We advise clients time and time again that when it comes to a data breach, the question is not “If” but “When.” As such, every company must prepare to deal with a breach.
For instance, when a company is impacted by a data breach, the company must disclose the breach to the appropriate authorities and impacted individuals, and comply with numerous requirements imposed by various federal and state data breach laws. However, if the National Labor Relations Board (NLRB) has its way, companies with unionized workforces may have yet another hurdle to jump over when dealing with data breaches that involve personal information of employees covered by a collective bargaining agreement.
This issue arises out of an unfair labor practice charge filed by the Postal Workers’ Union against the U.S. Postal Service (USPS) for failing to negotiate over the effects of a 2014 data breach. Now, the NLRB’s Regional Office in Baltimore, Maryland has found merit in the union’s charge and filed a complaint against the USPS alleging that it violated the National Labor Relations Act (NLRA) by failing to negotiate with the union over how quickly to tell personnel about cyber attacks that affect their personal data.
As for the details of the actual breach itself, it occurred last year. Hackers stole sensitive personnel information, including names, dates of birth, Social Security numbers, and addresses for about 800,000 postal employees. The USPS realized a possible intrusion had occurred on September 11, 2014, and informed employees on November 10, 2014, which actually complies with the timing requirements of all state data breach notification laws.
Nevertheless, the NLRB – or at least Region 5 – seems to think the USPS should have to bargain over the effects of data breaches and the remedy to be provided to impacted employees. The complaint also seeks to fault the USPS for offering compromised employees a year of free credit monitoring and fraud insurance without first bargaining with the union about these benefits. The NLRB claims the matter “relates to the wages, hours, and other terms and conditions of employment … and is a mandatory subject for the purposes of collective bargaining.” The NLRB complaint calls on the USPS to publish notices about the alleged labor-law violations and bargain with postal unions “for a minimum of 15 hours a week until an agreement or lawful impasse is reached or until the parties agree to a respite in bargaining.”
This will be an interesting case to watch to see if the NLRB finds that a bargaining obligation exists, and how that will impact other unionized workforces affected by data breaches. Given the broad approach the NLRB is taking on such matters, it will not be surprising if the NLRB ultimately decides that the USPS must bargain over this issue – creating yet another hurdle for employers trying to properly remedy data breaches.
The hearing is scheduled for May 11, 2015.