My company let my personal data get stolen. Are they responsible if I fall victim to identity theft?
I’ve just learned that my employer allowed our accounting manager to take payroll records home on a laptop, which got stolen in a home burglary. Now I have to worry that a thief has my Social Security number, home address and knows the ages of my children. Do I have legal recourse? What if my identity is stolen? Can I make my employer pay for any losses I experience?
Alaska and 47 other states have laws protecting personal information; however, A.S. 45.48 only requires that your current or former employer notify you that a security breach potentially compromises the security of your personal information.
You’re not the only employee who has wanted to hold your current or former employer liable for any identity theft problems that result from a laptop theft. On March 31, a U.S. District Court judge in Pennsylvania dismissed a proposed class action on behalf of 74,000 Coca-Cola employees after a former Coca-Cola technician claimed his identity was stolen because a laptop with his unsecured employee information fell into the wrong hands.
The judge in the case, Enslin v. The Coca-Cola Co., ruled that Coca-Cola was only responsible for their published code of conduct, which stated that Coca-Cola safeguarded employee records by collecting only necessary data and allowing only authorized employees to access the files for legitimate employer purposes. According to the judge, Coca-Cola didn’t have a more general obligation to safeguard its employees’ personal information.
In another well-known story, a U.S. Department of Veterans Affairs data analyst took home a laptop and disks containing the names, Social Security numbers and birth dates of 26.5 million individuals. When this employee’s home was burglarized, the laptop containing this data was stolen.
In this case, the Department of Veterans Affairs agreed to pay $20 million to current and former military personnel to settle a class action lawsuit, despite the laptop’s recovery and the FBI’s conclusion that the missing data hadn’t been accessed or improperly used.
The bottom line: While you can sue, you may or may not prevail.
Meanwhile, employers take unnecessary risks when they allow accounting or other personnel to load employee data on unsecured laptops. We urge our clients to ensure that electronic employee records are stored in a secure computer system and that any hard copies are kept in locked files and not taken off-site. An Alaska jury might easily find that an employer has a duty to safeguard its employees’ personal information. At a minimum, your employer should pay for a year of protective credit monitoring for you and your co-workers.
© Dr. Lynne Curry is author of ”Beating the Workplace Bully” and ”Solutions” as well as owner of the management/HR consulting/training firm The Growth Company Inc. Follow her on Twitter @lynnecury10 or at www.bullywhisperer.com.