Employers may be responsible for employee damages from cyber security hacks

Mail scams may be making a comeback, but the quickest, easiest, and most efficient way for a scammer or phisher to steal employees’ identities is to hack into your computer network. These attempts are more common than ever, and making a bad situation even worse — courts are increasingly holding employers responsible once there is a hack. Two recent cases, from two different states, using two different state laws, illustrate the risk.

Pay up: Maine wage-payment laws

Employee self-service portals are a great innovation for Payroll and HR. Employees can update their personal information without bothering you. But ESS portals are risky, too, because they create more points of entry into your computer network for phishers to create havoc.

The Maine Supreme Court has put the burden of ameliorating this havoc squarely on your shoulders by ruling that an employee whose ESS portal was phished was owed the wages the phisher stole.

An employee and 600 others were victims of what is now the classic HR phishing scam—they received an email purportedly from HR containing an embedded link. After clicking on the link, employees were sent to a fraudulent employee self-service portal and prompted to enter their usernames and passwords. Their pay was then rerouted to general-purpose debit cards. The employee was out $8,432.

The employer was notified of the theft and notified its bank and the FBI. The employer, however, only paid employees a portion of their stolen pay, reasoning it was entitled to rely on employees’ stolen credentials.

The employee naturally wanted all of his pay, so he sued, alleging the employer’s failure to pay was contrary to Maine’s wage-payment laws. State courts, including the state supreme court, agreed.

State supreme court: The wage-payment laws require a direct deposit to be routed into an employee’s account, so the employee actually possesses the funds. Because an employer doesn’t pay an employee unless the employee actually receives their wages, the employer failed to pay the employee at the time required by the wage-payment laws.

The case is Dorsey v. Northern Light Health.

Pay up (maybe): Georgia negligence laws

The 11th Circuit ruled that an employee whose name and Social Security number were stolen after his former employer’s administrative system was hacked could bring a class-action lawsuit under Georgia’s negligence law.

What is negligence? It’s handy to think of a negligence claim as a but-for claim. A party owes you a duty of care. The party failed to take reasonable care to avoid causing you damage, and but for the party’s failure to take reasonable care, you were injured.

That employees turn over all sorts of personal identifying information to their employers isn’t news. The W-4 is chock full of it. Here, the former employee’s personal identifying information was stolen after his former employer’s administrative system was hacked, and he sued, alleging his employer was negligent in storing his PII unencrypted.

This employee’s but-for analysis: But for the company’s failure to comply with industry standards appropriate for the nature of the sensitive, unencrypted information it was maintaining, his identity was stolen.

His employer wanted the case dismissed, arguing the employee’s lawsuit lacked allegations regarding the first part of the negligence analysis—it had a duty to safeguard employees’ PII under Georgia law. A federal trial court agreed; the 11th Circuit reversed.

Appellate court: The employer owed a duty of care to employees, since collecting employees’ PII was a condition of employment. Having found there was a duty of care, the court next concluded the risk of a hack was reasonably foreseeable and the employer needed to do something to secure the data, which it did not.

The case, Ramirez v. The Paradies Shops, LLC, now proceeds to trial.

The takeaway

Data-breach cases present a fairly new kind of personal injury, but so did cars at one time. Employers require the collection of employees’ PII for tax and benefits purposes, so it’s not a stretch to conclude that employers have a duty to take reasonable steps to safeguard this information.

What’s reasonable depends on the circumstances, of course, but small employers don’t have to spend a bundle on cybersecurity software.

You may find the following free resources helpful:

  • NIST, the National Institute for Standards and Technology, has resources devoted to small business cybersecurity.
  • The National Cybersecurity Alliance has information on four simple steps any employer can take to secure their data.
  • The Federal Trade Commission has a basic guide to cybersecurity.