As discussed in an earlier post, shortly after the United States Postal Service reported a data breach potentially affecting hundreds of thousands of employees, the American Postal Workers Union filed an unfair labor practice with the National Labor Relations Board alleging the Postal Service should have bargained with the union over the impact and response to the security breach. That ULP has led to a complaint filed by the NLRB Regional Director for Region 5 in Baltimore, Maryland, claiming that the Postal Service was wrong for not bargaining with the Union as requested.
It remains to be seen whether the Postal Service had a duty to bargain with the Union under the circumstances in this case. As we discussed earlier, however, entering into negotiations with one or more representative unions about the nature and extent of the response to such an incident likely would be an involved process, undoubtedly delaying notice to affected persons, along with the kinds of monitoring and other services typically provided to affected members and intended to help safeguard them from harm. Such a delay is precisely counter to a key purpose of all of the breach notification laws – provide speedy notice. So what is a company to do that has workers represented by a union?
Businesses are beginning to see that data breaches are a real threat, and can affect any organization, large or small. Purchases of cyber insurance are up, and companies are beginning to take steps to be prepared. For example, many are vetting their policies and procedures to make sure they understand and have reasonably addressed their risks and vulnerabilities in order to minimize a breach in the first place. In addition to addressing risk through insurance, some companies will undergo “tabletop” exercises, a helpful tool that typically involves gathering key members of management together to run through various data breach scenarios and assess how prepared they really are.
Businesses with employees represented by unions have an additional challenge – is it better to risk a claim for undue delay in breach notification and mitigation by an employee or federal or state enforcement agency on account of union negotiations, or a charge by the union representing the employees that the company did not bargain with the union about the response. In addition to the steps referenced in the paragraph above, these businesses may want to consider including data breach response and related benefits as part of their overall labor relations strategies. That is, where possible, reach some agreement ahead of time with the union on how the company will respond to a breach in the event one occurs, and incorporate that agreement into the company’s data breach response planning. This will help the company be in a position to respond timely under the applicable breach notification law(s), and hopefully avoid confrontation with the union.