Extract from an article by Nicholas Jacobsen
Employers May Be Liable for the Release of Employees’ Personally Identifying Information in Data Breaches
In Sackin v. Transperfect Global, Inc., Judge Schofield of the U.S. District Court for the Southern District of New York held that NYLL § 203-d gave the plaintiffs a private right of action against their employer for the unauthorized release of their PII due to a data breach. At least one Transperfect employee received a phishing email, purporting to be from the CEO, that was actually sent by hackers, and provided the hackers with the W-2 forms and payroll information of all current and former Transperfect employees. The plaintiffs alleged that Transperfect failed to train its employees on data security, to utilize firewalls, and to maintain retention and destruction protocols for PII. They also asserted that hackers could use the employees’ PII to fraudulently obtain loans and credit cards, and to fraudulently file tax returns. After the breach, Transperfect offered the plaintiffs two years of free identity theft monitoring, but the plaintiffs purchased services to prevent identity theft instead.
The court found that the risks of identity theft set forth by the plaintiffs, as well as the costs incurred in purchasing identity theft protection services, gave the plaintiffs standing to sue their employer.
Extract from Sackin v. Transperfect Global, Inc. case overview via Casetext
Case Background for Sackin v. Transperfect Global, Inc., 278 F. Supp. 3d 739 (S.D.N.Y. 2017)
Defendant understood the prevalence of cyber-attacks on corporate records and appreciated the gravity of the risk posed by such attacks. High-profile corporate data breaches dominated recent headlines, and 282 breaches were publicly reported between 2014 and 2015. Defendant’s own website warns clients that cyber-attacks “are neither new nor infrequent.” The website cautions, “never send your credit card number, Social Security number, bank account number, driver’s license number or similar details in an email,” because email “is generally not secure” and is the method of communication “most vulnerable to hacking.”
On or about January 17, 2017, at least one TransPerfect employee received a “phishing” email. The email appeared to come from TransPerfect’s CEO, but actually was sent by unidentified cyber-criminals. The email asked for the W–2 forms and payroll information of all current and former TransPerfect employees. Because TransPerfect’s cyber-security was not up to industry par, at least one TransPerfect employee sent the information to the hackers in an unencrypted format. As a result, cyber-criminals obtained Plaintiffs’ names, addresses, dates of birth, Social Security numbers, direct deposit bank account numbers and routing numbers.
Hackers can use PII to obtain employment, loans and credit cards by fraud, and can file tax returns. Criminals can also use PII to steal government benefits and create false identification for use in further schemes. Stolen PII is frequently bought and sold among criminals on “dark markets.” TransPerfect responded to the breach by offering Plaintiffs two free years of enrollment in an identity theft monitoring service. Plaintiffs purchased preventive services.