DATA BREACHES: A NEW TOPIC FOR COLLECTIVE BARGAINING?
The NLRA requires employers whose employees are represented by a union to maintain the employees’ existing terms and conditions of employment and to negotiate with the union before implementing any changes to those conditions. Even fundamental changes in the business itself, which are exclusively the prerogative of management and not subject to bargaining, will give rise to a bargaining obligation over the effects of those decisions on unionized employees.
With the advent of electronically stored information comes the risk of data breaches. The prevalence of such issues, generally dealing with customers’ personal and financial information, gives rise to the question of what, if any, obligation a company has to notify and bargain with a union concerning the security measures it takes to protect electronically stored information concerning its employees and the effect of a data breach involving such employees’ personal information – i.e., names, addresses, telephone numbers, social security numbers, etc.
The latter part of this question was recently put before the National Labor Relations Board’s General Counsel by a charge filed against the United States Postal Service. This charge arose from a data breach involving employees’ personal identifying information. The USPS did not notify the union of the breach, however, for several months and did so only shortly before it publicly disclosed the breach. After notifying the union, the USPS then unilaterally offered the employees affected by this breach one year of free credit monitoring. In this charge, the union alleged that the USPS breached its duty to bargain in that it failed for months to provide the union notice of the data breach, thus perpetuating the exposure of employee personal data, and unilaterally changed the employees’ terms and conditions of employment when it offered them credit monitoring without first informing the union of that benefit and negotiating it with the union.
How the Board’s General Counsel will dispose of this charge remains to be seen. One would have to speculate, however, that the charge will be received favorably as the Obama Board, and its General Counsel, have a decidedly pro-labor tilt. The disclosure of confidential personal identifying information, moreover, has an effect, or at the minimum a possible effect, on employees as such information was provided to the employer as part of the employment relationship. Credit monitoring provided as part of the employment relationship, like insurance, is a term and condition of employment. Likewise, the entity providing the monitoring (its experience/quality/reputation), as well as the length and thoroughness of the monitoring, are all items which are amenable, and likely to be found subject, to the negotiation process.
Similarly, it would not be a surprise if a decision were rendered which finds prompt notice of a data breach to the union representing affected employees to be required by the duty to bargain in good faith. To hold otherwise logically could affect the union’s ability to negotiate concerning remediation of the effects of the data breach on its members.
While one may argue that the normal ongoing security measures employed for electronically stored information by an employer fall within the exclusive domain of the employer, as it relates to the operation and direction of the business and thus should not be subject to the negotiation process, it is not far-fetched to envision a decision analogizing this issue to employee safety and health matters. Thus, an employer has a duty to negotiate not only over the effects of noise or chemical exposure on its unionized employees but also, if requested, over ways to eliminate or reduce those exposures.
Cyber attacks and data breaches are 21st Century headaches for employers. An employer with electronically stored personnel information concerning its unionized employees will be well advised to consider what obligations it may have to:
- Bargain concerning the security measures it is taking for such information prior to a data breach;
- Promptly notify the union representing such employees of a data breach; and,
- Respond to a demand from the union to negotiate the remediation of the effects of the data breach on its members.