A postal workers union recently filed an unfair labor practice charge with the National Labor Relations Board over the U.S. Postal Service’s handling of a recent data breach. If successful, companies can add union negotiations to the already robust list of concerns companies must attend to during cyber-attacks. This is the first time a union has alleged that it has a right to negotiate with an employer over the benefit that an employer offers in connection with a security incident or breach.
Specifically, the union took issue with USPS’ offering employees affected by the incident one year of free credit-monitoring, a decision that the postal workers characterized as a unilateral change to wages, hours, and working conditions that an employer is not permitted to make without first bargaining with the union. According to the union, the employer failed to give advance notice “that would enable it to negotiate the impacts and effects” on employees of the cyber-attack that the USPS publically disclosed the same day the union lodged its charge.
Now that the union has brought the issue to the forefront, companies that experience security incidents that compromise data belonging to unionized employees will have to start factoring communications with the union into their already jam-packed response efforts, despite there being a clear conflict between the need to respond to data breaches quickly and the need to talk to the union. A realistic drawback to negotiating with the union over the types of products or services that may be offered to employees could also result in the breach being disclosed before the company has made a formal announcement, since the union would not be under any obligation to maintain the confidentiality of the information that it learns from the company.