Employers have tremendous control over their employees’ lives. Employers may influence employees’ schedules, decisions about where to live, appearance, and overall quality of life. Employers also control a massive amount of personal information—not only about current employees, but also about former employees and even job applicants. When employers fail to properly protect this information, they become vulnerable to data breaches and put employees’ financial health and privacy at risk. Currently, it is unclear whether employees can fully recover after their employer suffers a data breach, even though employees must be on constant alert to monitor their personal information once stolen.
When someone breaches a company’s data, the victims—those who entrusted their personal information to that company—must spend time and money to carefully monitor their information and change what they can to protect themselves from future identity theft.1See Margaret A. Dale & David A. Munkittrick, Data Breach Litigation, in Proskauer on Privacy 17-1, 17-7 to 17-8 (Ryan P. Blaney ed., 2d ed. 2020). If they do not, identity thieves may incur large debts in a victim’s name, ruining that victim’s credit history and leaving her to deal constantly with incessant creditors.2Ben Luthi, What to Know About the Effects of Identity Theft, Experian (July 23, 2019), https://perma.cc/864X-XSRE; see also Identity Theft Res. Ctr., Identity Theft: The Aftermath 2017 8 (2017) [hereinafter ITRC], https://perma.cc/VYT3-XNSJ. Victims may lose their ability to purchase a home, find rental housing, pay bills, and open credit cards.3ITRC, supra note 2, at 8. Identity theft victims often have to borrow money from friends and family, sell treasured possessions, and stop pursuing hobbies or taking vacations to pay thieves’ debts and restore their credit.4Id. at 7. Identity thieves may also commit crimes and give victims’ stolen names, addresses, and Social Security numbers to the police, leaving the identity-theft victim with an unearned criminal charge.5Luthi, supra note 2. Identity thieves may also simply decide to make private information public at no personal benefit, causing immense harm to a victim’s reputation.6See ITRC, supra note 2, at 11. To avoid these harms, data-breach victims spend an average of $150 to change each piece of stolen personal information7Rob Sobers, 107 Must-Know Data Breach Statistics for 2020, Varonis (Sept. 24, 2020), https://perma.cc/LYA9-HSGU. and 200 hours—including time spent on hold with financial companies or standing in line at the DMV8See Gayle Sato, The Unexpected Costs of Identity Theft, Experian (Sept. 30, 2020), https://perma.cc/MR9K-8GD2.—to protect themselves against future identity theft. Seventy-seven percent of victims experience increased emotional distress in the process.9Id. These victims, however, often cannot gather enough evidence to bring their case to court to recover damages.10See Paul G. Karlsgodt, Baker & Hostetler LLP, Key Issues in Consumer Data Breach Litigation, Westlaw Practical Law 5-582-9285. Because hackers may not yet have used the stolen data at the time victims discover that the breach occurred and that they are at risk, it is difficult for victims to plead any actual harm.11Id. But victims must act quickly to recover for any losses they may suffer in the future, for the more time that passes between a data breach and an identity theft, the less likely it is a victim will successfully tie the identity theft to a defendant’s conduct.12Daniel Bugni, Comment, Standing Together: An Analysis of the Injury Requirement in Data Breach Class Actions, 52 Gonz. L. Rev. 59, 62 (2017). On average it takes 280 days for a company to identify and contain a data breach. IBM, Cost of a Data Breach Report 2020, at 5 (2020).
While a proliferation of lawsuits has aimed to recover damages incurred for protecting against future identity theft after data breaches, most of these lawsuits originate from consumers, corporate shareholders, or government agencies.13Michael Hooker & Jason Pill, You’ve Been Hacked, and Now You’re Being Sued: The Developing World of Cybersecurity Litigation, 90 Fla. B.J., July–Aug. 2016, at 30, 31. Employees bring relatively few suits.14See Nicole Kardell, Employer Liability for Data Breaches: Avoid Getting Eaten by Your Own, Ifrah Law: Crime in the Suites (Jan. 31, 2018), https://perma.cc/2VJA-QH5K. And while some state statutes provide a private right of action and statutory damages for consumers in these cases, none protects employees in the same way.15See Karlsgodt, supra note 10; Edward T. Kang, Data Breach Cases: An Analysis of Standing and Best Causes of Action, Law.com: The Legal Intelligencer (Nov. 11, 2020, 12:27 PM), https://perma.cc/U8ZW-7V4E; see also, e.g., Cal. Civ. Code § 1798.150 (West 2021). Therefore, it is uncertain whether employees can recover damages like other types of plaintiffs, as it is unclear whether employees have standing to sue when their personal information is stolen during an employer’s data breach.16Karlsgodt, supra note 10.
To have standing to sue, employees must have suffered an injury that is “‘concrete and particularized’ and ‘actual or imminent,’”17Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1548 (2016). fairly traceable to their employer’s conduct,18Attias v. Carefirst, Inc., 865 F.3d 620, 629 (D.C. Cir. 2017). and redressable by a favorable court decision.19Susan B. Anthony List v. Driehaus, 573 U.S. 149, 158 (2014). In data breach litigation, pleading enough facts to show all of these elements is often difficult.20See Bugni, supra note 12, at 63 (explaining that although plaintiffs’ information is stolen at the time they bring suit, there is often no indication of financial damages at that time, so courts are likely to dismiss for lack of injury without more to show concreteness); see also Patrick J. Lorio, Note, Access Denied: Data Breach Litigation, Article III Standing, and a Proposed Statutory Solution, 51 Colum. J.L. & Soc. Probs. 79, 105 (2017) (explaining that stolen data, without evidence of fraud or some other direct impact on the plaintiff, will not be enough to show a concrete injury). While the Ninth and DC Circuit Courts of Appeals have taken a flexible approach to standing when employees sued to recover for risk of future identity theft, the Third Circuit Court of Appeals has taken a much stricter approach.21See generally In re U.S. Office of Pers. Mgmt. Data Sec. Breach Litig. (OPM), 928 F.3d 42 (D.C. Cir. 2019); Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011); Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010). The Ninth and DC Circuits held that employees had standing to sue in these cases because their injuries were real and not hypothetical.22OPM, 928 F.3d at 56; Krottner, 628 F.3d at 1143. By comparison, the Third Circuit dismissed employees’ injury claims from increased risk of future identity theft after their employer suffered a data breach as too hypothetical and speculative.23Reilly, 664 F.3d at 42. 
The divergence in these circuits has left employees with no clarity on whether they may recover their losses after their employer has failed to protect their data.
This uncertainty negatively affects employees. If employees are uncertain as to whether they may sue, they might decide not to and will ultimately bear the costs of their employer’s security problems—meaning that they must use some of their hard-earned wages to pay for their employer’s mistake. Alternatively, employees may decide to sue their employer despite the uncertainty, which could lead to high legal fees, added tension with their employer, and, if they lose, the entire cost burden from the data breach. With a clear rule, settlement would be more likely, which would benefit employees by allowing them to get faster payouts, pay less in legal costs, and keep personal details confidential.24See Gregory Thyberg, Employment Lawsuit Mediation/Settlement vs. Going to Trial, ThybergLaw (Nov. 29, 2017), https://perma.cc/AD47-MFU3. To combat uncertainty and provide a clear rule, this Comment argues that courts should find that employees have standing to sue their employer for increased risk of future identity theft after an employer’s data breach, as long as employees are able to sufficiently plead that: (1) a thief acquired personal information; (2) the thief can use the acquired information to engage in unauthorized transactions; (3) the breach can be traced to the employer; and (4) the employees’ injuries are redressable. Additionally, Congress and state legislatures should enact legislation to establish a private right of action and statutory damages in these cases—especially in instances where employees cannot meet the standing threshold—so employers are not shielded from liability for failing to protect employees’ personal information.
Part I of this Comment briefly overviews the current, limited consumer protection statutory framework and explains why employees are not protected—nor likely to be protected in the near future—under this framework. Because this framework does not protect employees, they must rely on Article III standing to sue. Part II discusses general standing requirements in Section A, employees’ struggles to meet standing requirements in data breach cases in Section B, and the current division in the circuit courts in Section C. Part III analyzes the effects of the inconsistencies among the circuit courts in employee standing and argues that courts should find standing to sue for risk of future identity theft if plaintiffs include certain allegations in their complaint. This Part also argues that Congress and state legislatures should enact legislation to protect employees—similar to the protections afforded consumers in many jurisdictions—when they do not have sufficient information about a breach to establish standing. This solution provides employees with more certainty and protection, fairly provides employers with notice, and eliminates employers’ liability shield in data breach cases. If this liability shield remains intact, employees will only suffer more as new technology allows employers to collect more and more data and allows hackers to get more creative with ways to steal employees’ personal information.
I. The Current Consumer Data Protection Statutory Framework Does Not Provide Employee Protection
To understand the urgent need for employee data protection, it helps to survey the current consumer protection statutory framework and to see how this limited framework leaves employees to fend for themselves when their data is stolen, making them much more susceptible to serious harm like destroyed financial independence or reputation.
A. The Current Consumer Data Protection Statutory Framework
There is no one federal law governing consumer data privacy in the United States, meaning the current consumer framework is a hodgepodge of federal sector-specific and state laws.25Noah Ramirez, Data Privacy Laws: What You Need to Know in 2020, Osano (Nov. 8, 2020), https://perma.cc/C7V6-KENF. This current patchwork limits its protection to consumers, who are inherently different from employees in the data breach context.26See infra Section I.B.
The federal sector-specific laws require companies to take reasonable measures to protect consumer data in very limited instances: when consumers provide this information to obtain credit,27Fair Credit Reporting Act, Pub. L. No. 91-508, tit. VI, 84 Stat. 1128 (1970) (codified as amended at 15 U.S.C. §§ 1681–1681x); see also Varonis, US Data Protection: Compliance and Regulations 7 (2020). financial services,28Gramm-Leach-Bliley Act, Pub. L. No. 106-102, 113 Stat. 1338 (1999) (codified in scattered sections of 15 U.S.C.); see also Varonis, supra note 27, at 8–9. health insurance, or health care.29Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), Pub. L. No. 104-191, 110 Stat. 1936; see also Varonis, supra note 27, at 12–14. Companies that violate these laws may be required to pay penalties,30See, e.g., Varonis, supra note 27, at 7, 8, 13. and under the Fair Credit Reporting Act (“FCRA”), a party that willfully fails to comply may also be liable to the consumer for either her actual damages or statutory damages of $100 to $1,000.3115 U.S.C. § 1681n(a)(1)(A) (a company that willfully fails to comply with the FCRA is liable to the affected consumer for “any actual damages sustained by the consumer as a result of the failure or damages of not less than $100 and not more than $1,000”). Merely negligent noncompliance carries liability for actual damages alone. 15 U.S.C. § 1681o(a)(1). These federal statutes either specifically apply their penalty provisions to consumers32See, e.g., id. (“Any person who willfully fails to comply with any requirement imposed under this subchapter with respect to any consumer is liable . . . .” (emphasis added)). or do not cover employment records,33Employers and Health Information in the Workplace, U.S. Dep’t of Health & Hum. Servs. (Nov. 2, 2020), https://perma.cc/8U2J-BT5P (“[HIPAA’s] Privacy Rule does not protect your employment records, even if the information in those records is health-related. In most cases, the Privacy Rule does not apply to the actions of an employer.”). and apply only in contexts where a consumer provides data in exchange for a good or service (and not as a condition of employment).34See 15 U.S.C. § 1681 (applying to consumers who access their credit reports); 15 U.S.C. § 6821 (applying to customers accessing financial services); 45 C.F.R. § 160.102 (2020) (HIPAA covers health plans and health plan providers, protecting the data of the individuals who access, or the consumers of, these services); see also Stephanie Comstock Ondrof, Comment, “Senator, We Run Ads”: Advocating for a US Self-Regulatory Response to the EU General Data Protection Regulation, 28 Geo. Mason L. Rev. 815, 826 (2021) (“[HIPAA] protects oral and recorded information about a patient’s past, present, or future ailments.” (emphasis added)).
For example, the FCRA serves to protect information consumers provide to credit reporting agencies in exchange for credit reports, and requires that these “reporting agencies adopt reasonable procedures for meeting the needs of commerce for consumer credit . . . in a manner which is fair and equitable to the consumer.”3515 U.S.C. § 1681(b) (emphasis added). While an employer may access a version of an employee’s credit report,36Elizabeth Gravier, Can Employers See Your Credit Score? How to Prepare for What They Actually See When They Run a Credit Check, CNBC (Aug. 27, 2020), https://perma.cc/AV3Z-U6P2. the FCRA does not extend its protections to that employee.3715 U.S.C. § 1681a(o) (communications by consumer reporting agencies to a prospective employer for the purpose of “procuring an employee” are specifically excluded); see also § 1681c(b)(3) (consumer reporting agencies are allowed to include more data in reports to be used in connection with employment of an individual whose expected annual salary will be more than $75,000). Further, “[t]he FCRA does not apply when an employer does its own investigation . . . .”38When Do Employers Need to Comply with the Fair Credit Reporting Act?, SHRM (July 30, 2018), https://perma.cc/A4RK-9PNX.
On March 12, 2020, a bill to create a more comprehensive consumer data protection scheme was introduced in the Senate: the Consumer Data Privacy and Security Act of 2020.39Consumer Data Privacy and Security Act of 2020, S. 3456, 116th Cong. (2020). The Act would not allow companies to collect or process “personal data” unless the individual consents or the data collection is for one of six express permissible purposes40Id. § 3(a), (c).—meaning the legislation is very broad and highly protective of consumers. The term “personal data,” however, expressly excludes “employee data” and “information about employees or employment status collected or used by an employer pursuant to an employer-employee relationship, including information related to prospective employees and relevant application materials,”41Id. § 2(9)(C). While it is unclear why employee data is expressly excluded from the Consumer Data Privacy and Security Act of 2020, some argue that employee information is excluded from this type of legislation because it would be unduly burdensome for employers to implement both consumer and employee data protection at once. Business groups are therefore fighting hard for these types of exclusions. See Issie Lapowsky, The Debate over Workers’ Electronic Privacy Is Dying Right When It’s Needed Most, Protocol (June 1, 2020), https://perma.cc/2NBG-5KY7. to minimize employers’ burdens. Express consumer consent to data collection or processing is required if that data collection involves disclosure to third parties.42S. 3456 § 3(b)(1)(B)(II). Consent is not required if the data is collected in the performance of a contract, among other situations.43See id. § 3(c). While the Act provides for civil penalties, it does not provide a private right of action, so individuals cannot sue to recover damages from a data breach if they do not independently have Article III standing.44See Gregory M. Kratofil, Jr. & Elizabeth Harding, Federal Privacy Legislation Update: Consumer Data Privacy and Security Act of 2020, Nat’l L. Rev. (Mar. 14, 2020), https://perma.cc/B6YZ-WL37. The Bill was referred to the Senate Committee on Commerce, Science, and Transportation on the day of its introduction, but no action has been taken since.45S.3456 – Consumer Data Privacy and Security Act of 2020, Congress.gov, https://perma.cc/RH5W-XU5S (no action had been taken as of mid-July 2021, when this Comment was finalized for publication).
State consumer protection laws are often much more comprehensive than the federal sector-specific laws, yet they still do not extend their protections to employees. The California Consumer Privacy Act (“CCPA”)—“the most comprehensive state data privacy legislation to date”—went into effect on January 1, 2020.46Zachary McDaniel, How to Not Get Sued: Data Privacy Laws Explained, LeadsBridge (Oct. 13, 2020), https://perma.cc/E2H4-3VHT. The CCPA positions consumers as the owners of their personal information and provides them with rights to: (1) know what personal information businesses collect about them; (2) know to whom businesses sell their personal information (and opt out of its sale); (3) access personal information that has been collected; and (4) request that a business delete personal information.47Mark Diamond, Quick Overview: Understanding the California Consumer Privacy Act (CCPA), Ass’n of Corp. Couns. (July 26, 2019), https://perma.cc/YEM5-QTLJ. The CCPA also grants a private right of action in some circumstances coupled with statutory damages of $100 to $750 per consumer per incident, meaning that data breach victims can sue to recover the costs of protecting against the risk of future identity theft without having to prove they suffered actual identity theft.48Id.; see also Kevin Benedicto, W. Reece Hirsh, Mark Krotoski, Carla Oakley & Gregory Parks, Preparing for the CCPA Private Right of Action for Certain Security Incidents, JD Supra (Jan. 6, 2020), https://perma.cc/7B4A-DZAV (“Under the law, California consumers have a private right of action when their ‘nonencrypted and nonredacted personal information’ is ‘subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures.’” (quoting Cal. Civ. Code § 1798.150(a)(1) (West 2021))).
Unlike last year’s Senate bill, the CCPA originally covered employees and included employment-related information in its personal data definition.49Skadden, California Consumer Privacy Act: A Compliance Guide 5–7 (2019). In late 2019, however, California Governor Gavin Newsom signed a CCPA amendment that exempts some employee data from its coverage: human resources data, emergency contact information, and third-party benefits information.50Fares Alkudmani, AB-25: What this CCPA Amendment Means for Employers and Employees, Secure Privacy (Jan. 13, 2020), https://perma.cc/QDD6-8W5J; see also CCPA-/CPRA-Related Amendment Tracker, IAPP (June 22, 2021), https://perma.cc/WDD4-GJ9W. Further, in late 2020 Governor Newsom signed an additional amendment that extends any exemptions keeping employment information outside of the CCPA’s coverage until 2022,51CCPA-/CPRA-Related Amendment Tracker, supra note 50. and on November 3, 2020, California voters passed Proposition 24 (the Consumer Personal Information Law and Agency Initiative), which extends these exemptions until January 1, 2023.52Kelly Scott, AB 1281 Extends Employee Personal Information Exemption from Consumer Privacy Act, JD Supra (Oct. 15, 2020), https://perma.cc/Y58L-CPQH; California Proposition 24, Consumer Personal Information Law and Agency Initiative (2020), Ballotpedia, https://perma.cc/K63S-NYU9. The Proposition’s extension of the employee-data exemption “allows employers to continue secretly gathering [personal employee information] for . . . years to come.”53Cal. Sec’y of State, Official Voter Information Guide 71 (2020), https://perma.cc/S33H-R2N3 (publishing an argument in opposition to Proposition 24 submitted by Californians for Real Privacy).
The original exemption was a compromise between business groups that fought to exclude employee data from the CCPA—to lessen the legislation’s compliance burden on employers—and labor groups supporting the inclusion of employee data to protect employees.54See Lapowsky, supra note 41. This compromise seems to be weighing in favor of the business groups who fought for exclusion, as multiple extensions have made it a key feature of the CCPA.
Other states have enacted consumer data protection legislation, although all of it is less comprehensive than the CCPA.55Sarah Rippy, US State Comprehensive Privacy Law Comparison, IAPP (Mar. 3, 2021), https://perma.cc/H532-AHZ9. For example, Maine’s statute only covers broadband internet service providers,56S.P. 275, 129th Leg., 1st Reg. Sess. (Me. 2019). and Nevada’s statute simply requires that any data collector implement and maintain “reasonable security measures to protect [data] from unauthorized access, acquisition, destruction, use, modification or disclosure” without outlining what “reasonable” security measures involve.57Nev. Rev. Stat. § 603A.210 (2019) (emphasis added). A few other states have proposed or enacted legislation similar to the CCPA, like Washington, New York, and, most recently, Virginia; however, these bills do not add much in the way of employee protection.58See Rippy, supra note 55; see also Comstock Ondrof, supra note 34, at 843–45 (detailing the proposed Washington Privacy Act, which is limited and does not provide a private right of action, and the New York Privacy Act, which is very comprehensive but nearly impossible to comply with in its current state); Sarah Rippy, Virginia Passes the Consumer Data Protection Act, IAPP (Mar. 3, 2021), https://perma.cc/SY8F-C22A (noting that Virginia’s Consumer Data Protection Act expressly excludes employees from its definition of “Consumer”). For example, Virginia’s Consumer Data Protection Act explicitly omits employees from its protections.59Rippy, supra note 58. Several other states have proposed similar legislation, much of it dying in committee; yet a few state legislatures are actively drafting bills that may pass in the near future.60Rippy, supra note 55.
This state of affairs—a hodgepodge of federal sector-specific laws with its limited coverage supplemented by a tiny fraction of states that have enacted legislation—makes it clear that the current US consumer data protection statutory framework leaves much to be desired, especially for those unprotected because their data was stolen in the employment, and not consumer, context.
B. How Employees Are Not Protected Under This Framework
The current consumer protection statutory framework does not protect employee information, as the pieces of the patchwork that make up US consumer data protection legislation often expressly exempt employees from their coverage and neglect to consider employees’ unique position. For example, the CCPA classifies consumers as the owners of their personal information but denies employees the same data ownership, allowing employers to own their employees’ data instead. These employers have access to an extremely wide range of employee personal information, the collection of which is often required61See Deborah Tam, How Employers Can Avoid a Data Breach and What To Do if It Occurs, Thomson Reuters: Tax & Acct. (June 25, 2019), https://perma.cc/3668-VCVR. and is not always done with employee consent.62See Matthew W. Finkin, Privacy in Employment Law 355 (3d ed. 2009).
Employers routinely collect a wide variety of employee data including addresses, Social Security numbers, email messages and other correspondence, internet history, phone usage, notes on reasons for leaving the company, credit information, immigration forms, and documents related to internal and external complaints and investigations.63See id.; see also Complying with Employment Record Requirements, SHRM (Apr. 4, 2018), https://perma.cc/XYL2-EAF8 (listing what types of employee personal information an employer must collect). During the COVID-19 pandemic, software companies like Zoom began providing employers with reports and logs that track employees’ daily productivity. Zoom even offered employers an attention-tracking feature, which flagged participants who did not keep the meeting window in focus; Zoom removed that feature in April 2020 after public criticism. Adam Janofsky, You Can Track Employees Working from Home. But Should You?, Protocol (Mar. 23, 2020), https://perma.cc/7SCL-F5AG. Employers also often have access to employees’ medical information, including fitness-for-duty test results, disability accommodation requests, drug and alcohol test results, medical reimbursement requests, information about family member health, and information about past and present medical conditions.64Complying with Employment Record Requirements, supra note 63. “The FCRA reports exclude preplacement or fitness-for-duty physicals or any reports generated internally by an employer, such as internal reference checking. Drug tests . . . will likely be covered if reported to the employer from a consumer-reporting agency.” When Do Employers Need to Comply with the Fair Credit Reporting Act?, supra note 38. And with new technology, employers are able to collect even more employee data with ease; employers may be able to track female employees’ menstrual cycles through apps or use wearable technology to track employees’ locations.65Lapowsky, supra note 41.
Some employers are even implanting radio-frequency identification (“RFID”) chips in their employees’ skin, which one trade publication describes as transmitting—often without the implanted employee’s knowledge—a wide variety of data including location, sleep duration, and blood pressure.66Sarah Gallo, Microchipping Employees: A Rising Trend in the Future of Work?, Training Indus. (Jan. 28, 2020), https://perma.cc/8E3L-F3TD. That description overstates what has actually been deployed: the workplace implants reported to date are passive tags with no battery or sensors, storing a short identifier that is read only when a compatible reader is held within a few centimeters, so the realistic exposure is the identifier (and whatever it unlocks) rather than continuous physiological or location data. All of this employee-data collection and tracking is generally legal, and consent is not always necessary.67See Tom Spiggle, Can Employers Monitor Employees Who Work from Home Due to the Coronavirus?, Forbes (May 21, 2020, 9:48 AM), https://perma.cc/YL55-JXLB. Where consent is required, it is often given but not in a meaningful way, as few policies keep an employer from retaliating against employees who refuse to consent.68See Lapowsky, supra note 41.
Employer control and ownership of this vast amount of employee data carries substantial privacy risk. Some employee information is stored in personnel records, which need not be maintained in secure confidential files.69Complying with Employment Record Requirements, supra note 63. While credit, medical, and immigration information must be stored confidentially and must meet some additional storage requirements, this information is only protected insofar as employers actually have proper privacy policies and systems in place.70Id. Employers are free to choose whether they store this information electronically or in paper form,71Id. unlike companies that must strictly comply with consumer protection standards set in statutes. If employers choose to use electronic record-keeping systems, they may choose between cloud-based systems, which are easier to use, or private on-premises systems, which provide more control.72Id. Neither choice removes the employer’s responsibility for who can read the records: a cloud provider secures its platform, but the employer still configures the access controls, encryption, and logging for its own data. Both systems have drawbacks and may be accessible to hackers who take advantage of unencrypted information and vulnerabilities in software and systems,73Aliah D. Wright, How to Prevent Data Breaches, SHRM (Sept. 28, 2015), https://perma.cc/CPT9-WYLK. or even to disgruntled current and former employees.74See 10 Data Leaks that Have Cost Fortune 500 Companies a Fortune, Secude (May 27, 2019), https://perma.cc/MR76-9EL7 (Tesla filed a lawsuit against one of its previous employees who was found to have leaked sensitive data); 61% of CIOs Believe Employees Leak Data Maliciously, Help Net Sec. (Mar. 27, 2019) [hereinafter Help Net], https://perma.cc/72M7-FEYH (“23% of employees who intentionally shared company data took it with them to a new job.”). Further, the new technologies employers use to track employees or collect their data, like wearable technology or apps, raise their own privacy concerns, as third-party software is outside the employer’s control and can itself be compromised.75See Lapowsky, supra note 41.
Similarly, because these passive tags answer any compatible reader, an identity thief with an inexpensive RFID or NFC reader held close to the implant can read, and for tags that perform no authentication can clone, the stored identifier without the implanted person’s knowledge, and can then present that identifier wherever it serves as a credential.76See Gallo, supra note 66.
Employers are required to keep certain employee information for a long period, further increasing privacy concerns.77Complying with Employment Record Requirements, supra note 63. While the US Equal Employment Opportunity Commission requires that employers store records for one year after termination,78Recordkeeping Requirements, U.S. Equal Emp. Opportunity Comm’n, https://perma.cc/EY8Z-ES9Y. employers often keep employee files for seven years before purging them, as this typically covers other state and federal regulations and statutes of limitations.79Complying with Employment Record Requirements, supra note 63. Employers often keep employee records not only to comply with state and federal statutes but also to defend against any future employee litigation. Id. Further, some employers are required to keep rejected applications and resumes for two or more years.80See What Are the Federal Record Retention Guidelines for Applications and Resumes of Candidates We Do Not Select?, SHRM, https://perma.cc/R4KH-P9PB. This means employees who have long since left a company, or never even worked for that company, may be vulnerable to a data breach. For example, in 1999, a then-current Ligand Pharmaceuticals Inc. (“Ligand”) employee found records of former employees of a company Ligand had previously acquired.81Amy Johnson, Suit Claims Pharmaceutical Company Responsible for Employees’ Identity Thefts, San Diego Source (Oct. 2, 2000), https://perma.cc/P62L-CRQM. The records included “names, addresses, Social Security numbers . . . , birth dates and other data,” which she then stole and used to rent three apartments, open twenty cell phone accounts, and purchase over $100,000 in goods through numerous credit card accounts.82Susan J. Wells, Stolen Identity, SHRM (Dec. 1, 2002), https://perma.cc/5WUX-7VQN. These victims never had a relationship with Ligand, as they were former employees of a company Ligand had acquired four years earlier, yet Ligand’s data breach left them vulnerable.83Id. (“Ligand had a strict policy safeguarding data pertaining to current employees, but . . . the firm didn’t apply that same standard of protection to the files [obtained as a result of the acquisition].”).
As in the case of the Ligand data breach, employees are often responsible for security incidents leading to data breaches, meaning employees have a tremendous responsibility to protect their colleagues’ data—a responsibility absent in the consumer context.84See Lisa Nagele-Piazza, Employees Are Key To Curbing Data-Breach Risks, SHRM (Nov. 20, 2018), https://perma.cc/YE7J-5Y4W. Fifty-three percent of companies estimate that every employee has access to more than 1,000 files that contain sensitive information about their colleagues.85Sobers, supra note 7. Employees may access these files from nonsecure devices that hackers can easily compromise, or may even maliciously copy the data onto personal devices for current or future harmful use, meaning the employee may use or sell the data after terminating the relationship with the employer.86Help Net, supra note 74. Yet data security training, including training on how to recognize security threats, is “the most underspent sector of the cybersecurity industry.”87Abi Tyas Tunggal, 116 Must-Know Data Breach Statistics for 2020, UpGuard (Aug. 5, 2020), https://perma.cc/DM9R-UX9B.
Lack of training means employee information is constantly under threat. For example, a disgruntled employee of Coca-Cola stole fifty-five laptops from the company throughout his employment, giving him access to the sensitive data of more than 74,000 individuals.88John E. Dunn, Coca-Cola Suffers Data Breach After Employee “Borrows” 55 Laptops, CSO (Jan. 28, 2014, 7:00 AM), https://perma.cc/KK2S-EY4Z. Eighteen thousand of these data records contained Social Security numbers.89Id. It ultimately took six years for the security threat to be discovered, and it was not until the laptops were recovered that the company, or its other employees, knew the data was stolen.90Id. Coca-Cola experienced the same problem again in 2017 when a different employee compromised the data of 8,000 employees after stealing a hard drive.91Isaac Kohen, Coca-Cola Discloses Insider Attack, 8,000 Affected by Breach, IT Sec. Cent. (June 8, 2018), https://perma.cc/842V-KQLG. Consumers do not have such unfettered access to other consumers’ personal data.
The current consumer protection statutory framework fails to protect employee data, as it expressly excludes employees from many of its protections and fails to implement additional, necessary employee protections. Under this framework, employees never have a private right of action to sue for damages incurred when protecting against potential future identity theft. This leaves employees extremely vulnerable to future identity theft without any remedy, a fact that is especially concerning as employers collect and store vast amounts of data about their employees, with current technology allowing employers to collect more data than ever. Without a private right of action, employees can only sue their employer after a data breach if they have standing. When looking at data breach litigation in the employee context, courts are divided as to whether plaintiff-employees should have standing to sue their employer for risk of future identity theft.92See generally In re U.S. Office of Pers. Mgmt. Data Sec. Breach Litig. (OPM), 928 F.3d 42 (D.C. Cir. 2019); Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011); Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010).
II. The Wide Divide in What is Required for Employee Standing After a Data Breach
For employees to recover for injuries arising from the risk of future identity theft after their employer suffers a data breach, employees must satisfy the Constitution’s Article III standing requirements, so the case is justiciable.93Lorio, supra note 20, at 82–84. This threshold is difficult to meet when a plaintiff is suing based on injuries from the risk of future identity theft. While numerous circuits have opined on standing in consumer-data-breach cases,94See generally Bugni, supra note 12 (discussing Article III standing in data breach cases). relatively few have specifically discussed standing in employee-data-breach cases,95See Hooker & Pill, supra note 13. where meeting standing requirements may be quite difficult. The circuits that have weighed in on this issue have disagreed with each other.96OPM, 928 F.3d at 49, 53 (holding that past, present, and prospective government-employee plaintiffs whose information was stolen through a cyberattack of OPM’s data system had Article III standing); Reilly, 664 F.3d at 40, 42 (holding that employee-plaintiffs harmed by a security breach of the employer’s payroll processing contract provider lacked standing because the injury was based on a risk of future harm); Krottner, 628 F.3d at 1140, 1143 (holding that Starbucks employees whose private information was on a stolen laptop had standing to sue because they “alleged a credible threat of real and immediate harm stemming from the theft”); see also Lorio, supra note 20, at 91–111 (discussing disagreements between courts as to whether a suit alleging harm from risk of future identity theft meets standing requirements generally). To understand standing in the employment context, it is essential to examine standing requirements generally.
A. Standing Requirements Generally
Article III standing requirements limit the class of litigants able to maintain a lawsuit in federal court to recover for a legal wrong.97Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1547 (2016). This “serves to prevent the judicial process from being used to usurp the powers of the political branches.”98Id. (quoting Clapper v. Amnesty Int’l USA, 568 U.S. 398, 408 (2013)). In Spokeo, Inc. v. Robins,99136 S. Ct. 1540 (2016). the Supreme Court held that to meet the Constitution’s standing requirements, plaintiffs must allege that: (1) they “suffered an injury in fact”; (2) the injury is “fairly traceable to the challenged conduct of the defendant”; and (3) “a favorable judicial decision” would likely redress the injury.100Id. at 1547 (citing Lujan v. Defs. of Wildlife, 504 U.S. 555, 560–61 (1992)). The party invoking federal jurisdiction must establish and support these elements with the manner of evidence required at the stage of the litigation in which the court is analyzing standing.101Lujan, 504 U.S. at 561. If the court is analyzing standing at the pleading stage, for example, “general factual allegations . . . may suffice,” but at a later stage—perhaps in response to a summary judgment motion—specific facts are needed.102Id. Each of these requirements has its own specific elements,103See, e.g., Spokeo, 136 S. Ct. at 1547–48 (citing Lujan, 504 U.S. at 560). which all must be understood to provide a full picture of the hurdles employees meet in data breach cases.
B. Elements of Standing and Problems Employees Face in Meeting Them
When a plaintiff wants to sue for risk of future identity theft after a company experiences a data breach, she must attempt to determine what happened to her information to bring a complaint that will sufficiently meet standing requirements. At the time of filing, she may not yet have suffered any actual financial loss because the identity thief may not use her personal information until a future time.104Bugni, supra note 12, at 66. Plaintiffs cannot know when or if thieves will use their information.105Reilly v. Ceridian Corp., 664 F.3d 38, 42 (3d Cir. 2011). Alternatively, a hacker may have been unable to effectively access personal information sufficient to allow him to commit identity theft.106See id. After a data breach, plaintiffs often do not have enough information to determine which scenario they are facing, and thus they struggle to meet each element of the standing requirements.
1. Injury in Fact
To have standing, the plaintiff must sufficiently plead that they have suffered an injury in fact, which ensures that the plaintiff has a “personal stake” in the controversy’s outcome.107Susan B. Anthony List v. Driehaus, 573 U.S. 149, 158 (2014) (quoting Warth v. Seldin, 422 U.S. 490, 498 (1975)). The Supreme Court defined an injury in fact as an “invasion of a legally protected interest” that is both “concrete and particularized,” and “actual or imminent.”108Lujan, 504 U.S. at 560 (quoting Whitmore v. Arkansas, 495 U.S. 149, 155 (1990)). The injury cannot be merely “conjectural or hypothetical.”109Id. (internal quotation marks omitted).
A concrete and particularized injury must exist, individually affect the plaintiff, and cannot merely be an injury only others suffer.110Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1548 (2016). For example, an employee whose information a hacker did not steal has not suffered a concrete injury in fact and has no standing to sue on behalf of other employees. Yet, an injury need not be easy to prove to be concrete.111See id. at 1549 (“For example, the law has long permitted recovery by certain tort victims even if their harms may be difficult to prove or measure.”). This does not always help plaintiff-employees in data breach cases, as these plaintiffs often cannot allege enough facts in the complaint to show that a concrete injury occurred. These plaintiffs have little to no evidence about what happened to their personal information once it left the defendant-employer’s control and, therefore, cannot meet this low bar.112Karlsgodt, supra note 10. Plaintiff-employees may not even be able to determine if the hacker accessed their personal information at all.113See Reilly v. Ceridian Corp., 664 F.3d 38, 42 (3d Cir. 2011).
Additionally, an injury in fact must be actual or imminent. An actual injury is one that has already occurred114See Susan B. Anthony List v. Driehaus, 573 U.S. 149, 158 (2014).—for instance, where an employee’s data was used in an unauthorized transaction after a data breach—whereas an imminent injury is one that is “certainly impending.”115Clapper v. Amnesty Int’l USA, 568 U.S. 398, 409 (2013) (emphasis omitted) (quoting Lujan v. Defs. of Wildlife, 504 U.S. 555, 565 (1992)). An allegation of future injury may satisfy the imminence requirement if “there is a substantial risk that the harm will occur.”116Driehaus, 573 U.S. at 158 (internal quotation marks omitted) (quoting Clapper, 568 U.S. at 414 n.5). Some courts, relying on Clapper v. Amnesty International USA,117568 U.S. 398 (2013). have held that the potential for future identity theft after a data breach is not enough to establish an imminent injury because the risk that a hacker may use stolen data is too speculative and not substantial.118Karlsgodt, supra note 10. On the other hand, a rising number of courts have disagreed, calling the risk “sufficiently substantial,” so “incurring mitigation costs [to protect one’s identity] is reasonable.”119Galaria v. Nationwide Mut. Ins. Co., 663 F. App’x 384, 388 (6th Cir. 2016); see also Karlsgodt, supra note 10. Further, it is unclear whether courts are likely to find an imminent injury in fact when a defendant-employer offers credit monitoring services after a data breach, as these services make the risk of future identity theft even more speculative.120Karlsgodt, supra note 10. The injury-in-fact requirement is the most difficult for plaintiffs in data breach cases to satisfy due to the lack of evidence available and the wide division in the courts on the matter.121Megan Dowty, Comment, Life is Short. Go to Court: Establishing Article III Standing in Data Breach Cases, 90 S. Cal. L. Rev. 683, 688 (2017); see also infra Part III.A.
2. Traceability or Causation
The second standing requirement is that the alleged harm “is fairly traceable to the challenged conduct of the defendant,”122Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1547 (2016) (citing Lujan v. Defs. of Wildlife, 504 U.S. 555, 560–61 (1992)). a requirement data-breach plaintiffs can satisfy more easily than the first, yet challenges remain.123See Karlsgodt, supra note 10; see also Dowty, supra note 121, at 694 (stating that the causation requirement is satisfied where a business admits customer information has been exposed by sending a notification of data breach). To show traceability, the defendant’s conduct need not be the most immediate cause of the injury or even a proximate cause, but the injury must merely be “fairly traceable” to the defendant.124See Lexmark Int’l, Inc. v. Static Control Components, Inc., 572 U.S. 118, 125–26 (2014). In the consumer-data-breach context, courts have held that if a company alerts consumers that their personal information has been stolen, this is sufficient to trace the injury to that company.125See Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 690, 693 (7th Cir. 2015). However, if multiple data breaches at different companies happen simultaneously or close in sequence, plaintiffs with accounts or information profiles at each of these companies may struggle to prove that their harm is traceable to a breach at one particular company.126John Biglow, Note, It Stands to Reason: An Argument for Article III Standing Based on the Threat of Future Harm in Data Breach Litigation, 17 Minn. J.L. Sci. & Tech. 943, 961 (2016). And, in cases without a breach alert, even if a plaintiff can determine that stolen personal information was used after one particular hack, not all courts will find this sufficient to establish traceability without more evidence tying the use of personal information to the hack.127See Hooker & Pill, supra note 13, at 36.
It is also unclear whether courts will find traceability if the data breach was due to a third party not before the court.128See Lujan v. Defs. of Wildlife, 504 U.S. 555, 560 (1992); see also In re U.S. Office of Pers. Mgmt. Data Sec. Breach Litig. (OPM), 928 F.3d 42 (D.C. Cir. 2019). This causes problems in employee-data-breach cases especially, as many employers use third-party services to store or collect employees’ personal information.129Finkin, supra note 62, at 355. Employees would likely prefer to sue their employer rather than a third party, as it may be easier to gather information from the employer (an entity far better known to the employees). An employer may also be better positioned to provide redress for its employees’ injuries stemming from a data breach, even if that data breach was due to a third party.
3. Redressability
The last standing requirement is that a favorable judicial decision will redress the injury.130Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1547 (2016). It cannot be merely speculative that a favorable decision would provide redress; it must be at least “likely.”131Lujan, 504 U.S. at 561. It is difficult to show redressability when future risk is uncertain.132See Dowty, supra note 121, at 695. This is particularly true when a defendant-employer provides free credit monitoring services for a finite period after a breach. Even though a plaintiff may suffer harm beyond that period, courts may be unlikely to find that further judicial action is needed to redress the injury because it is too speculative whether an identity thief will use personal information after the services expire.133See Reilly v. Ceridian Corp., 664 F.3d 38, 46 (3d Cir. 2011). Additionally, it is often uncertain how long the plaintiff must monitor his credit and other personal information.134Elizabeth T. Isaacs, Comment, Exposure Without Redress: A Proposed Remedial Tool for the Victims Who Were Set Aside, 67 Okla. L. Rev. 519, 542 (2015). The current legal scheme in data breach cases is neither uniform nor clear on what redress is available for plaintiffs beyond monetary damages.135See Hooker & Pill, supra note 13, at 38.
Without pleading enough facts to allege (1) injury in fact, (2) traceability or causation, and (3) redressability, a plaintiff does not meet the standing requirements and a federal court cannot hear her complaint. For employees in data breach litigation, pleading enough facts to meet these requirements is exceptionally difficult.136See Lorio, supra note 20, at 83–91. Case law in the data breach context focuses mainly on consumers and shareholders rather than employees, so few cases illuminate how employees can overcome these standing issues.137See Hooker & Pill, supra note 13, at 31. And there is great uncertainty in how courts will decide these cases in the future.138See id. Because employees have different considerations than consumers in this context, the extensive body of case law dealing with consumers in the aftermath of a data breach is not very helpful to employees.139See supra Part I.B.
C. The Circuit Courts Weigh In
The few circuit courts that have examined the issue of employer liability for risk of future identity theft have not agreed on whether employees have standing to sue their employer in this situation. The Ninth Circuit first addressed the issue in 2010 in Krottner v. Starbucks Corp.,140628 F.3d 1139 (9th Cir. 2010). where it held that employees’ risk of future identity theft was an injury in fact.141See id. at 1143. Shortly afterward, the Third Circuit, in Reilly v. Ceridian Corp.,142664 F.3d 38 (3d Cir. 2011). held that risk of future identity theft is too speculative an injury for employees to meet the injury-in-fact standing requirement.143Id. at 46. Years later, the DC Circuit held in In re US Office of Personnel Management Data Security Breach Litigation144928 F.3d 42 (D.C. Cir. 2019). that employees suing for risk of future identity theft met all Article III standing requirements.145Id. at 75. Considering these cases is important when evaluating how courts should decide the issue in the future.
1. The Ninth Circuit: Krottner v. Starbucks Corp.
In October 2008, someone stole a laptop containing the unencrypted names, addresses, and Social Security numbers of approximately 97,000 employees from Starbucks Corporation.146Krottner, 628 F.3d at 1140. Less than a month later, Starbucks notified affected employees of the theft, stating there was “no indication that the private information [had] been misused,” and that Starbucks would provide credit monitoring services to affected employees for one year.147Id. at 1140–41. After receiving this letter, several plaintiff-employees sued Starbucks in federal court, alleging negligence and breach of implied contract.148Id. at 1141. Plaintiff-employees alleged various injuries, including needing to be “extra vigilant” in watching bank and 401(k) accounts and spending a “substantial amount of time doing so”; spending time placing fraud alerts on credit cards; and paying out-of-pocket costs for credit monitoring services after the one year of services Starbucks provided expired.149Id. In addition, one plaintiff-employee alleged that he had “generalized anxiety and stress regarding the situation.”150Id.
After the district court dismissed the claims, the plaintiffs appealed to the Ninth Circuit, where the court examined the employees’ standing.151Id. at 1141–42. It was undisputed that plaintiffs had sufficiently alleged traceability and redressability, but the Ninth Circuit independently reviewed the injury-in-fact standing requirement.152Krottner, 628 F.3d at 1141–42. The court approached the standing analysis in two ways. First, the court held that the plaintiff who alleged emotional injury—in this case “generalized anxiety and stress”—had standing because the Supreme Court previously held that a plaintiff alleging emotional harm after improper disclosure of his Social Security information suffered a sufficient injury in fact to confer standing.153Id. at 1142 (citing Doe v. Chao, 540 U.S. 614, 617–18, 624–25 (2004)). Second, the court examined standing as to the remaining plaintiffs, applying a rule lifted from environmental case law that if a plaintiff faces a “credible threat of harm” that is both “real and immediate, [and] not conjectural or hypothetical,” then the plaintiff has met the injury-in-fact standing requirement.154Id. This rule comes from environmental case law stating that plaintiffs need not wait for damage to occur when monetary damages may be insufficient to restore a plaintiff to his original position, as in the instance of species extinction. See, e.g., Cent. Delta Water Agency v. United States, 306 F.3d 938, 950 (9th Cir. 2002). It is fitting in the data-breach-litigation context, as once a person’s identity is stolen, there is no going back, and not all parts of a person’s identity can be restored with monetary damages. See Sato, supra note 8. 
The court applied that rule to the Starbucks employees, holding that they had a credible threat of real and immediate harm because the laptop contained their unencrypted data and was stolen—therefore, the injury was “not conjectural or hypothetical”—and so an injury in fact existed.155Krottner, 628 F.3d at 1143.
2. The Third Circuit: Reilly v. Ceridian Corp.
In 2009, Ceridian Corporation, a payroll processing firm, experienced a security breach when an unknown hacker infiltrated Ceridian’s systems and gained access to personal and financial information belonging to 27,000 employees at 1,900 companies.156Reilly v. Ceridian Corp., 664 F.3d 38, 40 (3d Cir. 2011). This information included names, addresses, Social Security numbers, dates of birth, and bank account information.157Id. Ceridian notified potential victims of the breach and provided the affected individuals with one year of free credit monitoring.158Id. Importantly, it was not these potential victims of identity theft—employees of various companies—who gave their information to Ceridian, but the employer-companies.159See id.
Employees of a law firm using Ceridian’s services filed a complaint against Ceridian in federal court alleging injury from increased risk of identity theft.160Id. The court dismissed the complaint, holding that the plaintiffs lacked Article III standing.161Id. at 41. When reviewing an appeal of the dismissal, the Third Circuit asked: If the plaintiffs’ allegations in the complaint were true, did they allege facts sufficient to grant them standing?162Reilly, 664 F.3d at 41. The court’s answer was no.163Id. To the court, the plaintiffs’ allegations were hypothetical and speculative because they relied on the theory that the hacker: “(1) read, copied, and understood their personal information; (2) intends to commit future criminal acts by misusing the information; and (3) is able to use such information to the detriment of [plaintiffs] by making unauthorized transactions in [plaintiffs’] names”164Id. at 42.—something the plaintiffs did not have sufficient evidence to prove. The court continued: “[U]nless and until these conjectures come true, [plaintiffs] have not suffered any injury; there has been no misuse of the information, and thus, no harm.”165Id. Despite the fact that the court needed to examine the question as if the plaintiffs’ allegations in the complaint were true, ultimately, the court held that the employees did not plead sufficient facts to show standing because any costs expended to “watch for a speculative chain of future events based on hypothetical future criminal acts” did not, to the court, represent an actual injury.166Id. at 46.
3. The DC Circuit: In re US Office of Personnel Management Data Security Breach Litigation
In 2014, hackers breached multiple US Office of Personnel Management (“OPM”) databases, allegedly stealing personal information and affecting more than twenty-one million people.167In re U.S. Office of Pers. Mgmt. Data Sec. Breach Litig. (OPM), 928 F.3d 42, 49 (D.C. Cir. 2019). The personal information included birth dates, Social Security numbers, addresses, fingerprint records, and other background check information.168Id. This massive data breach led to several lawsuits, which were ultimately consolidated into two complaints from the National Treasury Employees Union (“NTEU”) and the American Federation of Government Employees (“AFGE”).169Id.
To access employees’ information, hackers stole login credentials for KeyPoint Government Solutions, Inc., a firm that handles a majority of OPM’s background investigation fieldwork.170Id. at 50. After the breach, OPM offered affected individuals theft protection services and insurance at no cost for either eighteen months or three years, depending on whether the hacker stole their Social Security number.171Id. These offerings, however, failed to address the concerns of all parties.172Id. From 2007 to 2014, OPM was aware that its security system was deficient in several ways and that there were “material weaknesses” in the agency’s information security governance system.173OPM, 928 F.3d at 51. When the data breach occurred, OPM lacked a centralized network security system to continuously monitor all system threats.174Id. at 52.
The plaintiffs asserted a variety of claims against OPM.175Id. at 52–53. The plaintiffs emphasized that when they provided OPM with the sensitive personal information that was ultimately exposed in the breaches, they did so with the agency’s assurance that this information “would be safeguarded and kept confidential.”176Id. at 52. The AFGE plaintiffs alleged that OPM failed to establish appropriate safeguards to protect their information as promised,177Id. and sought monetary damages and an order requiring OPM to extend free lifetime identity theft and fraud protection services to employees affected by the breach.178Id. The NTEU plaintiffs sought a declaration that OPM’s failure to protect their information violated a constitutional right to privacy.179OPM, 928 F.3d at 53. The district court granted OPM’s motions to dismiss both sets of claims for lack of standing.180Id.
The DC Circuit reversed the district court in part, holding that both sets of plaintiffs alleged facts sufficient to satisfy Article III standing requirements.181Id. The court first examined the NTEU plaintiffs’ claims and assumed for standing purposes, as alleged in their complaint, that their “constitutional right to informational privacy” was violated.182Id. at 54 (citing Estate of Boyland v. U.S. Dep’t of Agric., 913 F.3d 117, 123 (D.C. Cir. 2019) (“[W]hen considering whether a plaintiff has Article III standing, a federal court must assume, arguendo, the merits of his or her legal claim.”)). The court held that “the loss of a constitutionally protected privacy interest . . . would qualify as a concrete, particularized, and actual injury in fact.”183Id. at 55. In addition, the NTEU plaintiffs alleged that a “substantial risk” remained that their personal information would be stolen from OPM in the future, which the district court also held to be an imminent injury in fact.184Id. at 54–55.
The AFGE plaintiffs alleged no constitutional injury, but did allege a variety of future data-breach related harms.185OPM, 928 F.3d at 55. The court held that these plaintiffs suffered an injury in fact because they faced an ongoing and substantial risk of identity theft.186Id. at 55–56. This was because Social Security numbers and addresses, unlike credit card numbers, could not be easily changed.187Id. at 56. The court added that “our birth dates and fingerprints are with us forever.”188Id. While some of the plaintiffs noted that unauthorized charges appeared on their credit card and bank account statements since the breaches, the court indicated that an injury in fact existed even without these charges.189Id. Other forms of fraud, the court stated, like “opening of new accounts and the filing of fraudulent tax returns[,] may be accomplished using the information stolen during the breaches at issue.”190Id.
The court also distinguished this case from Reilly by remarking that both sets of plaintiffs in this case alleged more in their complaints than the Reilly plaintiffs.191OPM, 928 F.3d at 58–59. Here, plaintiffs alleged that the hackers intentionally targeted their information, whereas the plaintiffs in Reilly did not allege that the hacker read, copied, or understood any personal data.192Id. Further, the court indicated that while the threat of identity theft fades over time, the passage of time here—less than two years between the breach and the filing of the complaint—was not enough “to render the threat of future harm insubstantial.”193Id. at 59.
Thus, the court found that both the NTEU and AFGE plaintiffs pled sufficient facts to show an injury in fact.194Id. The court also found that both sets of plaintiffs alleged facts sufficient to show causation, as the plaintiffs alleged that OPM’s failure to secure its information systems and KeyPoint’s failure to secure its login credentials were substantial factors in causing the breaches.195Id. at 60. Finally, the court held that both sets of plaintiffs showed a redressable injury.196Id. at 55, 61. The monetary damages that the AFGE plaintiffs sought could redress any proven injury related to the risk of identity theft.197OPM, 928 F.3d at 61. The NTEU plaintiffs’ injuries were redressable either by a declaration that OPM’s failure to protect its employees’ information was unconstitutional or by an order requiring OPM to correct its security deficiencies.198Id. at 55. Therefore, the DC Circuit held that both sets of plaintiffs pled sufficient facts to meet Article III standing requirements and could bring their claims based on risk of future identity theft.199Id. at 75.
Despite the DC and Ninth Circuits’ decisions affirming that employees had standing, the Third Circuit’s decision obscures when employees can sue to recover for risk of future identity theft. While both the DC and Ninth Circuits held that employees pleaded sufficient facts in their complaints to allege an injury in fact, the Third Circuit considered employees’ allegations too speculative. Each case’s outcome depended on the facts pleaded in the complaint, and so the next Part will discuss what employee-plaintiffs must plead in their complaint to successfully meet standing requirements.
III. Removing Employers’ Liability Shield in Data Breach Cases
The existing division in the circuit courts makes it unclear whether courts will hold that employees have standing to sue their employer for risk of future identity theft after a data breach, providing employers with a liability shield in many of these cases. Clarity is essential and attainable with a consistent rule: employees have standing to sue their employer for risk of future identity theft when they allege certain facts in their complaint to show they have suffered an injury in fact that is traceable to their employer and redressable with a favorable court decision. To remove employers’ liability shields more completely in data breach cases, Congress and state legislatures must enact comprehensive consumer data privacy legislation that does not expressly exclude employer information from its protected data.
A. What Employees Must Plead to Have Standing to Sue
All courts should take the position of the Ninth and DC Circuits and find that employees have standing to sue their employer if they allege enough in their complaint to meet all three Article III standing requirements—injury in fact, traceability or causation, and redressability—when suing their employer for risk of future identity theft.
1. Meeting the Injury-in-Fact Requirement
First, employees must sufficiently plead that they have suffered an injury in fact. In Krottner, Reilly, and OPM, the courts held that to prove an injury in fact, employees must allege that a hacker stole and intentionally accessed their personal information.200See id. at 60–61; Reilly v. Ceridian Corp., 664 F.3d 38, 40, 46 (3d Cir. 2011); Krottner v. Starbucks Corp., 628 F.3d 1139, 1142–43 (9th Cir. 2010). In Krottner, the employees met this standard, as they indicated in their complaint that a thief stole the laptop containing employee information.201Krottner, 628 F.3d at 1143. The court held that the injury was actual and not conjectural.202Id. In OPM, the employees alleged that the hackers intentionally targeted their information.203OPM, 928 F.3d at 58–59. In contrast, the employees in Reilly failed to plead enough facts to specifically show that a hacker stole and accessed their information, so the court held that these employees did not have standing.204Reilly, 664 F.3d at 42.
Additionally, the Third and DC Circuits held that the information stolen must be the type that can be used to make unauthorized transactions or to open accounts.205See OPM, 928 F.3d at 56; Reilly, 664 F.3d at 43. In OPM, plaintiffs noted in the complaint that the hacker obtained employees’ addresses, Social Security numbers, fingerprint records, and birth dates, which the court said could be used to open accounts.206See OPM, 928 F.3d at 49. Therefore, to sufficiently claim an injury in fact, employees must allege that a hacker stole personal information of the type that he could use for unauthorized transactions. These employees need not plead that the hacker obtained all the same types of information for each victim.
While the Third Circuit required that employees allege that the hacker intended to commit future criminal acts,207Reilly, 664 F.3d at 42. this requirement is not necessary to claim an injury in fact. Courts should follow the Ninth Circuit on this point—plaintiffs do not need to plead intent208See generally Krottner v. Starbucks Corp., 628 F.3d 1139, 1143 (9th Cir. 2010).—because it would be nearly impossible for employees to gather evidence to show a hacker’s intent when suing for risk of future identity theft. It is unreasonable to think employees can find a hacker and determine his intent on their own.209Karlsgodt, supra note 10. Requiring this evidence would likely preclude employees from suing in almost every situation.
In addition, the Ninth Circuit held in Krottner that a plaintiff meets the first standing requirement by alleging “generalized injury and stress” as a result of worrying about future identity theft after the data breach.210Krottner, 628 F.3d at 1141–42. This follows the Supreme Court’s previous suggestion that similar emotional harm was sufficient to meet the standing requirement in a case where improper disclosure of Social Security information was at issue.211Id. (citing Doe v. Chao, 540 U.S. 614, 617–18, 624 (2004) (holding that the plaintiff had an injury in fact because he alleged that he “was ‘torn . . . all to pieces’ and ‘greatly concerned and worried’ because of the disclosure of his Social Security number and its potentially ‘devastating’ consequences”)). While courts should find that an employee who alleges specific emotional harm has standing to sue, employees should only allege this harm if it is redressable, which is necessary to overcome the third standing requirement.
Importantly, the DC Circuit discussed time’s effect on the ability to meet the injury-in-fact requirement. For an employee to plead an injury in fact, they must show that the injury is actual or imminent.212Lujan v. Defs. of Wildlife, 504 U.S. 555, 560 (1992). The DC Circuit indicated that while the threat of identity theft after a data breach decreases over time, the threat of future harm may not be improbable enough to impede finding an injury in fact.213In re U.S. Office of Pers. Mgmt. Data Sec. Breach Litig. (OPM), 928 F.3d 42, 59 (D.C. Cir. 2019). The court held that two years between the data breach and filing suit did not hinder the employees from alleging a sufficient injury in fact.214Id. Consequently, a two-year lapse in time between the data breach and the start of a lawsuit alleging injury from risk of future identity theft should not preclude finding an imminent injury, and courts should allow a longer lapse in time to suffice if plaintiff-employees can also show causation after a longer gap.215For example, in the Coca-Cola incident, an employee stole laptops over a six-year period. See supra notes 88–91 and accompanying text. If the first victims were to sue, they should be able to recover and not be limited by the six-year time lapse.
The Third Circuit, with its strict approach to standing, required employees to show that they had already suffered actual identity theft to sufficiently plead an injury in fact.216Reilly v. Ceridian Corp., 664 F.3d 38, 40, 46 (3d Cir. 2011). Both the Ninth and DC Circuits rejected this view, and other courts should as well, because the harms suffered from past identity theft and risk of future identity theft are dissimilar.217OPM, 928 F.3d at 59; Krottner v. Starbucks Corp., 628 F.3d 1139, 1143 (9th Cir. 2010). While it strengthens the employees’ position to allege that identity theft has already occurred—because it proves a hacker has accessed information that can be used to commit future identity theft—it should not be required, as victims suffering from a risk of future identity theft must expend separate resources to protect their personal information from possible misuse. Just because a hacker has not already used someone’s information to engage in unauthorized transactions does not mean he will not do so in the future.218See OPM, 928 F.3d at 59.
In sum, to successfully show an injury in fact, employees must allege that a hacker accessed and stole their information, and that the information is the type that the hacker can use for unauthorized transactions or to open accounts. A lengthy time between the data breach and when employees file suit should not preclude the employees from sufficiently alleging an imminent injury in fact. An employee need not have already suffered identity theft to meet the injury-in-fact requirement.
2. Meeting the Traceability or Causation Requirement
Second, employees must allege enough facts to show that their employer caused the data breach or that the data breach is traceable to the employer’s actions. In the consumer context, if a company provides notice of a data breach, this requirement is automatically satisfied.219See Dowty, supra note 121, at 694 (stating that the causation requirement is automatically satisfied where a business admits customer information has been exposed by sending a notification of data breach). This should apply in the employment context as well, because when an employer notifies its employees that it experienced a data breach and employee information was stolen, the employer is essentially acknowledging that its security was too lax to protect employee data.
If an employer does not notify its employees of a data breach, employees may also meet the second standing requirement if they underscore the employer’s specific security failures. In OPM, employees met this requirement by alleging that OPM failed to secure its information systems and that KeyPoint failed to secure its login credentials.220OPM, 928 F.3d at 60. If employees allege similar facts by stating that their employer failed to secure its systems or login credentials, a court should hold that the employees have met the standing requirement. Similarly, employees could allege facts showing their employer had other security breakdowns or failed to follow proper procedures when maintaining its security infrastructure or handling personal information.
Both employers and third-party companies that employers use to store, process, and collect employee data should be treated the same in this context. Employees have little say over which third parties employers hire and what information employers hand over to these third parties for information storing and processing.221See Finkin, supra note 62, at 407–08. Additionally, had the employer not chosen the specific third party to handle sensitive information, the third party’s security failure would not have led to the theft of employee information. Therefore, the theft is traceable to the employer. In OPM, the DC Circuit treated OPM as the main defendant responsible for a security breach even though KeyPoint, the third party handling OPM’s employees’ information, substantially caused the breach.222See OPM, 928 F.3d at 60. Other courts should follow the DC Circuit’s approach, which directs that when an employer uses a third party to handle or collect its employees’ information and the third party then suffers a data breach, employees’ injuries are fairly traceable to the employer and not only to the third party.
Consequently, employees meet the second Article III standing requirement of traceability or causation if they show that their employer gave notice of the breach or if they can plead facts showing that their employer’s security failure may have led to the breach. Employees may trace their injuries from a third-party data breach to their employer if an employer hired that party to handle the employees’ personal data.
3. Meeting the Redressability Requirement
Third and finally, employees must show that their injury is redressable. Alleging that monetary damages will redress an injury is the easiest way to meet this requirement. While this may be tricky if an employer provided some free credit monitoring services to its employees after the data breach, the DC Circuit held that employees who received credit monitoring services could seek further monetary damages.223Id. at 61. For example, employees may allege that they will need to pay for credit or identity theft monitoring services beyond the time the employer pays for these services. Other possible monetary damages may include money spent changing information to prevent against future identity theft or lost wages from time spent changing personal information.224See Sato, supra note 8.
As for redress available beyond monetary damages, some employees in OPM successfully showed redressability when they alleged that OPM’s failure to protect their information violated a constitutional right to privacy.225OPM, 928 F.3d at 53–55. The court held that these plaintiffs’ injuries were redressable because a declaration that the employer’s failure to protect information from risk of future identity theft was unconstitutional, or an order requiring the employer to correct its security deficiencies, could provide a remedy.226Id. at 54–55. The court, in completing its standing analysis, assumed that the NTEU plaintiffs did suffer their claimed constitutional injury, because when considering whether a plaintiff has standing, a court must assume the merits of the plaintiff’s legal claim. Whether the constitutional right that these plaintiffs alleged was violated exists was not decided in relation to the standing issue. Employees in other cases may want to assert a violation of a constitutional right to privacy if a plausible constitutional violation exists. This is especially true as employers are collecting larger amounts of personal information in increasingly invasive ways, like through RFID technology, which allows employers to track employee health and movement—not always with employees’ knowledge.227See Gallo, supra note 66. A declaration that an employer’s failure to protect information (or perhaps an employer’s method of data collection) was unconstitutional can provide a strong incentive for the employer to improve data-security practices moving forward or to collect employee data using less invasive means.
Similarly, employees would be wise to seek an order requiring the employer to correct any security deficiencies, regardless of whether the employees remain with the company—as companies retain previous employees’ information for several years228Complying with Employment Record Requirements, supra note 63.—because this redress may help to protect against future data breaches.229See OPM, 928 F.3d at 65. In fact, if employees allege specific facts to show that their employer has deficient security, they can show both traceability and redressability.
Thus, employees meet the third standing requirement, redressability, if monetary damages or an order to correct security deficiencies can redress employees’ injuries. While an order requiring an employer to correct security deficiencies may not entirely alleviate the risk of future identity theft or mitigate expenses employees incur while protecting their data, it can help mitigate the risk of future data breaches.
In summary, employees should have standing to sue their employer for risk of future identity theft if in their complaint they: (1) allege that a hacker or other identity thief accessed and stole personal information that can be used for unauthorized transactions; (2) can plead facts showing an employer’s or a third party’s security failure led to the breach or that their employer or a third party gave notice of the breach; and (3) show that monetary damages or an order requiring the employer to correct security deficiencies could redress their injuries. This rule not only synthesizes the approaches of the Ninth, Third, and DC Circuits but also provides a clear, uniform standard. This rule is specific enough to guide employees who wish to sue for risk of future identity theft, and broad enough to cover a wide array of circumstances.
B. Evaluating the Proposed Rule in Practice
Testing this rule demonstrates how it will help employees recover losses from the risk of future identity theft after their employer experiences a data breach. Following a breach, employees may be fearful and may spend significant time and money to protect their financial health and personal information. This rule allows employees to recover for these injuries in a variety of situations. Consider A, an employee of and manager for the hypothetical company, LHS Clothing, a mid-size clothing retailer with 500 employees that is incorporated in California. In 2015, when A applied to LHS Clothing, she provided her employer with her address, phone number, Social Security number, bank account information for direct deposit, and a copy of her driver’s license when completing her employee onboarding documents, as well as a resume as part of her job application. Further, A consented to a third-party background check at that time in the hopes that a favorable report would help her in her future pursuits of the coveted Vice President position. LHS Clothing stored this information in a premises-based system, which five human resources employees could access from the company’s head office, in addition to two managers in each of LHS Clothing’s 500 retail stores.
Now, imagine LHS Clothing suffered a data breach, and the data thief may have accessed A’s personal data as part of the breach. A’s mother, B, had her personal information stolen in a separate incident by a hacker who opened a credit card in her name—leaving B with $50,000 in debt that is not hers, a situation that has cost her over seventy-five hours so far to try to resolve, with much frustration and little success. A is terrified that the same will happen to her. To attempt to mitigate the situation, A enrolls in credit monitoring for five years, which costs her $1,200.230See LifeLock, https://perma.cc/LS25-Y83H (advertising that the most basic, standard identity protection program from this company costs about $100 for the first year, then $125 per year thereafter ($600 for five years), while the most protective program costs $300 for the first year, then $350 per year thereafter ($1,700 for five years), with other protection options available in between). Out of an abundance of caution, A orders copies of her credit reports to check if there are any fraudulent or inaccurate listings on the report. She also closes the bank account she provided to LHS Clothing for direct deposit, opening a new one and switching over all her automatic payments and deposits to this new account. As her driver’s license was in her employee file, she also wants to go to the DMV to obtain a replacement license. Finally, she wants to change her cell phone number to avoid an increase in spam calls, so she also needs to plan a trip to visit her wireless carrier’s store. For all of this, A needs to take time off work; she is out of vacation days, after taking a trip with B, so she will have to take at least one day of unpaid leave.
Under the proposed rule, A will likely be able to recover her damages (money spent on credit monitoring and lost wages), regardless of whether the data breach was due to an outside hacker, a mistake by the third party who completed A’s background check, or one of LHS Clothing’s disgruntled employees.
1. When an Employer Experiences an Electronic Data Breach
First, we will examine A’s ability to recover against LHS Clothing if a hacker caused the data breach by breaking into LHS Clothing’s premises-based human resources system. Let’s say the hacker first accessed the data in 2017 but the breach was not discovered until 2020, when LHS Clothing hired an IT-security professional to help upgrade its system. The hacker had access to and stole employees’ unencrypted personal, medical, and financial information.231See Wright, supra note 73. However, LHS Clothing is unsure exactly how many employees were affected. LHS Clothing sent out a notice of the breach to all its employees. Under the proposed rule, A will likely have standing to sue LHS Clothing.
A will first need to show that her risk of future identity theft is an injury in fact by pleading in her complaint that a person stole her information, and that the stolen information is the type that an identity thief can use for unauthorized transactions. This will be easy to do if LHS Clothing’s notice about the breach indicated that the hacker stole information and disclosed the type of information stolen, or if A is able to discuss the breach with the IT professional who discovered the hack to determine this information. If A experienced any identity theft after the breach, this could also show an injury in fact. If not, A may be unable to meet the first standing requirement, injury in fact, and without a statute providing for a private cause of action in this situation, A would be out of luck. Nevertheless, assuming A can meet this first standing requirement, A would next need to show that her injury is traceable to her employer.
In general, to show that an employer caused the risk of future identity theft or that the risk is traceable to the employer, employees must either show that their employer gave notice of the breach or plead facts showing their employer’s security failure led to the breach. In this instance, LHS Clothing notified its employees that a breach occurred, so the requirement is met. To further bolster her causation claim, A can also allege that storing important employee information in an easily accessible, unencrypted format, and failing to use a more secure system or encrypt the information, is a security failure on the part of LHS Clothing that led to the breach.
Next, employees must show their injury is redressable, either by monetary damages or with an order requiring the employer to correct security deficiencies. Here, because LHS Clothing did not provide its employees with free credit monitoring services after the breach, this requirement is easily met. A can prove that she will need to pay for credit and information monitoring services to protect herself from future identity theft—A has her $1,200 credit-monitoring bill—so monetary damages will redress her injuries. If LHS Clothing had provided monitoring services, A would need to allege that she will need monitoring services for longer than provided to adequately protect her identity. Additionally, A may allege that an order requiring LHS Clothing to correct its security deficiencies and strengthen security practices would help employees avoid future identity theft by lessening the risk of future data breaches at the company.
In this situation, where an employer stores unencrypted data in its system and a hacker steals the data, an employee will have standing to sue her employer for risk of future identity theft by following the proposed rule.
2. When a Third Party Experiences an Electronic Data Breach
In both Reilly and OPM, hackers breached third-party systems.232OPM, 928 F.3d at 50; Reilly v. Ceridian Corp., 664 F.3d 38, 40 (3d Cir. 2011). In these cases, employers hired third parties to handle employees’ data.233OPM, 928 F.3d at 50; Reilly, 664 F.3d at 40. The Third Circuit in Reilly held that employees did not meet the standing requirements, yet the DC Circuit in OPM held that employees did have standing to sue.234OPM, 928 F.3d at 75; Reilly, 664 F.3d at 46. Employees in both cases would have standing under the proposed rule. The rule applies to employees who experience information theft due to a third-party data breach in the same way it covers employees who experience information theft because of a data breach of their employer’s systems directly. When a hacker breaches a third party’s system, he has access to employees’ personal information, whether an employer uses the third party for data storage or for another particular purpose—for example, to conduct background investigations. This access means employees suffer risk of future identity theft for which they can sue if they have standing.
Returning to A’s unfortunate situation, recall that she consented to a third-party background check when applying with LHS Clothing. Imagine that this third party experienced a data breach instead of LHS Clothing. Under the proposed rule, A would have standing to sue in this situation as well, if she can allege that someone accessed or stole information of the type that an identity thief can use for unauthorized transactions. Like the previous scenario, A can meet this requirement if she has suffered identity theft following the data breach. If this has not yet occurred, A will need to work with security professionals and the third party to determine if an identity thief accessed information of the type that can be used for unauthorized transactions. If she is unable to do this at the pleadings stage, she may be unable to allege sufficient facts to meet this standing requirement.
In addition, A must meet the traceability requirement. Third parties may choose to notify their clients (the employers) or directly notify the affected individuals of the breach. If the third party provided notice of the breach in A’s case, then she can easily meet this requirement. If the third party did not provide notice, A must find another way to show that the third party’s security failure led to the breach. The security failure could be a range of things, including not adequately protecting login credentials, like in OPM,235OPM, 928 F.3d at 50. or not having an adequately protected system.236Wright, supra note 73. A may also allege that LHS Clothing did not investigate the third party’s security protocols thoroughly enough, and thus the breach is traceable to her employer.
A next must show that she has a redressable injury, which can be done in exactly the same manner as in the previous example. A will show the need for credit and information monitoring services, whether in total or beyond what the third party or employer will provide. Unlike in the scenario where LHS Clothing’s own system was breached, however, a court order to correct LHS Clothing’s security deficiencies would not redress the injury in this case. This is because A is not suing the third party who has security deficiencies but is suing LHS Clothing. Yet, as A can claim monetary damages in this scenario, she will meet the third and final standing requirement and be able to sue LHS Clothing for risk of future identity theft if LHS Clothing’s third-party background-check provider is hacked.
3. When an Employer Experiences a Physical Data Breach
In Krottner, the Ninth Circuit held that employees had standing to sue their employer for risk of future identity theft when a thief stole a laptop containing employees’ personal information.237Krottner v. Starbucks Corp., 628 F.3d 1139, 1140 (9th Cir. 2010). This data breach did not come from a hacker’s access to electronic data but from a thief physically seizing the source of the data. In A’s case, envision a disgruntled store manager downloading employee information off LHS Clothing’s system onto a hard drive and taking it home, which is similar to what happened to Coca-Cola.238See supra notes 88–91 and accompanying text. While the proposed rule covers employees who are victims of this type of data breach, it may be more difficult to meet the first requirement in this situation—sufficiently pleading that the identity thief accessed and stole personal information that can be used for unauthorized transactions.
First, A will need to show that she suffered an injury in fact. To do so, she must allege that someone accessed or stole information of the type that an identity thief could use to make unauthorized transactions. How can A know that the information on the hard drive is the type that can be used for unauthorized transactions at this stage of the pleadings? Without more information, which she likely would not be privy to until discovery, she cannot. So, in cases like this, using the proposed rule to meet standing requirements is more difficult but not impossible. First, if A knows that the hard drive contained information that the thief could potentially use to make unauthorized transactions, she should include the facts giving rise to this knowledge in the complaint to meet this standing requirement (for example, say A overheard the disgruntled employee disclose that she stole Social Security numbers, or A is able to access the computer and see what types of data could be moved from the system onto a hard drive). Second, as in previous scenarios, if A suffered identity theft after the data breach, she can allege that her information was stolen in the breach and is the type that can be used for unauthorized transactions, so the risk of future identity theft is an injury in fact stemming from the hard drive.
Next, A must allege traceability, by either showing that LHS Clothing notified employees of the breach or that LHS Clothing’s security failure led to the breach. If LHS Clothing did not give notice, A can still show that a security failure led to the breach—it is reasonable to infer that a lack of proper security procedures could lead to a person taking a physical source of personal employee information for unauthorized and improper use. This action, at minimum, shows that the employer has not instituted proper data-security training for its employees. Consequently, an employee could easily allege traceability in this context.
Third, as before, A needs to allege monetary damages from credit and information monitoring services or the need for a court order to show her injury is redressable. A court order requiring LHS Clothing to correct security deficiencies would protect employees from future data breaches of this sort, as LHS Clothing clearly needs to improve its information security and institute proper training to better protect its data from employee misuse. Under the proposed rule, employees who suffer a risk of future identity theft after a thief has stolen a physical source of personal employee data can sue their employer to recover from this injury.
When an employer or third party experiences an electronic or physical data breach, the proposed rule provides clear and uniform guidance to help employees determine what they must plead to have standing to sue their employer. This rule is much clearer than the existing precedent and would greatly benefit plaintiff-employees who currently lack a remedy when their data is stolen. However, the proposed rule is not a perfect solution, as there are many instances where plaintiff-employees do not have the exact evidence they need at the pleadings stage of litigation to meet the standing requirements necessary to recover for their injuries. In A’s situation, if she were unable to gather enough evidence to meet one of the standing requirements, she would be unable to recover and would be forced to incur all the costs to protect against future identity theft. The current statutory framework would not help her, as there is no federal statute covering this sort of data, and, while LHS Clothing is a California company, the CCPA was not in effect during these breaches and so would be of no use to A.239See supra notes 46–47 and accompanying text. Even if the CCPA had been in effect at the time, the Act does not currently protect employee data—and will not any time soon—so it would not have helped A recover her costs.240See supra notes 51–54 and accompanying text. Therefore, a new statutory supplement is also required.
C. Employee Protection Statutes
Both Congress and state legislatures need to pass legislation that will create a stronger employee data protection framework, so that employees like A are not left to fend for themselves when they do not have standing to sue (for instance, in situations where the company does not provide a breach notice to employees who do not have enough evidence to show traceability or causation in another manner, or where a breach notice fails to mention whether or not the information stolen was the type that an identity thief can use to open unauthorized accounts, keeping employees from showing an injury in fact, among many other possibilities). To do so, these legislative bodies should enact comprehensive data protection legislation that expressly includes employee data and provides a private right of action for both consumers and employees. Legislation using similar language to that in the CCPA, which allows consumers to sue businesses who “violat[e] . . . the duty to implement and maintain reasonable security procedures and practices,” would help achieve this goal.241Cal. Civ. Code § 1798.150(a)(1) (West 2021); see also Mark Smith, Analysis: Unlocking the CCPA’s Private Cause of Action, Bloomberg L. (May 11, 2020, 5:50 AM), https://perma.cc/X7GH-XQL2. Any legislation should also include a definition of or set out a standard for reasonable employer security procedures, including requirements like: encrypted data; routine network security checks; special procedures for safeguarding physical documents and other physical information sources that employees have access to; and password security management.242See Ronald Sarian, What Are “Reasonable Security Procedures” Under the CA Consumer Privacy Act?, JD Supra (Jan. 16, 2020), https://perma.cc/7YHS-EV4J.
Ideally, this legislation would also require employee consent to data collection in all instances, and would allow employees to use a private right of action to sue when employers collect data without consent or when consent is coerced or given under threat of retribution. Finally, any enacted legislation should set statutory damages to simplify legal proceedings for employees and to provide notice to employers of what their liability for data violations may be.243See Geoffrey S. Stewart & Miriam S. Weiler, Emerging Issues in Statutory Damages, Jones Day (July 2011), https://perma.cc/VY47-Z8GR. Statutory damages may encourage employers to settle with employees or even encourage them to provide each employee in the wake of a data breach with a payment in the range of the statutory damages that the employer would be liable for in litigation, keeping the matter out of the courts altogether. This would provide employees with faster payouts and minimize their legal costs,244Thyberg, supra note 24. lessening the financial harm employees endure after their employer suffers a data breach.
It is worth mentioning that the EU already provides EU employees with greater data protection in its General Data Protection Regulation (“GDPR”), which covers employee data and provides employees with a private right of action.245See Sara H. Jodka, The GDPR Covers Employee/HR Data and It’s Tricky, Tricky (Tricky) Tricky: What HR Needs to Know, Dickinson Wright (April 2018), https://perma.cc/S2PL-T7CY. Not only does the GDPR require employers to protect employees’ personal data, but it also provides employees with special rights to access their data, to object to their data being processed for certain uses, and to have their data be erased.246Data Protection in the Workplace, Citizens Info. (Sept. 29, 2020), https://perma.cc/5LMT-33P4. Although the GDPR does not contain any specific statutory damages, it does allow EU member states to set their own.247See Council Regulation 2016/679, art. 84, 2016 O.J. (L 119) 1, 83. While there are numerous articles and debates about the GDPR, a topic that is well beyond this Comment’s scope, it is clear that the GDPR better protects employee data than any current US federal or state legislation.
Currently, employees have no clear way to recover financial losses incurred to protect themselves from future identity theft—money spent to protect their personal information and lost wages from time spent changing personal information instead of working—after their employer suffers a data breach. It is unclear whether employees have standing to sue in these situations, as there is a stark disagreement in some of the circuit courts. The division between the Third Circuit’s strict approach and the Ninth and DC Circuits’ more flexible approach creates uncertainty for employees. A clear, uniform rule is essential to explain what employees must allege to successfully meet the Article III standing requirements. To help protect employees who cannot meet these requirements, even with a clear rule, federal and state legislatures must enact comprehensive data-protection statutes that protect employees and are not just for consumers. With a clear rule and protective statutes—whether employees sue, or employers opt to resolve matters out of court to avoid clear losses—employees will be able to adequately recover their damages and will no longer be forced to pay for their employer’s mistakes or inadequate data security.