Wisconsin Signals Limitations on Employer Liability for Employee Data Breaches Amundsen Davis LLC JDSupra

Under Wisconsin law, employees must first be the victim of identity theft or other concrete, imminent harm to have standing to sue employer for data breach. Mere risk of future data misuse is not enough to establish standing.

Business owners and executives are well aware of the risk of data breaches, given the proliferation over the past decade or so. Many times, we think of data breaches in terms of customer information only. What is often less pondered is what happens when the data breach is not of your customers' information, but of your own employees'. And importantly, what kind of liability may the business face for a breach of its own employees' data?

A recent Wisconsin Court of Appeals decision, though unpublished, signals that there are limits to an employer's liability in such situations. In Bauer v. Fincantieri Marine Group, LLC, 2025 Wisc. App. LEXIS 1028, *1, 2025 LX 537092, 2025 WL 3210945, the employer suffered a ransomware attack that subjected its own employees' data to a breach. The employer's investigation determined that its current and former employees' data may have been viewed or collected during the breach, and it provided notice to the affected individuals and offered free credit monitoring services.

A group of employees brought a class action lawsuit alleging claims for negligence, breach of contract, breach of fiduciary duty, and several other claims. The employer filed a motion to dismiss, arguing that the negligence claim should be dismissed for a lack of standing and the other asserted claims were subject to dismissal on other grounds. The trial court agreed and dismissed the complaint.

On appeal, the court of appeals held that all claims should be dismissed based solely on a lack of standing. The court explained that none of the employees experienced identity theft or other real, immediate harm from the data breach. Further, the mere increased risk of possible identity theft in the future was not enough to count as an injury under the law. As a result, all of their claims failed.

Importantly, the court juxtaposed the situation in Bauer to the situation in Reetz v. Advocate Aurora Health, Inc., 2022 WI App 59, ¶8, 405 Wis. 2d 298, 983 N.W.2d 669. In Reetz, dozens of employees' direct deposit information was changed by a cybercriminal to deposit their paychecks into the cybercriminal's accounts, and there were other allegations of fraudulent charges on accounts, overdraft fees, and the like, leading that court to find standing existed. The Bauer court drew the distinction that the allegations in Bauer amount to only a data breach resulting in an increased risk of potential future harm, whereas in Reetz the employees suffered actual, tangible injury to their interests.

While Bauer is an unpublished decision, it nevertheless provides guidance as to where the line will be drawn by a Wisconsin court in future similar situations. It is unlikely employee data breach lawsuits will be allowed to proceed absent actual identity theft or concrete misuse of data.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.