Employee Rights Rolled Into California’s New Consumer Privacy Act – What Employers Should Know

California has enacted the California Consumer Privacy Act of 2018, establishing the strictest data privacy law in the United States. Recent amendments provide a one-year partial exemption for personal information that is collected from job applicants, employees, business owners, directors, officers, medical staff or contractors. However, qualifying employers are still required to provide certain disclosures and are still liable for statutory damages if unencrypted, sensitive employee data is breached as a result of a failure to implement reasonable security measures.

The following is a CCPA checklist for employers:

· Determine whether the CCPA applies to your business.

· Inform key decision-makers about the CCPA and appoint a privacy compliance manager.

· Conduct data mapping of employee personal information.

· Draft an employee-specific disclosure document.

· Ensure that the employee disclosure is provided at or prior to the collection of employee personal information (including all applicants).

· Ensure that all contracts with service providers with access to employee personal information include robust information security and privacy provisions.

· Ensure compliance with other privacy, security and data protection and disposal laws.

For more detailed information on this topic, please see our Alert.

Pa. Supreme Court Rules Employers Have Legal Duty to Protect Employees’ Personal Information from Data Breaches

On November 21, 2018, the Pennsylvania Supreme Court ruled that the University of Pittsburgh Medical Center (UPMC) had a legal duty to exercise reasonable care to protect sensitive employee information against an unreasonable risk of harm when that information is stored on an internet-accessible computer system. Dittman v. UPMC, No. 43 WAP 2017 (Pa. Nov. 21, 2018). In doing so, the Court made clear that the criminal acts of third parties who may breach a computer system do not alleviate the legal duty on a business to protect such information. The Court further held that the economic loss doctrine (a doctrine that precludes tort cases where the loss is purely monetary) did not apply in this case because the legal duty to protect sensitive employee information exists independently from any contractual obligations between the parties.

Visit the Duane Morris LLP website to read the full Alert.