Sarah Anderson

What About the Employees?



Too often, the focus following a data breach or other type of cyber incident is on communicating with the public and, specifically, consumers. Businesses are rightly concerned about economic losses associated with operational interruptions, loss of goodwill, and potential lawsuits from consumers. Unfortunately, the businesses’ own employees are overlooked as liability sources.


Although privacy policies are often directed at the public, as well as current and future customers, they also apply to employees. Absent provisions in employee handbooks specifically disclaiming rights to privacy, employees enjoy a reasonable expectation of privacy in the workplace in places and things not typically shared with others (examples: cell phone data, desk drawers, private files). Data breaches can also violate the employee’s right to privacy, giving rise to either a general negligence claim or an implied breach of contract claim.


An employee's expectation of privacy in an office, desk, or cabinet is reduced by virtue of actual office practices and procedures, determined on a case-by-case basis. Examples of factors courts consider when evaluating an employee’s expectation of privacy include whether the work area was used exclusively by the employee, the extent to which others had access to the workspace, the nature of the employment, and whether office policies or regulations placed the employee on notice that the work area was subject to employer intrusions.


Therefore, when a cyber incident affects a business, courts are increasingly allowing employees to sue their employers directly for breach of implied contract (of privacy and use of reasonable measures to protect employee privacy). In Allen v. Wenco Mgmt., LLC, the Eastern District of Ohio (Case No.: 1:23 CV 103) found that Wendy’s Restaurant employees had standing to sue their employer for privacy injuries following a data breach and the increased risks of identity theft.


Decided in September 2023, the Allen court noted that courts are split on whether an employee can sue his/her employer for breach of implied contract (for privacy) following a cyber incident. The U.S. District Courts for both the Central and Northern Districts of California previously dismissed the same claims as “conclusory and vague” and lacking “cognizable damages.” See Medoff v. Minka Lighting, LLC, 2023 WL 4291973, at 9 (C.D. Cal. May 8, 2023); Flores-Mendez v. Zoosk, Inc., 2021 WL 308543, 4 (N.D. Cal. Jan. 30, 2021).


In May 2023, the Western District of Kentucky in Savidge v. Pharm-Save, Inc., 2023 WL 2755305 (W.D. Ky. Mar. 31, 2023) sided with the employees, after several employees of a pharmaceutical company had their data exposed and one employee later learned that fraudulent tax returns were filed on her behalf. Again noting that other federal courts were split on whether to dismiss similar employee claims against employers following a data breach, the Savidge court ultimately held that “a jury may consider whether Plaintiffs are entitled to compensation for their increased risk of future harm as long as they can show a material risk of concrete harm coupled with any realized injury—which could be emotional harm, lost out-of-pocket expenses,” or some other future injury.


While the law is far from standardized or easily predictable, employers must consider and take proactive steps to mitigate employee-related claims following cyber incidents. To deflect the privacy and future injury claims, employers must adjust employee handbooks to ensure that employees demonstrate informed consent regarding the employer’s privacy policies and that employees are informed that, while the employer will make a reasonable effort to protect employee data, it cannot and does not make any guarantees or warranties of data security.
