot necessarily
be said of an employee whose employer requires that certain financial
information be provided by the employee in order to have a paycheck
deposited or that certain medical information be provided in order to
process benefits.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss