The U.S. legal system has much to say about employees’ duty to safeguard their employers’ proprietary or confidential information. Employees entrust a substantial amount of personal identifying information (PII) to their employers, but New Jersey employment laws have not defined employers’ legal duty to keep this information secure nearly as well. A recent decision from the Third Circuit Court of Appeals allows an employee’s privacy lawsuit against her former employer to proceed. The employee alleged negligence and other common-law claims after a data breach allowed hackers to obtain her PII and publish it on the “dark web.”
Most New Jersey employment laws relating to employee privacy address employers’ actions. A law that took effect in 2022, for example, prohibits employers from installing tracking devices on vehicles that employees drive without notifying them first. A 2013 New Jersey law prohibits most employers from compelling employees to provide access to their social media accounts. Federal laws like the Stored Communications Act could apply to employers who access employees’ private email accounts without permission.
An employer’s legal duty to protect employees’ PII from data breaches is less clear. PII may include birthdates, Social Security numbers, driver’s license numbers, and other information that fraudsters often find quite valuable. Identity theft and related crimes are a serious problem, resulting in billion of dollars in losses every year. The Federal Trade Commission (FTC) reports that it received almost 1.4 million reports of identity theft from consumers in 2021.