In October 2014, the United States Postal Service (USPS) disclosed a cybersecurity data breach affecting approximately 800,000 current and former employees. The USPS later determined that, for some, the breach may have included names, addresses, dates of birth, Social Security numbers, and even medical records. Like others before it that have experienced this type of data breach, the USPS offered those affected a full year of free credit monitoring. The difference in this case is that many of those impacted were employees represented by labor unions.
Acting on behalf of those employees, the labor unions (the American Postal Workers Union, AFL-CIO and the National Rural Letter Carriers’ Association) sought information from the USPS about the breach and demanded to bargain with the USPS about the effects of the breach on the union-represented employees. The USPS rejected the Unions’ demand, and, in November of 2014, the Unions filed unfair labor practice charges against the USPS with the National Labor Relations Board (NLRB).
On March 31, 2015, the NLRB found merit in those charges and issued complaints against the USPS alleging that it violated the law by:
- Refusing to bargain with the Unions about the effects of the “cybersecurity breach” on union-represented employees;
- Failing to provide information to the Unions concerning the data breach as it relates to union-represented employees; and
- Unilaterally granting one year of free credit monitoring services and fraud insurance to union-represented employees without first giving the Unions notice and an opportunity to bargain about those benefits.
The NLRB has long held that an employer must bargain with the union representing its employees before granting a benefit and about issues impacting terms and conditions of employment. As part of the general duty to bargain, employers must also provide those unions with the information they require to represent those employees effectively. Even when faced with confidentiality concerns, the law requires that an employer bargain with unions about those confidentiality issues. How the NLRB will apply these principles to a cybersecurity data breach remains to be seen. For example, at what stage must an employer begin to involve the union, and how much information must it share? How much bargaining will it require, and what happens in the meantime?
Trials are scheduled before administrative law judges for May of this year. As these cases work their way through the administrative process, we can expect some guidance on the extent to which an employer must involve unions when it experiences a cybersecurity breach.