Dive Brief:
- The Management Association (MRA) can’t escape a proposed class-action lawsuit after a data breach allegedly exposed workers’ personal identifiable information (PII) to the dark web, according to an April 7 federal district court ruling.
- Per court documents in Giasson v. MRA — The Management Association, Inc., MRA is a nonprofit employer association that stores highly sensitive PII and protected health information (PHI) about its clients’ employees. A worker in Wisconsin alleged that her current or former employer is or was an MRA member and that as a condition of her employment, she provided MRA with her PII and PHI.
- After MRA was hacked, the worker sued it on a number of grounds under Wisconsin law, including negligence for failing to follow industry standards and Federal Trade Commission guidelines on data security. She also claimed MRA was negligent in waiting more than nine months to notify affected workers of the breach. The district court denied MRA’s motion to dismiss the claim.
Dive Insight:
The allegations against MRA highlight a critical concern for employers — the substantial increase in cyberattacks and data breaches of employee personal identifying information, including information stored by third-party vendors and HR services.
For example, according to the U.S. Health and Human Services Department’s archived records, in the healthcare industry, large data breaches reported to the agency affected more than 134 million people in 2023, a 141% increase from 2022.
More recently, in February, DISA Global Solutions, a third-party employment screening services provider, announced it was the victim of an April 2024 data breach affecting more than 3.3 million people.
At the core of litigation typically spawned by such breaches are allegations that the hacked business had a duty to protect workers’ PII but failed to take reasonable steps to do so — such as the measures detailed in FTC guidance.
To start, business executives should factor data security into decisions they make for every department, including personnel, sales, accounting and IT, the guidance recommends.
“By making conscious choices about the kind of information you collect, how long you keep it, and who can access it, you can reduce the risk of a data compromise down the road,” the FTC states.
Deciding who has access to the PII and controlling that access is crucial, according to the guidance. For instance, employers should make sure employees have access to their networks and the information stored on them only on a “need to know” basis, the guidance says.
Additionally, employers should continuously monitor who’s trying to get in and out of their networks, test for common vulnerabilities and guard against brute-force attacks with adequate risk-based authentication measures, according to the guidance.
It’s also wise for businesses to keep an eye on companies they hire to develop apps or to process personal information. They should also insist their contracts with third-party providers include appropriate security standards, the FTC says.
According to court documents, the MRA breach affected the PII/PHI of more than 3,400 people and allegedly exposed their names, dates of birth, financial account information, medical information and Social Security numbers. When it notified affected persons of the breach, it offered them 12 months’ worth of credit monitoring and identity protection services, court records reflected.
MRA must now defend the negligence claim, a claim for negligence per se premised on an alleged violation of the FTC Act and a claim for unjust enrichment based on its alleged receipt of payments the Wisconsin worker believed would be used for adequate cybersecurity and protection of her PII, the court held.