The U.S. legal system has much to say about employees’ duty to safeguard their employers’ proprietary or confidential information. Employees entrust a substantial amount of personal identifying information (PII) to their employers, but New Jersey employment laws have not defined employers’ legal duty to keep this information secure nearly as well. A recent decision from the Third Circuit Court of Appeals allows an employee’s privacy lawsuit against her former employer to proceed. The employee alleged negligence and other common-law claims after a data breach allowed hackers to obtain her PII and publish it on the “dark web.”
Most New Jersey employment laws relating to employee privacy address employers’ actions. A law that took effect in 2022, for example, prohibits employers from installing tracking devices on vehicles that employees drive without notifying them first. A 2013 New Jersey law prohibits most employers from compelling employees to provide access to their social media accounts. Federal laws like the Stored Communications Act could apply to employers who access employees’ private email accounts without permission.
An employer’s legal duty to protect employees’ PII from data breaches is less clear. PII may include birthdates, Social Security numbers, driver’s license numbers, and other information that fraudsters often find quite valuable. Identity theft and related crimes are a serious problem, resulting in billions of dollars in losses every year. The Federal Trade Commission (FTC) reports that it received almost 1.4 million reports of identity theft from consumers in 2021.
Employers in certain industries, such as finance or healthcare, have specific legal duties to protect private or sensitive consumer information. Those duties can arguably extend to employees as well. The case recently before the Third Circuit asserted common-law claims based on negligence and breach of fiduciary duty.
The plaintiff is a former employee of the defendant. The defendant required her to provide PII, including her Social Security number, passport number, and information about her family. According to the court’s opinion, the employment agreement stated that the defendant would “take appropriate measures to protect the confidentiality and security” of the plaintiff’s PII. After the plaintiff’s employment had ended, a hacking group accessed the defendant’s servers. The group obtained PII belonging to current and former employees, including the plaintiff, and attempted to ransom it. The defendant refused to pay, and the group followed through on its threat to publish the PII on the dark web.
The defendant promptly notified the plaintiff of the breach. She took quick action to mitigate the damage to her finances. She then filed suit for negligence, breach of implied contract, breach of fiduciary duty, and breach of confidence. She filed in federal court under the Class Action Fairness Act.
The district court dismissed the lawsuit under Rule 12(b)(6), finding that the plaintiff had not shown sufficient harm. A plaintiff must show an injury-in-fact or a risk of imminent harm to have standing to sue. An “increased risk of identity theft resulting from a security breach,” the court held, was not enough.
The Third Circuit disagreed and vacated the ruling. It held that the risk of harm was imminent, especially given that the hacking group had already published the plaintiff’s PII.
If your employer has breached a duty to you or violated your rights, you need a skilled and knowledgeable employment lawyer who can help you make a claim for damages. The Resnick Law Group represents workers in New Jersey and New York in federal and state employment law claims. Please contact us online, at 973-781-1204, or at 646-867-7997 today to schedule a confidential consultation to see how we can help you.