After being hit with a data breach, the last thing a company might want is the scrutiny of the union representing its employees affected by the incident. When the data breach potentially affecting hundreds of thousands of United States Postal Service employees was reported, it was not long before the American Postal Workers Union filed an unfair labor practice charge with the National Labor Relations Board. The Union alleges that the Postal Service should have bargained with the union over the impact of the security breach. (Regarding impact, the Postal Service reportedly is offering employees one year of free credit monitoring through Equifax, but the union believes the Postal Service did not have the legal right to decide to offer the Equifax subscription without first offering to bargain with the union.)
While none of the data breach notification statutes include an employee’s labor union as one of the parties entitled to notice of a breach, the APWU is making the argument that the National Labor Relations Act required the Postal Service to let it be involved in the discussions on how to address the breach and the negative consequences on employees. APWU President Mark Dimondstein acknowledged receiving a call from Postmaster General Patrick Donahoe concerning the breach, but apparently wanted to be more involved.
A primary purpose of most if not all data breach notification laws is to provide the required notice to individuals affected by the breach so they can take appropriate steps to protect their information and identity. All of the state data breach notification laws and HIPAA generally require that notification be provided without unreasonable delay. Some laws provide an outside date by which notice must be provided – e.g., not more than 30, 45 or 60 days following discovery. But the general rule is to provide notice as soon as possible, without unreasonable delay.
When a breach is discovered, there are many steps companies must go through to be in a position to respond without unreasonable delay, a time frame that is not clearly defined and is influenced by a variety of circumstances. For instance, among many other steps, companies must immediately investigate the nature and scope of the incident, which can involve a significant amount of forensics and research; stop the breach if it is continuing; determine who was affected; understand the applicable legal and compliance requirements; coordinate with law enforcement and state Attorneys General, as applicable; gather up-to-date contact information to the extent available; and coordinate with vendors regarding mailing letters, credit monitoring and other services for affected persons. Entering into negotiations with one or more representative unions about responding to such an incident before the notifications go out likely would be an involved process that would further delay the notice to affected persons.
However, depending on how the NLRB charge turns out, employers may have to interact more closely with their employees’ union representatives when employee personal information may have been breached. Of course, employers should expect that, as here, the union may make further inquiries into the company’s data privacy and security practices in an effort to protect its members and seek additional leverage in negotiations. For these reasons, companies need to revisit (or develop, if they have not already) their data breach response plans and consider additional steps they might want to take, if any, to involve the union. Additionally, companies should take steps to ensure that employee personal data is safeguarded in accordance with applicable law and best practices.