Your Turn, U.S. Employers

It’s not just GDPR in Europe; U.S. companies under pressure to control HR data, too.

By Cheryl L. Blount and Paul Bond


In 2018, Europe’s data protection laws have remained in the spotlight. However, even U.S. employers not subject to GDPR, the General Data Protection Regulation, face increased scrutiny. Home-grown data protection expectations have ratcheted up, and those responsible for HR data need to be aware and responsive. GDPR mandates disclosures, enhanced consents, the right to access and correct information held, and the right to be forgotten. Some U.S. laws do the same, including with respect to HR data.

The California Consumer Privacy Act of 2018. The act was signed into law on June 28, 2018. The name of the act is potentially deceptive — read literally, the act provides rights to any person residing in California, which would include employees. While some argue that the statute as a whole is better read to apply only to consumers, that potential limitation is not expressed in the text. The act applies to any company doing business in California and making more than $25 million in adjusted gross revenue, as well as to companies in the business of buying and selling consumer data. As to such companies, California residents will have many new rights. Starting in 2020, these will include the right to disclosure of personal information held (including “professional or employment-related information”); the right to information about categories of personal information collected, use of the information, and third-party disclosures; the right to opt out of the sale of such personal information; and the right to deletion of personal information.

Employer tips: Determine whether your company is covered by the act; review employee-facing disclosures; start planning to respond to requests by California employees, if need be; and operationalize required responses.

The Illinois Biometric Privacy Act. Employers in Illinois are still dealing with the fallout of a 2008 state law. The Biometric Information Privacy Act (BIPA) regulates the collection and use of biometric information. For example, if an employer combats time card fraud by making employees swipe in and out with a thumb scan, that employer may be subject to the act. Companies (including employers) collecting biometric information must offer very specific disclosures and obtain informed consent. Many employers did not obtain BIPA-compliant consents. A BIPA violation can lead to damages of $1,000 for each negligent violation and $5,000 for each intentional or reckless violation. A wave of BIPA class actions against employers has swept federal and state courts in Illinois. While the results have been muddled, the risk of multimillion-dollar liability is very real for employers.

Employer tips: Know your local laws surrounding employee data, especially when adopting new technology; and offer and document all needed consents.

Reading Employer’s Duty to Protect HR Data into Employment Relationship. The Pennsylvania Supreme Court is considering the case of Barbara Dittman v. UPMC etc. et al. Dittman was an employee of the University of Pittsburgh Medical Center and claims that a data breach exposed the names, birthdays, Social Security numbers, addresses, salaries, and bank and tax information of some 62,000 current and former UPMC employees. Further, Dittman claims that the stolen information was used to commit identity theft. Dittman brought a class action sounding in negligence. The trial court dismissed the action, citing Pennsylvania’s Economic Loss Rule: because Dittman had not suffered any physical injury, she could not sue her employer for negligence. The court also refused to recognize an exception to this rule that would allow employees whose HR records were breached to sue their employers. On appeal, the Pennsylvania Superior Court upheld the ruling 2-1. The dissent would have found that UPMC failed to implement reasonable security if, as alleged, it had not used encryption and firewalls to protect the data. The pending question before the Pennsylvania Supreme Court is whether an employer has “a legal duty to use reasonable care to safeguard sensitive personal information of its employees when the employer chooses to store such information on an internet accessible computer system.” The decision could be momentous for employers.

Employer tips: Consider protections around HR data, including physical, technical and administrative controls; and review the reasonableness of those controls regularly, including comparing HR data protection against protections of consumer/customer data.

Risk of W-2 Fraud. From the perspective of a would-be identity thief, W-2 forms are a gold mine. A W-2 lists the employee’s name, postal address, Social Security number, income and withholding amounts. Hundreds of employers have been tricked into giving this sensitive employee information to scammers. Typically, an accounting employee is tricked by a phishing attack, receiving what looks like an urgent e-mail from a senior executive demanding the information. Only after the accounting employee sends the information en masse do they re-check the identity of the sender and find that they have been duped. The scammer can then use the stolen information for a number of nefarious purposes. For example, the scammer can file for federal and state tax refunds owed to the employees. Many employers have faced class actions following such situations, usually alleging breach of contract, breach of fiduciary duty, etc. For example, one employer, Lincare Inc., agreed to settle a W-2 fraud class action for $875,000 in 2018.

Employer tips: While employers have no silver bullet against W-2 fraud, protections include spam filtering; software that clearly designates which e-mails are from external sources; specialized security training for finance, payroll, and HR employees, including mock phishing attempts; and internal policies and procedures to limit the instances where any executive would legitimately make such a request.
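As an added illustration of two of these protections (external-sender designation and flagging the "urgent executive request for W-2s" pattern), the following mail-filter check is example code written for this article, not something from the authors or their firm. The internal domain, executive roster, flag names and both sample messages are assumptions constructed for the example.

```python
# Added example: tag external mail and flag the executive-impersonation pattern
# used in W-2 phishing. Domains, names and messages are constructed, not real.
from email import message_from_string, policy
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example-corp.test"}            # assumed: the company's own domain
EXECUTIVES = {"jane doe", "john roe"}                # assumed: executive roster, lower-case
W2_TERMS = ("w-2", "w2", "payroll", "social security")
URGENCY = ("urgent", "asap", "immediately", "right away")
EXEC_FLAG, W2_FLAG = "exec-display-name-from-external", "urgent-w2-request"

def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()

def assess(raw: str) -> dict:
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply = parseaddr(msg.get("Reply-To", "") or addr)   # no Reply-To: replies go to From
    external = domain_of(addr) not in INTERNAL_DOMAINS
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + " " + (body.get_content() if body else "")).lower()
    flags = []
    if external and name.strip().lower() in EXECUTIVES:     # executive's name on an outside address
        flags.append(EXEC_FLAG)
    if domain_of(reply) != domain_of(addr):                  # replies silently diverted elsewhere
        flags.append("reply-to-mismatch")
    if any(t in text for t in W2_TERMS) and any(u in text for u in URGENCY):
        flags.append(W2_FLAG)
    subject = msg.get("Subject", "")
    if external and not subject.startswith("[EXTERNAL]"):   # the external-source banner the tips describe
        subject = "[EXTERNAL] " + subject
    return {"external": external, "flags": flags, "subject": subject,
            "quarantine": EXEC_FLAG in flags and W2_FLAG in flags}

# Constructed sample messages (not real traffic): one impersonation attempt, one routine internal mail.
PHISH = """From: Jane Doe <jane.doe@mail-example.test>
Reply-To: jdoe.office@freemail.test
To: payroll@example-corp.test
Subject: Urgent: W-2 copies for all staff
Content-Type: text/plain

Please send me everyone's W-2s ASAP as one PDF. I'm in a meeting, don't call. -Jane
"""
LEGIT = """From: Jane Doe <jane.doe@example-corp.test>
To: payroll@example-corp.test
Subject: Lunch on Friday
Content-Type: text/plain

Want to grab lunch after the all-hands?
"""
```

The `quarantine` decision holds the message for review when both the impersonation and the urgent W-2 signals fire; the banner alone is applied to every external message, which is the behaviour an accounting employee can act on before replying.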

Cheryl L. Blount is an associate in Reed Smith’s Labor and Employment Group based in Houston. Paul Bond is the co-practice leader of the firm’s Information Technology, Privacy & Data Security Group and a member of the IP, Tech & Data Group in the firm’s Princeton, New Jersey, office. To comment, email