As recent high-profile cyberattacks have demonstrated, employers have a duty to protect their employees’ electronically stored personal information from being accessed by hackers, and to promptly remedy any breach in security concerning such information. Depending upon the outcome of a recently filed charge before the National Labor Relations Board (“NLRB” or the “Board”), unionized employers may need to add another duty when it comes to data security breaches: bargain with the union regarding what to do about the breach.
The American Postal Workers Union has filed an unfair labor practice charge with the NLRB against the United States Postal Service (USPS), alleging that the USPS failed to bargain with the union over the impact and effects resulting from a data breach that compromised personal information about its employees. Specifically, the union claims that the USPS violated the National Labor Relations Act (NLRA) by offering employees impacted by the data breach one year of free credit monitoring without first bargaining with the union about the offer.
The USPS announced the data breach on November 10, saying in a statement that hackers had obtained the names, birth dates, Social Security numbers and other personal identifying information of its employees. According to the union, however, the USPS had known about the cyberattack for a number of months but informed the union of the issue only the evening before making its announcement. The union then purportedly received information about the breach and the USPS’s response shortly before the USPS began talks with its employees around the country concerning the breach. The USPS’s failure to advise the union promptly of the breach and discuss how to address its impact on employees, the union claimed, violated section 8(a)(5) of the NLRA, which requires employers to bargain with unions regarding wages, hours and working conditions. The NLRB will investigate the union’s charge and, depending upon the results of that investigation, may issue a complaint against the USPS that will be adjudicated by the Board and most likely be reviewed by a federal appellate court.
Should the Board ultimately rule in favor of the union on this charge, unionized employers may face conflicting priorities when it comes to data protection. Companies want to investigate and respond to data breaches quickly; however, having to negotiate with a union regarding the effects of such breaches on employees may very well slow down a response. In addition, having to approach a union before a company has finalized its response to the breach may cause information concerning the breach to be leaked before the company is able to make a formal announcement explaining the exact nature of the breach and what the company plans to do about it. Such a premature disclosure could cause difficulties for a company’s business, as well as confusion for those employees potentially impacted by the breach.
While it is too early to know exactly what the Board will do with this issue, its pro-union pronouncements in other areas over the past several years suggest that it will side with the union, at least with respect to the obligation to bargain over benefits offered to employees impacted by data breaches. As a result, employers may want to consider how they address communications with their unions regarding data breaches before such a breach occurs, including possibly addressing such communications formally in the collective bargaining agreement. This is a case that unionized employers should keep an eye on.
This is a joint submission with BakerHostetler’s Data Privacy Monitor blog.