My former employer leaked my ss number!
February 19, 2011 5:41 AM

Can I sue my former employer for leaking my social security number, email address and physical address?

They sent a list to 1,000 people (current and former employees) that had the information for the other 1,000 people who received the email.

I know there have been lawsuits for schools leaking data or companies leaking customer data - is employee data different?

Their big offer at this point is 12 months of credit monitoring - which is insulting.

How would I go about pursuing this? Is it only worth it if it is class action?

If I can't sue what are my other options? Changing my social security number, etc?
posted by UMDirector to Work & Money (15 answers total) 2 users marked this as a favorite
I think it's going to depend on where you're located. When a previous employer of mine told everyone who called for a reference check on me that I had never worked there, I went to a lawyer. He told me that in Texas, the laws are all in favor of the businesses, and that all I could do was send them a letter from a lawyer asking them to correct the situation. Hopefully, you're in a more employee-friendly state.
posted by MexicanYenta at 6:19 AM on February 19, 2011

Best answer: Anyone can be sued, and there are certainly going to be common law, if not statutory and regulatory, grounds for a suit to avoid dismissal, on this kind of flagrant negligence. You would want to do it as a class action, or multi-plaintiff action, to be sure.

An inventive plaintiff lawyer should love this in principle: an easy to assemble and prove group (you have the list of names -- with emails and SSNs!), a sexy issue, and an employer with (presumably) deep pockets.

However, calculating damages and a settlement structure won't be easy. How much has this cost you? Not a lot as of yet. Would it make sense to pay everyone $1,000 and the employer be let off the hook -- but the 3 people who suffer identity theft will have nothing more to claim when they have to spend 500 hours and $50,000 reconstructing their credit, etc., after the identity theft.

Very interesting stuff!
posted by MattD at 6:21 AM on February 19, 2011 [1 favorite]

Response by poster: This is a company with deep pockets. The parent company is one of the largest in the world.

I thought about a class action, just not sure since so many are current employees, if they would join.

The employer is in FL, I am currently in MA.
posted by UMDirector at 6:28 AM on February 19, 2011

Depends on where you are. Some states have laws requiring the protection and/or encryption of personal data on company computers, Web sites and emails. For example, MA 201 CMR 17 in Massachusetts.
posted by Gungho at 6:34 AM on February 19, 2011

Best answer: On preview: you should know that if you are a MA resident the MA 201 17 still applies to companies outside the state. Basically any computer with the information of MA residents needs to be secured/encrypted.
posted by Gungho at 6:35 AM on February 19, 2011

I would do some research to see if there are similar cases out there and what their result is. I largely agree with the above that you should have an actionable class claim, but the issue of damages would be tricky since you technically haven't suffered any. It's all potential damages.

My guess is that their in-house legal team has already looked into this issue, hence their 12mo credit monitoring offer. Do some research of your own, consult a few attorneys.
posted by karmaportrait at 6:57 AM on February 19, 2011

My previous employer did something similar -- HR left sensitive documents in a big sloppy pile in a closet, and a temporary employee stole an unknown amount of ss numbers, distributed them to an unknown number of "friends" who then started attempting to open accounts with the information. The temp -- who temped for HR!! -- actually used a stolen identity on her employment application and had multiple aliases and convictions and all sorts of horrors. She had access to everything on the computers, but she supposedly took the easy way out and just copied the forms she found.

We consulted a lawyer who was dubious about our chances at winning anything unless we suffered damages. YMMV, and this was 5 years ago, but he advised us to take the monitoring -- unless there was a clause that specified we'd lose our rights to sue if we did so, just to cover ourselves in case something epic did happen.

The company I worked for was so stupidly horrible about the whole thing and did indeed try to specify that accepting their $79-value-monitoring-package supposedly relieved them of any liability. I paid for the monitoring myself -- I think I got a discount when I called the monitoring company directly and paid for three years.
posted by kittyb at 7:21 AM on February 19, 2011

In at least a couple states you could get around $60,000 statutory damages just because the information was released, even if nobody looked at it and no actual damages occurred. However, I did that legal research for a case almost five years ago and this is an area where the law changes FAST. But it's certainly worth talking to a lawyer about it.
posted by Eyebrows McGee at 9:40 AM on February 19, 2011

I worked for a company that had a backup tape drive in a car that was stolen. On that tape drive was all sorts of personal information. They offered the same one year of credit monitoring. They did not have us sign any sort of waiver if we took the year, so in theory, we could have also sued for damages. My plan was to take the credit monitoring and sue them for actual damages if they occurred. At the nine month mark I asked for and got a 6 month extension on the free credit monitoring. At the end of 18 months, it stopped. I have not yet had any negative ramifications. My real concern with the time frame on the monitoring was that there was an expiration on the monitoring, but the information of mine out there had no expiration. A patient thief could presumably wait 2 years and then use the information. I never pursued any additional compensation against the firm because there are no damages at this point (5 years out).

If your state is one of the states to which Eyebrows McGee refers, then go for that I guess.
posted by AugustWest at 9:57 AM on February 19, 2011

It's quite possible that you don't have any damages. In that case, to my mind, no, suing isn't worth it (although consulting with an attorney absolutely would be). But that depends on what you want -- to punish the employer or to be compensated?

I'm not aware of the option of changing your SSN, but I would certainly ask the company for credit monitoring lasting longer than 1 year. Not in a suit, just as negotiation.
posted by J. Wilson at 10:15 AM on February 19, 2011

Actually, in theory, the one thing I would really strive for (in addition to extended credit monitoring) is a contract stating that if your identity is ever stolen because of this and causes you damages, the company will compensate you at that time for any costs involved in fixing the problem.
posted by J. Wilson at 10:19 AM on February 19, 2011 [3 favorites]

Yes, indemnity from their mistake and chasing this up with law enforcement (see if you can get the other 999 interested in this as well, numbers count) are two good places you can start on your own. Keep working on the civil suit side, too, but that will take much longer to do well. You'd do well to fan out your approaches to pin them in: civil, criminal, and HR (three facets of society nobody likes to deal with). Heck, depending on the size of your balls you could send out an all-hands email calling for a show of hands for those affected, but that might get you fired (possibly another actionable development! ;).
posted by rhizome at 11:21 AM on February 19, 2011

i'm about as far away from being a legal expert as you can get, but i would presume that the parent company having deep pockets is moot. corporations are generally structured so that the deep pockets are protected. i imagine the parent company would have the same liability your parents would have if you were to get sued. which is to say: none.

accept the credit monitoring & maybe try the contract J. Wilson mentioned. my suspicion, though, is that it would be pretty close to impossible to trace a future identity theft back to this instance.
posted by msconduct at 5:02 PM on February 19, 2011

This is a company with deep pockets. The parent company is one of the largest in the world.

I thought about a class action, just not sure since so many are current employees, if they would join.

The employer is in FL, I am currently in MA.

You don't have to go door to door to see if they will join. The attorneys of your class action (if certified by a judge) will have the power to get a list of all people who were affected.

Then he will send them communication that asks them to opt-in (YUCK), or opt-out (HIGHLY PREFERABLE) of the lawsuit.

Also, it's pretty pimp to be the head plaintiff.
posted by hal_c_on at 5:46 PM on February 19, 2011

If you decide to accept the offer (which is what I would do, given that you haven't lost anything yet) you should make it clear that your acceptance is without prejudice to any other rights you may have, particularly if you suffer further loss as a result of their negligence.
posted by Joe in Australia at 1:26 AM on February 20, 2011
