|
|
|
|
|
 |
 |
|
||||||
|
Search:
|
Employers Threatened by a Connection Between Data Security and Whistleblowing/Retaliation Claims?
Posted: May 28, 2009
Page Tools:
For More Information Contact:
Related Practice Areas:
Many companies are expediting their efforts to develop safeguards to protect personal data in response to the rapid emergence of data privacy and security regulations. The New Jersey Identify Theft Protection Act, the Massachusetts data security regulations, the federal “red flag” regulations, and the recent amendments to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) under the American Recovery and Reinvestment Act are prime examples of the wave of regulation directed at protecting personal data. While fear of data breaches, reputational harm, litigation and penalties usually drive company executives to action, employee whistleblower and retaliation claims also must be added to this list. At least one New Jersey court held recently that an employee who voices concerns regarding data security is engaged in protected whistleblowing activity under the New Jersey Conscientious Employee Protection Act (“CEPA”). Many, if not most, occupations require the movement of information over electronic networks and systems. In many cases, such occupations involve the movement of sensitive identifiable information about customers and/or employees. At the same time, employees are becoming increasingly aware of the regulations designed to protect personal information, as well as the events that drive legislatures and agencies to action – massive data breaches and troubling reports of the misery caused by identity theft. As a result, employees are likely to expect and even demand employer-established safeguards to protect this information. These include written policies, training, logon and user authentication controls, among others. Employers should take employee concerns regarding data privacy and security seriously not only to help assure compliance, but also because subsequent adverse action against that employee could provide the basis for a whistleblowing/retaliation claim. For instance, an employee might express concern to his supervisor that the company provides no privacy training for employees with access to personal information, or that company laptops are not password-protected. An employee might even refuse to utilize certain information systems because of a belief, correct or incorrect, that the systems are not adequately safeguarded. An employee that subsequently experiences adverse employment action, such as the termination of employment, could claim the adverse action was in retaliation for complaints concerning the company’s alleged data security deficiencies. Identity Theft Law LinkIn New Jersey, in order to establish a prima facie CEPA claim, the plaintiff must offer evidence that he engaged in whistleblowing and was subjected to an adverse employment action causally connected to the protected activity. Additionally, the plaintiff is required to allege he reasonably believed the defendant’s conduct violated a law, rule or regulation, or a clear mandate of New Jersey public policy. It is conceivable that a New Jersey court could find facts sufficient to support a CEPA claim in the circumstances described above based on an employee’s reasonable expectation that personal identifying information will be kept confidential. In fact, New Jersey’s Identify Theft Protection Act (“ITPA”), 56 N.J.S.A. 56:11-45, calls for the protection of financial data against interception as well as restricting access to Social Security numbers “in order to detect and prevent identity theft,” creating a nexus between the employee’s allegations and the ITPA. Of course, a jury would then have to find the employee’s termination was based on impermissible retaliation. * * * Employees’ increasing sensitivity to data privacy and security, and widely accepted public policy to protect personal data created by businesses, require employers to respond meaningfully to employee data privacy and security complaints. Adverse employment action will expose an employer to a retaliation claim. Employers can decrease the likelihood of such claims by implementing appropriate policies and procedures to protect the personal data they maintain. Members of our Employee Benefits, including Complex ERISA Litigation, Workplace Privacy and Executive Compensation Practice Group are available to assist your business in addressing its data privacy and security exposures and obligations.
| |||||||
