
The lawsuit against Sony alleges that the hack accessed social security numbers, salaries, medical information, and other sensitive information of more than 47,000 current and former employees, due to Sony’s “business decision to accept the risk” that they could get hacked. The claims in the class action, which include negligence and violations of California and Virginia data protection laws, also allege that Sony knew its vulnerabilities and failed to encrypt or password-protect employee information, even while putting enhanced data security, now shown to be inadequate, around the company’s movies.

This is not the first legal action brought against an employer because of a data breach. Earlier this year, for example, employees of the University of Pittsburgh Medical Center brought suit alleging that the Medical Center failed to properly safeguard their private information. That lawsuit claims that approximately 62,000 employees were affected when the employer’s information system was hacked, with some employees becoming victims of tax fraud while others had their identities stolen. In another case, the Federal Trade Commission brought an action and eventually settled with Ceridian, a popular cloud-based HR service provider, because of Ceridian’s allegedly inadequate security measures, which the FTC claimed affected more than 65,000 people.

So far, the courts have not provided employers meaningful guidance about their responsibility to protect employee information from unauthorized electronic access. The Sony and UPMC lawsuits may or may not result in such guidance. Having watched employment litigation for decades, we’re inclined to think that these two cases – and the others that will inevitably come – will attempt to answer classic negligence questions. What are the limits of the employer’s duty to protect electronic employment records? What should a reasonable employer do? What safeguards are available, and which should a reasonable employer use to protect sensitive employee information? These are questions that can’t be answered without an understanding of both employment law and cybersecurity. Tomorrow, our friends Tom Caswell and Hernan Cipriotti will chime in on this topic in a guest blog discussing lessons employers can take away from the hacks of Sony and others.

Posted by: Kate Bischoff and Judy Langevin