The United States Postal Service quietly announced last week that its systems had been breached potentially compromising the personal information of as many as 800,000 current and former USPS employees. This announcement came almost two months after the USPS’ inspector general advised the agency that its systems had been compromised.
While the general public may have missed the announcement, the USPS employees and their union took notice. The USPS identified its virtual network, which employees use to telecommute, as a point of vulnerability and temporarily halted its telework program – affecting a significant segment of the USPS workforce.
In an interesting twist on breach response, the American Postal Workers Union, which represents more than 200,000 postal employees, filed unfair labor practice (“ULP”) charges with the National Labor Relations Board protesting the USPS’s failure to notify and involve the union while handling the breach response. The union’s ULPs allege that the postal service failed to negotiate with the union over the impact of the breach on affected bargaining unit employees.
According to the APWU President, the union is demanding “information from the USPS about the extent of the breach – both known and suspected – and what postal management knew, when they knew it and what they did, or failed to do, to protect employee information.”
The USPS’s position is that it could not notify employees – or their union – about the incident any sooner because it would have put the “remediation actions in jeopardy.” Consistent with many standard remediation efforts, the USPS indicates that it plans to offer employees a year of free credit monitoring to protect against identify theft. The union says that the credit monitoring decision was made unilaterally and questions whether it is sufficient to protect its members.
For now, the NLRB will handle the postal employees' charge like any other ULP – assessing whether the employer had a duty to bargain with the union about terms and conditions of employment and whether it failed to do so. However, with the hodge-podge of federal and state laws that currently govern cybersecurity, the postal workers’ unfair labor practice charge raises an interesting issue about which government agency – or agencies – are best suited to protect employee rights following a cyber-attack. Adding the NLRB, which is always eager to expand its scope of authority, to the mix will present further challenges to the already complex cyber-breach response process.