Recent Ruling Allows Employee to Sue Employer for Data Breach without Direct Fraud

Small businesses face numerous challenges related to cybersecurity that can affect day-to-day operations and impact employees and customers alike. For example, a corporate data breach poses problems for the individuals whose data gets stolen or exposed during the event, with the threat of identity theft being a definite possibility alongside other ongoing issues. Many businesses are taking the necessary steps toward beefing up their security efforts in order to limit the impact of breaches and other security concerns, which remains an essential step to surviving continued threats in the modern digitized world. 

Cybersecurity is a complex, evolving issue and is rarely straightforward, with many hurdles and headaches for businesses attempting to do everything possible to remain adequately prepared for just about anything. As a very interesting new development, a recent court ruling highlights a significant development in what’s expected of a business when dealing with employee and customer personal information involved in a data breach. 

A U.S Court of Appeals dealt a decision in favor of a former employee of ExecuPharm, Inc., allowing the individual to move forward with a civil suit against the company related to compromised personal information from a data breach. On the surface, this might not sound that different from other similar instances involving employees or customers dealing with a business experiencing a data breach. But the case of Jennifer Clemens v. ExecuPharm Inc; Parexel Int’l Corp may mark a turning point to the extent to which a business is held liable for the personal information it holds on employees, customers, and anyone else. 

This case is worth noting because the court ruling allows victim Clemens to move forward with suing her former employer because of her personal information that was exposed during a data breach. The issue to highlight here is that the ruling was made even though there was no direct evidence of identity fraud resulting from the breach. It is a definite win for individuals who provide their personal data to larger entities, but it is a tough pill to swallow for businesses that gather this sensitive data. It’s another glaring reminder to all owners and organizations that every step must be taken to limit the chance of exposure as the potential repercussions continue to expand. 

To examine this example a bit more in-depth, it’s worth noting that Clemens was not currently employed with ExecuPharm when the court ruling was initiated during her initial attempts to pursue litigation because of the breach. This sets the precedent that businesses need to keep data safe for absolutely anyone they have gathered it from, whether that person is currently working for them or not. Clemens was required to provide personal information such as financial account numbers, tax information, SSN, and a passport number at the beginning of her employment. This is obviously highly sensitive data that can be used to commit many forms of fraud if it falls into the wrong hands. Upon getting hired with ExecuPharm, Clemens signed an employee agreement indicating that her then-employer would take all the necessary steps to protect this information. This is standard stuff for many organizations during the hiring process and doesn’t reflect anything out of the ordinary. 

But this case gets interesting after Clemens stopped working for ExecuPharm and the organization fell victim to a ransomware incident resulting from a phishing scam. This attack exposed the personal information of many individuals, both those currently or previously employed with the company, and Clemens was one of them. ExecuPharm alerted the affected individuals of the situation and offered a credit-monitoring service for a year – again, standard saving-face procedures after a data breach incident. Clemens felt as if this was not enough action to keep her data from being used for fraud and took other measures on her own. She then sued her former employer and its parent company, Parexel, for negligence and breach of contract – even though she had yet to experience any direct fraud due to the data breach. 

This initial lawsuit was dismissed by a lower court because it deemed that Clemens only presented a speculative risk of future harm resulting from the breach. In the eyes of the court, this was not enough for the suit to move forward. But the case was appealed, and a new ruling allowed it to move forward on the grounds that Clemens could show that she was a victim of a definite injury (risk of fraud in this case) and that her former employer directly caused that injury. And the action by the appeals court to hear the case sets a precedent worth paying attention to because the risk of potential injury (fraud) was enough standing in the eyes of the court to hold the employer responsible for damages. 

This means that despite no identity theft or fraud occurring, businesses can still be at fault and face potential damages. In other words, employees can sue their employers if there is even a potential risk of fraud resulting from compromised personal information. It’s another critical issue businesses face in their efforts to foster adequate cybersecurity measures. And it serves as a reminder that every business and organization need to do all that they can to have these measures in place to safeguard as best as possible against data breaches and other cybersecurity incidents. The risk of a data breach is worrisome enough, but coupled with the threat of litigation from employees, this issue is quickly compounded. 

The precedent from this case is relatively recent, but it’s not the only instance of a court ruling in favor of someone looking to receive damages because of leaked personal information without fraud. Businesses of all kinds should expect this to become the trend and take all necessary steps toward improved cybersecurity, including having a response and restoration plan in place beforehand. The many cyberthreats facing organizations are threatening enough. Failing to establish adequate safeguards to better protecting sensitive information gathered from employees or customers is poised to be another potential nail in the coffin for small and medium-sized businesses navigating the modern marketplace. 

LibertyID provides full service, fully managed identity fraud restoration to its subscribers. With a 100% success rate in resolving all 31+ forms of identity fraud. LibertyID Business Solutions provides Business fraud remediation, full pre-breach preparation with custom WISP protocols, post breach regulatory response, customer, and employee identity fraud restoration management, advanced employee training and third-party vendor management tools.