The National Labor Relations Board (NLRB) may be yet another new sheriff in town (in addition to all the other sheriffs such as the FTC, FCC, SEC, OCR, OIG, state AGs, etc.), poised to box the ears of data breach “scofflaws” with expensive, time-consuming, conflicting and perhaps impossible-to-comply-with requirements related to computer security incidents.
Although most of the pleadings on the relevant NLRB docket are retrievable only via Freedom of Information Act request and thus do not inform this blog post, the pleadings that are available via the docket reveal that the American Postal Workers Union, the National Association of Letter Carriers and the National Rural Letter Carriers Association are claiming that the United States Postal Service violated the National Labor Relations Act (NLRA) by failing to collectively bargain with the postal workers unions before implementing a response plan related to a data breach last fall. See NLRB Case Nos. 05-CA-140690, 05-CA-143686, 05-CA-140896, 05-CA-141248. The unions claim that the plan, including provision of one year of free credit monitoring to the data subjects, should not have been implemented without collective bargaining because the plan implicated wages, benefits and/or working conditions regulated under the NLRA.
It of course remains to be seen how this NLRB proceeding ultimately plays out. But if data breaches involving unions implicate the NLRA, unionized companies are in for a whole new level of pain in attempting to comply with data breach laws that require notification, in some instances, in as few as five days after discovery.