In September 2017, Equifax announced that hackers had gained access to the confidential information of more than 145 million consumers, almost half of the U.S. population. The Equifax incident was a game changer due to the volume and sensitivity of the consumer information that was stolen, including names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers.

Recent cases suggest that employers could be subject to liability when one of their employees causes a data breach by either knowingly or negligently revealing sensitive employee or customer data. In March 2016, for example, Sprouts Farmers Markets became the victim of a cyberattack when an employee in the payroll department responded to an email that appeared to come from a Sprouts senior executive requesting Forms W2 for all employees. The employee sent the forms, which contained employees’ names, Social Security numbers, salaries, mailing addresses and other personal data. The affected employees brought lawsuits in multiple districts, which were consolidated and then stayed pending a decision in a U.S. Supreme Court case addressing whether individual arbitration agreements signed by each of the employees precluded a class action in In re Sprouts Farmers Market, Employee Data Security Breach Litigation, No. 2:16-MD-02731 (May 24, 2017).