Remedies for employees and consumers when their personal data is stolen

Q: I work at a hospital and we heard rumors that our computer servers were hacked. As a result, both patient and employee information were stolen. I am very worried about identity theft and damage to my credit. What are my rights?

A: Anyone who conducts business in California and owns or licenses computerized data that includes personal information must notify its employees or consumers (such as patients) in the event of a breach of the security of its system. This occurs when encrypted personal information is acquired by an unauthorized person together with the encryption key that could render that personal information readable or useable.

Personal information includes a combination of the following: full name, Social Security number, driver’s license number or California identification card number, account number or credit or debit card number with access codes, medical information, health insurance information, user name or email address with password, and license plates.

According to the California Department of Justice, between 2013 and 2016, the Attorney General received reports on 657 data breaches affecting a total of over 49 million records of Californians. These breaches occurred in various industries: retailers and banks, doctors, dentists and hospitals, gaming companies, spas, hotels, restaurants, government agencies, schools, and universities. The majority of the breaches were cyber-attacks by data thieves who exploited security weaknesses. Breaches also resulted from stolen or lost equipment containing unencrypted data.

Typically, employees or consumers who suffer immediate financial losses from these breaches may sue the company that negligently allowed the breach to occur, and recover damages. But what about the persons whose personal information was compromised but who have not (yet) suffered any type of harm? Do they have the right to sue for damages?

Two court cases best illustrate this issue:

In the first case, Starbucks employees sued their employer when a thief stole a laptop containing the unencrypted names, addresses, and Social Security numbers of approximately 97,000 Starbucks employees. Starbucks notified the affected employees about the theft and said that there was no indication that the private information had been misused. However, it advised employees to monitor their financial accounts for suspicious activity and take precautions against identity theft. The trial court dismissed the case, reasoning that the employees did not suffer actual financial losses, as the only harm being claimed was an “increased risk of future identity theft.”

The appellate court disagreed, ruling that an increased risk of future identity theft is enough to grant the employees a right to sue for damages. Here, the employees alleged a credible threat of real and immediate harm as a result of the theft of a laptop containing their personal data. The theft of the sensitive personal information is an actual “injury” for which the employees may claim damages.

In the second case, customers sued online retailer Zappos.com when hackers stole the names, account numbers, passwords, email addresses, billing and shipping addresses, telephone numbers, and credit and debit card information of more than 24 million Zappos customers. While many of the customers who sued have not yet suffered monetary harm as a result of the theft, they nevertheless suffered an injury because they have been put at risk of identity theft.

The appellate court agreed with the customers, noting that like the Starbucks employees, the Zappos customers have a right to sue if the threatened injury is ‘certainly impending,’ or there is a ‘substantial risk that the harm will occur.’ Such harm may include identity theft and identity fraud, resulting in criminal activities like credit card fraud, phone or utilities fraud, bank fraud and government fraud.

Aside from non-monetary remedies, employees and consumers victimized by a data breach must be offered appropriate identity theft prevention and mitigation services by the company responsible for the breach. These services must be provided at no cost to the victims for at least 12 months along with all information necessary to take advantage of the offer.

* * *

The Law Offices of C. Joe Sayas, Jr. welcomes inquiries about this topic. All inquiries are confidential and at no cost. You can contact the office at (818) 291-0088 or visit www.joesayaslaw.com or our Facebook page Joe Sayas Law. [C. Joe Sayas, Jr., Esq. is an experienced trial attorney who has successfully recovered wages and other monetary damages for thousands of employees and consumers. He was named Top Labor & Employment Attorney in California by the Daily Journal, consistently selected as Super Lawyer by the Los Angeles Magazine, and is the recipient of PABA’s Community Champion Award for 2016.]
