A data breach occurs in which an outside individual obtains your company’s employees’ W-2 forms including social security numbers, addresses, and salary information. As a result, your company notifies all affected employees, explains what occurred, and offers a complimentary two-year membership to a service that helps detect misuse of personal information. Is your company liable for negligence and breach of contract?
The answer may be, “yes,” according to a federal district court in Kentucky. Savidge v. Pharm-Save, Inc. (W.D. Ky. Dec. 1, 2017). In Savidge, the plaintiffs alleged various state law claims that their former employer was liable due to the theft of their personally identifiable information (“PII”). With regard to one plaintiff, the data breach resulted in a false tax return being filed on her behalf.
The company moved to dismiss the claims. In denying dismissal of the negligence claim, the court concluded that because Plaintiffs’ information was released to unauthorized individuals, the company breached its duty to “safeguard that information.” Further, the court found there were sufficient allegations of injury based on Plaintiffs’ alleged purchase of credit monitoring and identity theft protection services as well as expenses incurred in responding to the fraudulent tax return. Finally, the court held that Plaintiffs sufficiently alleged causation simply by alleging a nexus between the data breach and fraudulent activity that took place.
In addition, the court declined to dismiss Plaintiffs’ implied breach of contract claim. The complaint alleged that Plaintiffs provided their W-2 information to the company so the company could verify their identities, provide them with compensation, and to provide the company with complete records for tax purposes. According to Plaintiffs, the company implicitly promised they would take adequate measures to protect their personal information and the company breached that obligation through the release of their PII. According to the court, the allegations were sufficient to draw an inference that the company impliedly promised to protect their employees’ PII. Therefore, this claim also was permitted to proceed.
With a patchwork of federal laws governing various aspects of data breach liability, it is important for all those possessing PII to understand the extent of exposure under state law as well. Failure to take reasonable steps to protect such information is likely to result in liability. The trend toward greater protection of PII is only growing, and with tax season nearly upon us it is important for employers to be aware of the kinds of schemes that could result in these kinds of breaches.