Employers should take employee concerns regarding data privacy and security seriously not only to protect information, but also because subsequent adverse action against employees complaining about security breaches could provide the basis for a whistleblowing/retaliation claim, says a national law firm.

Jackson Lewis reports that at least one New Jersey court held recently that an employee who voices concerns regarding data security is engaged in protected whistleblowing activity under the New Jersey Conscientious Employee Protection Act. The recent amendments to the Health Insurance Portability and Accountability Act of 1996 under the American Recovery and Reinvestment Act “are prime examples of the wave of regulation directed at protecting personal data,” the law firm says. “While fear of data breaches, reputational harm, litigation and penalties usually drive company executives to action, employee whistleblower and retaliation claims also must be added to this list.”

“An employee might express concern to his supervisor that the company provides no privacy training for employees with access to personal information, or that company laptops are not password-protected. An employee might even refuse to utilize certain information systems because of a belief, correct or incorrect, that the systems are not adequately safeguarded. An employee that subsequently experiences adverse employment action, such as the termination of employment, could claim the adverse action was in retaliation for complaints concerning the company’s alleged data security deficiencies,” the law firm says.