Organizations are increasingly being held liable for breaches of employee data. But employers can take steps to mitigate the likelihood and impact of breaches.

Any organization using an electronic payroll and benefits system stores and processes sensitive employee data - which covers just about every organization in operation today. There are many risks related to a cyberattack that compromises employee data, including legal liability, business interruption and reputational damage.

What is Employer Liability?

Employer liability is the legal responsibility of an organization to adhere to laws and regulations. Employer liability has typically applied to issues like wages, payroll taxes, harassment and discrimination.

For example, employees may sue their employer if the organization fosters an unsafe or hostile work environment. The company would have to pay damages if the court rules in favor of the employees.

What is Employer Liability For Cybersecurity?

When it comes to cybersecurity, employer liability obligates an organization to protect the Personally Identifiable Information (PII) of employees. What PII is, exactly, varies from one jurisdiction to another. It is generally helpful to think of employee PII as data the HR and accounting teams manage.

- Personal financial information (like salary or equity), bank accounts and credit/debit cards.

Much of what qualifies as employee PII is the same as customer PII. Until recently, many of the lawsuits brought against organizations after a data breach centered on the disclosure of customer data. However, class-action lawsuits alleging employers were negligent, breached a contract or engaged in unfair business practices with their employees are gaining favor among courts, putting employers on the hook. Since the Pennsylvania Supreme Court ruled in November 2018 that employers have a common law duty to protect employee PII, courts at the federal, state and local levels have followed suit.

Importantly, employers are liable when there is a breach of employee data - not third-party providers. In a lawsuit brought by a former employee of a biopharmaceutical company, the United States Court of Appeals for the Third Circuit found a data breach only had to pose potential harm for an employer to be found liable. When the biopharma company’s payroll software leaked data in a breach, the employer was liable for the publication of employee data on the dark web, not the software company.

Standard-bearing data privacy regulations, such as the California Consumer Privacy Act (CCPA) and the European Union’s General Data Protection Regulation (GDPR), also have provisions requiring employers to protect the privacy of employee data as stringently as customer data. Under GDPR, organizations must gain voluntary and clear consent to collect, store and use employee data. They must outline how HR data will be used, for instance.

What Does Employer Liability Look Like After a Cyberattack?

CommonSpirit Health, one of the largest healthcare systems in the United States, suffered a ransomware attack in October 2022 impacting more than 623,000 individuals. The hospital chain shut down the affected system to stave off further damage to its IT environment, including its electronic timekeeping and payroll system.

After the company eventually restored service to its systems, nurses at some of the company’s sites in Oregon reported being underpaid in the pay periods following the attack. The company lost $150 million in revenue from the disruption. In an ongoing suit, the union representing employees at some of the chain’s sites in Oregon is seeking $1.5 million in damages for over 600 employees related to unpaid wages, late payment penalties and other damages. While this suit seeks redress of unpaid wages, other employee suits have sought damages related to the heightened risk or occurrence of identity theft against employees whose data was breached in an attack.