Employer Liability for Data Breaches: What Companies Should Know

Organizations are increasingly being held liable for breaches of employee data. But employers can take steps to mitigate the likelihood and impact of breaches. 

Any organization using an electronic payroll and benefits system stores and processes sensitive employee data — which covers just about every organization in operation today. There are many risks related to a cyber attack that compromises employee data, including legal liability, business interruption and reputational damage.

What is Employer Liability? 

Employer liability is the legal responsibility of an organization to adhere to laws and regulations. Employer liability has typically applied to issues like wages, payroll taxes, harassment and discrimination. 

For example, employees may sue their employer if the organization fosters an unsafe or hostile work environment. The company would have to pay damages if the court rules in favor of the employees.

What is Employer Liability For Cybersecurity? 

When it comes to cybersecurity, employer liability obligates an organization to protect the Personally Identifiable Information (PII) of employees. What PII is, exactly, varies from one jurisdiction to another. It is generally helpful to think of employee PII as data the HR and accounting teams manage.

Common types of employee PII include: 

• Social Security Numbers (SSNs) 
• Driver’s licenses
• Passports
• Taxpayer Identification Numbers (TINs)
• Home addresses
• Personal financial information (like salary or equity), bank accounts and credit/debit cards
• Medical records
• Email addresses and phone numbers

Growing arena of employer liability 

Much of what qualifies as employee PII is the same as customer PII. Until recently, many of the lawsuits brought against organizations after a data breach centered on the disclosure of customer data.

However, class-action lawsuits alleging employers were negligent, breached a contract or engaged in unfair business practices with their employees are gaining favor among courts, putting employers on the hook. Since the Pennsylvania Supreme Court ruled in November 2018 that employers have a common law duty to protect employee PII, courts at the federal, state and local levels have followed suit.

Importantly, employers are liable when there is a breach of employee data — not third-party providers. 

In a lawsuit brought by a former employee of a biopharmaceutical company, the United States Court of Appeals for the Third Circuit found a data breach only had to pose potential harm for an employer to be found liable. When the biopharma company’s payroll software leaked data in a breach, the employer was liable for the publication of employee data on the dark web, not the software company.

Privacy of employee data

Standard-bearing data privacy regulations, such as the California Consumer Privacy Act (CCPA) and the European Union’s General Data Protection Regulation (GDPR), also have provisions requiring employers to protect the privacy of employee data as stringently as customer data. 

Under GDPR, organizations must gain voluntary and clear consent to collect, store and use employee data. They must outline how HR data will be used, for instance.

What Does Employer Liability Look Like After a Cyber attack?

CommonSpirit Health, one of the largest healthcare systems in the United States, suffered a ransomware attack in October 2022 impacting more than 623,000 individuals. The hospital chain shut down the affected system to stave off further damage to its IT environment, including its electronic timekeeping and payroll system. The company lost $150 million in revenue from the disruption.

After the company eventually restored service to its systems, nurses at some of the company’s sites in Oregon reported being underpaid in the pay periods following the attack. In an ongoing suit, the union representing employees at some of the chain’s sites in Oregon is seeking $1.5 million in damages for over 600 employees related to unpaid wages, late payment penalties and other damages. 

While this suit seeks redress of unpaid wages, other employee suits have sought damages related to the heightened risk or occurrence of identity theft against employees whose data was breached in an attack. 

Notable recent suits that have alleged employer liability after a cyber attack include: 

• Five Guys —  disclosure of job applicants’ Social Security numbers and driver’s licenses 
• San Francisco 49ers — theft of employee names, birthdates and Social Security numbers
• Macmillan — ransomware attack resulted in the publishing of employee data on the dark web and identity theft

The Business Impact of a Cyber attack

As with the CommonSpirit breach, cyber attacks impact businesses across a number of different areas.

• Legal Liability — Companies may be liable for damages after an employee data breach. These damages can include issues like the cost of replacing credit or debit cards, the cost of monitoring reports or other costs related to emotional distress from the risk of identity theft.
• Regulatory Penalties — Companies may face regulatory penalties, including fines for the breach or their failure to disclose the breach to affected parties.
• Reputational Fallout — Reputational costs can severely unsettle customer confidence and business performance. A marred public image, including with potential future employees, can jeopardize long-term business health. 
• IT Systems Outage, Restoration and Overhaul —  Though advised against by the FBI, organizations may choose to pay a ransom to restore access to their environment. In any case, as part of the forensic and recovery cost of any breach, businesses likely have to change, replace or update the IT systems that process employee and other sensitive data. 

How to Reduce Employer Liability in the Event of a Cyber attack

Employer liability and compliance with privacy regulations add heightened risk and cost to the already high expense of responding to a cyber attack. 

According to Keeper’s 2022 US Cybersecurity Census, the average US business faces about three successful cyber attacks each year. The average cost exceeds $75,000, with 37% of organizations paying $100,000 or more per cyber attack. For small-to-midsized businesses, the cost can be devastating.

Employers can reduce their liability from a cyber attack on employee data by making sure they are covered in the following ways:

• Cybersecurity Awareness Training — When employees can identify a suspicious link or attachment, they can keep their employer out of trouble. Employee education about the common signs of phishing or ransomware protects employees and organizations from falling victim to attacks.
• Employee Privacy Policy — In some areas, an employee data privacy policy may be required by law. Employee data privacy policies explain how employee data will be collected, stored and used.
• Setting Strong Passwords — Over 80% of data breaches are due to weak, stolen or re-used passwords. Having a way to create and store strong, random passwords enables employees to prevent the most common cause of data breaches.
• Privilege Management — A privilege management solution enables organizations to control permissions for and monitor the usage of critical accounts, limiting the risk of unauthorized access to sensitive information. 
• Vendor Security — It’s important to note that employers are liable for data breaches when a vendor leaks data, not third parties. Ensuring vendors are secure is critical to building a strong IT environment.
• Incident Response Plans — An incident response plan, which assigns ownership to critical activities like systems forensics, data recovery and strategic communications, should mitigate the liability and overall impact of a breach against an employer.
• Cyber Insurance — Cyber insurance can lessen the impact of a breach, helping businesses to mitigate their risk and cover the cost of their response. For organizations with low IT maturity, which are at a heightened risk of suffering a breach, many cyber insurance policies offer a readiness assessment to improve security practices and employee training programs.

Employer Liability and Privileged Access Management

Employers can mitigate liability and risk by controlling and monitoring access to sensitive accounts and information.

Keeper Privileged Access Manager (KeeperPAM) was created to protect multi-cloud, perimeterless environments from cyber attacks. By providing enterprise-grade password, secrets and privileged connection management in a simple platform, KeeperPAM enables organizations to cost-effectively reduce their attack surface and protect employees and devices.