In September 2014, a data breach at the United States Postal Service (USPS) exposed the private information of nearly 800,000 USPS employees. The American Postal Workers Union (Union) recently filed a complaint with the National Labor Relations Board (NLRB) alleging that the USPS failed to disclose information concerning the recent data breach. The Union claims the USPS delayed in informing its employees of the breach despite having knowledge of the breach since September 2014. The complaint seeks disclosure to the Union of all information concerning the data breach including, the extent of the breach, who knew about the breach, when did they first become aware of the breach and what was done to protect employee information.
The Union’s complaint provides another example of the danger posed by data breaches regardless of the size of the target or the size of the breach. As we previously commented, these risks are not limited to retailers, banks or hospitals. Rather, the Union’s allegations, which involve no claims related to the disclosure of customer data, provide a stark reminder that employees’ private information is valuable to hackers. Therefore, these allegations signal a shift in data breach claims from large class action lawsuits against multinational companies to potential causes of action by employees against their employer, regardless of the size of the employer. Unfortunately, as these allegations make clear, even small businesses with a handful of employees have reason to be concerned about cybersecurity.