68 | 2024 Cal-Peculiarities ©2024 Seyfarth Shaw LLP www.seyfarth.com

related investigation or proceeding.65 And employers can still request username and password information for the purpose of accessing an employer-issued electronic device.66

4.8.4 Other personal information

The Court of Appeal has upheld an employee’s right to sue her employer on the basis that her supervisor had informed the workforce that the employee suffered from bipolar disorder. Although the defendant won summary judgment against this claim for invasion of privacy—on the ground that the alleged disclosure was oral only and not reduced to a writing—the Court of Appeal reversed, holding that “disclosure in a writing is not required to maintain a cause of action for public disclosure of private facts.”67

4.9 Security of Personal Information

4.9.1 Potential liability for failing to secure personal information

Businesses that collect the personal information of California consumers have an affirmative obligation to protect that information from unauthorized or illegal access, destruction, use, modification, or disclosure.68 Failure to implement reasonable security procedures and practices to protect such personal information can subject an employer to class action liability up to $750 per impacted employee per incident.69 Additionally, such failure can trigger administrative fines ranging from $2,500 for each violation to $7,500 for each intentional violation.70

Of note, the scope of this obligation is broader than the breach notice obligation (see § 4.9.2, immediately below). The affirmative obligation around reasonable security is for broadly defined “personal information.”71 Breach notice obligations only apply to “computerized data” that includes “personal information.”72 Thus the “reasonable security” obligation applies to both off-line data as well as on-line data. Similarly, the monetary liability for failure to secure “personal information” will apply to both off- and on-line data.
4.9.2 Duty to provide notice of security breaches

California businesses owning or licensing any computerized data including unencrypted (and, in some instances, encrypted) personal information must, upon breach of the security of that information, notify the affected persons “in the most expedient time possible and without unreasonable delay.”73 The items considered protected information include, but are not limited to, medical information, health insurance information, and genetic data (defined as “any data, regardless of its format, that results from the analysis of a biological sample of an individual, or from another source enabling equivalent information to be obtained, and concerns genetic material”).74

California mandates a special format for the notice to individuals affected by a breach.75 The notice must be in plain language and must be titled “Notice of Data Breach.”76 The notice must use at least 10-point font and include the following “clearly and conspicuously displayed” headlines: “What Happened,” “What Information Was Involved,” “What We Are Doing,” “What You Can Do,” and “For More Information.”77 The relevant statute also includes a template notice of breach that will “be deemed to be in compliance with” these format requirements.78

4.10 Personnel Records

In a lawsuit, the personnel files of California employees are often unavailable to the party seeking them until (1) there is a notice given to the employees and (2) the employees have the opportunity to object in court to the disclosure of their files.79

Employee privacy rights have yielded, however, when respecting privacy rights would hinder the pursuit of a class action against an employer.80 Courts have permitted class-action counsel alleging wage and hour violations to obtain the name, address, and telephone number of every current and former employee belonging to the allegedly aggrieved class, so long as the employee did not, after receiving notice, object in writing to contact by plaintiffs’ counsel.81 In Belaire-West Landscape, Inc. v. Superior Court, the Court of Appeal rejected the employer’s suggestion to shield private employee information unless the employee affirmatively agreed to be contacted. Belaire-West reasoned that “no serious invasion of privacy” was involved, as