Data Protection Report - Norton Rose Fulbright

The U.S. National Labor Relations Board (NLRB) recently filed complaints against the United States Postal Service (USPS), alleging that the USPS violated the National Labor Relations Act (NLRA) by failing to collectively bargain with its employees’ union regarding the postal service’s response to a 2014 data breach that reportedly affected over 800,000 current and former postal employees. Specifically, in one of its complaints, the NLRB alleged that the postal service’s unilateral decision to provide credit monitoring and fraud insurance to affected employees without engaging in collective bargaining with the union on these issues violated Sections 8(a)(1) and (5) of the NLRA. These provisions of the NLRA mandate collective bargaining for any issue that relates to the “wages, hours, and other terms and conditions of employment.”

This NLRB complaint arose from charges filed by the American Postal Workers Union (APWU) in connection with the handling of the breach by the USPS. The NLRB alleged that, in responding to the breach, USPS violated the NLRA by: (1) failing to furnish various information that the union requested in connection with the breach, including details about the USPS’s investigation of the breach; (2) failing to collectively bargain with the union about the effects of the breach on union members; and (3) unilaterally providing one year of credit monitoring services and fraud insurance, at no cost to the employees, without prior notice to the APWU, and without affording the opportunity to bargain with respect to the remedy. The NLRB reportedly filed a substantially identical complaint in connection with charges filed by the National Rural Letter Carriers’ Association arising out of the same breach.

The NLRB has thus taken an unprecedented position that matters of breach response and notification, where the breach affects employees, relate “to the wages, hours, and other terms and conditions of employment” under the NLRA. The NLRB thus interprets the NLRA to require employers to engage in active negotiations with and reach agreements with unions in responding to breaches affecting union employees.

Our Take

The NLRB’s position that breach response is subject to collective bargaining may create new legal obligations and additional burdens in the breach notification process that companies will need to consider going forward. If the NLRB ultimately concludes that the USPS had an obligation to engage in collective bargaining over the service’s breach response, the decision will likely add significant obstacles, delays and costs in the breach notification process for employee breaches. Companies may be faced with acrimonious and protracted negotiations in the middle of a crisis situation, and collective bargaining requirements may adversely impact a company’s ability to comply with breach notification laws. Moreover, if organizations are forced to notify labor unions before formal notification of a breach is made, press leaks may occur that could put additional pressure on the company. The NLRB’s effort to bring unions into the breach response process should provide an additional, compelling incentive for companies to implement robust information security and incident response policies and procedures. Companies with unionized employees may wish to engage with their employees’ unions to proactively develop acceptable breach response plans so that when a breach happens, negotiations with the union are not conducted hastily or under duress.