Class Action Analysis: Employee Data Breach

According to a recently filed complaint, Acuity Brands had at least two data breaches involving employee data, one of which dated back to late 2020.  This class action is interesting for several reasons, which I’ll touch on in this blog post.  Remember, this is just a complaint, so none of the facts are verified and a court hasn’t ruled on the legal assertions.

First, the relative size of the class for a data breach is small.  Typically, per plaintiff damages in most data breach class actions for individuals are relatively small, which means that a lawyer taking on such a case on contingency needs a large number of plaintiffs to justify the exercise.  The proposed damages in the complaint exceed $5,000,000, but the class is only 37,000 people.  This may mean that the named plaintiffs have actual damages; indeed, one of the allegations includes tax fraud.  Class actions work best when there is a named plaintiff with actual damages to use as the benchmark for the class.

Second, many of the class actions in this space have relied on consumer harm.  There have been some employee led suits, such as in Pennsylvania, but typically consumer harm is easier to show, there are fewer defenses, and there are larger classes.  If plaintiffs’ lawyers can increase the harm per plaintiff, employee data breaches become much more attractive.

Third, the complaint specifically calls out defendant’s data retention practices.  Regulators, including the FTC, have been highlighting the problems with data retention and data collection for a while, especially with the advent of data lakes.  Employers have certain data retention obligations that are in tension with this guidance.  I9 forms are one example, where sensitive personal information must be maintained after an employment relationship is terminated.  I9s are broadly applicable, but each individual employer will have other retention obligations either through law or business necessity.

Fourth, the complaint alleges that the named plaintiffs provided their personal information on the condition that it be kept confidential and with the understanding that the defendant would employ reasonable safeguards.  This is probably news to the defendant, but more courts are recognizing these types of claims.

Finally, at least from my quick perusal, the plaintiffs attributed statements made on the defendant’s website as part of its privacy policy to its relationship with employees.  A lot of privacy policies do not fully account for employee data collection or use.  As an example, most websites do not collect SSNs and so SSNs are not disclosed in privacy policies.  Those same companies do collect SSNs from employees (again, for I9 purposes).  It will be interesting if this gets traction, forcing employers to create employee privacy policies despite specific exclusions from many state privacy laws.

I want to re-iterate that this is a complaint and these claims may fall apart.  It is important, however, to look at complaints to understand what future plaintiffs will allege and what theories of liability will develop in the future.