Ever since the Internet became mainstream, protecting the personal information of consumers has been an ongoing concern. But only recently has this concern about protecting personal data expanded to employees. With greater awareness and worry about data breaches and identity theft, employees have begun taking legal action. Two cases from Illinois and Pennsylvania illustrate this fact.
Illinois: Employer Use of Biometric Data
Illinois became one of the first states to have a law that specifically protected biometric data. In 2008, Illinois enacted the Biometric Information Privacy Act (BIPA), which applies not just to consumers but to employees as well. With respect to biometric data, the BIPA:
- Prohibits entities from profiting from biometric data.
- Imposes biometric data handling requirements.
- Requires anyone providing biometric data to first give informed consent.
- Allows individuals to sue if there is a BIPA violation, including bringing class-action lawsuits.
One of the unique features of the BIPA is that it not only allows for a private cause of action, but it doesn’t require a plaintiff to have suffered actual harm to sue. As long as they were affected by the BIPA violation, they have standing to file suit. This makes it much easier to form a class-action lawsuit, which can potentially result in much larger damage awards against defendants. Employers were reminded of these principles in a recent case involving the BIPA.
Sherman v. Brandt Industries
The plaintiff, Joseph Sherman (Sherman), was an employee of the defendant, Brandt Industries (Brandt). To assist in the recording of the hours its employees worked, Brandt had Sherman and its other employees “clock in” using their fingerprints.
Sherman alleges that Brandt violated the BIPA by not giving proper notice, not obtaining informed consent and not publishing its data retention and destruction policies concerning the fingerprint data.
In its motion to dismiss, Brandt’s primary argument was that Sherman did not have standing to sue because he did not suffer a concrete injury. The court rejected this argument, noting that the Seventh Circuit (of which Illinois is a part) recognizes that an invasion of privacy is not automatically a mere procedural violation, but can also constitute a concrete injury. Specifically, Sherman lost control of his biometric data and was at increased risk of having that data stolen. The court also noted that the Ninth Circuit, in applying the BIPA, reached a similar conclusion.
This case is still in the early stages of litigation. However, Sherman and his potential class-action lawsuit survived a major hurdle when the court denied Brandt’s motion to dismiss.
Pennsylvania: Employer Duty to Safeguard Employee Data
In tort law, there’s the idea of the “reasonable person.” In deciding if a defendant’s conduct was negligent or otherwise wrongful, courts will usually compare the defendant’s actions to what a reasonable person or entity in the same situation would have done.
A few years ago, the Pennsylvania Supreme Court handed down an important decision that applied such a standard to the employment arena. Pennsylvania’s Supreme Court explicitly declared that employers had a legal duty to protect the personal information of their employees.
Dittman v. UPMC
Barbara Dittman, along with several other individuals (collectively, Dittman), filed a class-action complaint alleging that the University of Pittsburgh Medical Center and UPMC McKeesport (collectively, UPMC) breached a legal duty of reasonable care when the personal information of all 62,000 UPMC employees was stolen from UPMC’s computers.
Part of their allegations included claims that UPMC did not take adequate steps to protect the data, such as not properly encrypting the data, not setting up sufficient firewalls and failing to establish adequate authentication requirements.
As a result of these failures, Dittman asserted that UPMC is legally responsible for this data breach. Providing this information was a condition of working for UPMC, and the breach resulted in instances of identity theft involving fraudulent tax returns.
The key issue was whether an employer had a legal duty to exercise reasonable care when storing sensitive employee information on computer systems that were accessible through the Internet. The Supreme Court of Pennsylvania answered this question in the affirmative and also concluded that under Pennsylvania’s economic loss doctrine and negligence tort theory, Dittman could recover actual damages.
This was a groundbreaking case because it unequivocally established an affirmative duty on Pennsylvania employers to protect the personal information of their employees. Although the holding itself binds only Pennsylvania employers, many states recognize negligence and duty-of-care principles similar to Pennsylvania’s, so it’s very possible for the legal reasoning in this case to be used by courts in other states.
Furthermore, this legal requirement placed on employers concerning employee data was created without the Pennsylvania legislature having to pass a data privacy law outlining data handling requirements, as was the case with the BIPA in Illinois.
What Does the Future Hold?
The Dittman and Sherman lawsuits are strong signals of a growing trend: increased scrutiny on employers to keep employee data safe, and a willingness by courts to hold employers accountable when they fail to meet this obligation.
Given employees’ worries about keeping their personal information safe, and employers’ anxiety over how to protect the data, data trusts might be a promising solution to these concerns.