A data breach occurs in which an outside individual obtains your company’s employees’ W-2 forms including social security numbers, addresses, and salary information. As a result, your company notifies all affected employees, explains what occurred, and offers a complimentary two-year membership to a service that helps detect misuse of personal information.   Is your company liable for negligence and breach of contract?

The answer may be, “yes,” according to a federal district court in Kentucky. Savidge v. Pharm-Save, Inc. (W.D. Ky. Dec. 1, 2017).  In Savidge, the plaintiffs alleged various state law claims that their former employer was liable due to the theft of their personally identifiable information (“PII”).  With regard to one plaintiff, the data breach resulted in a false tax return being filed on her behalf.

The company moved to dismiss the claims. In denying dismissal of the negligence claim, the court concluded that because Plaintiffs’ information was released to unauthorized individuals, the company breached its duty to “safeguard that information.”  Further, the court found there were sufficient allegations of injury based on Plaintiffs’ alleged purchase of credit monitoring and identity theft protection services as well as expenses incurred in responding to the fraudulent tax return.  Finally, the court held that Plaintiffs sufficiently alleged causation simply by alleging a nexus between the data breach and fraudulent activity that took place.

In addition, the court declined to dismiss Plaintiffs’ implied breach of contract claim. The complaint alleged that Plaintiffs provided their W-2 information to the company so the company could verify their identities, provide them with compensation, and to provide the company with complete records for tax purposes.  According to Plaintiffs, the company implicitly promised they would take adequate measures to protect their personal information and the company breached that obligation through the release of their PII.  According to the court, the allegations were sufficient to draw an inference that the company impliedly promised to protect their employees’ PII. Therefore, this claim also was permitted to proceed.

With a patchwork of federal laws governing various aspects of data breach liability, it is important for all those possessing PII to understand the extent of exposure under state law as well. Failure to take reasonable steps to protect such information is likely to result in liability.  The trend toward greater protection of PII is only growing, and with tax season nearly upon us it is important for employers to be aware of the kinds of schemes that could result in these kinds of breaches.

Tags: data breach, Identity Theft, personally identifiable information, PII, Savidge v. Pharm-Save, tax return, W-2, Western District of Kentucky
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Jeffrey M. Schlossberg Jeffrey M. Schlossberg

Jeffrey M. Schlossberg is a Principal in the Long Island, New York, Office of Jackson Lewis P.C. Mr. Schlossberg has devoted his entire career to the employment law field. He is a Certified Information Privacy Professional (CIPP/US) with the International Association of Privacy…

Jeffrey M. Schlossberg is a Principal in the Long Island, New York, Office of Jackson Lewis P.C. Mr. Schlossberg has devoted his entire career to the employment law field. He is a Certified Information Privacy Professional (CIPP/US) with the International Association of Privacy Professionals and is an editor of the firm’s EPL Risk Mitigation Blog.

Mr. Schlossberg has extensive experience in handling all aspects of the employer-employee relationship. Areas of concentration include: employment discrimination prevention and litigation; workplace harassment policy development and compliance; social media and information privacy in the workplace; family and medical leave; disability matters; wage and hour investigations and litigation; non-competition agreements; and corporate mergers and acquisitions.

Mr. Schlossberg has defended against claims such as sexual harassment, age, race, national origin and disability discrimination for public and private companies in industries such as media, technology, airline, aircraft components, restaurants, supermarkets, securities, medical, manufacturing, cosmetics, food processing, software, clothing, vitamins and nutritional products, and many other employers of varying size throughout the metropolitan area and across the country.

Mr. Schlossberg lectures frequently about various topics to trade and professional associations, such as the Hauppauge Industrial Association. Mr. Schlossberg is also an active member of the Nassau County Bar Association and is a Past Chair of the Nassau County Bar Association Labor & Employment Law Committee.

Mr. Schlossberg is an appointed member of the Employment Law Panel of arbitrators for National Arbitration and Mediation.

Read more about Jeffrey M. Schlossberg
Show more Show less
Related Posts
Multi-factor Authentication (MFA) Bypassed to Permit Data Breach
April 1, 2024
Top 10 Blog Posts for the Workplace Privacy, Data Management & Security Report for 2023
December 21, 2023
Data Protection Update: Q4 Noteworthy Dates
November 6, 2023