On August 16, 2022, HanesBrands, Inc. (“Hanes”) reported a data breach with various state government entities after the company experienced a ransomware attack. According to Hanes, the breach resulted in the names; dates of birth; financial account information; driver’s license numbers; passport information; Social Security numbers; and other employment-related information being compromised. After confirming the breach and identifying all affected parties, HanesBrands began sending out data breach letters to all affected parties.
If you received a data breach notification, it is essential you understand what is at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the HanesBrands data breach, please see our recent piece on the topic here.
What We Know About the HanesBrands Data Breach
The information about the HanesBrands, Inc. data breach comes from various company filings with state government entities. According to the most current information, on May 24, 2022, Hanes learned that the company was the victim of a ransomware attack. In response, Hanes secured its servers, contacted law enforcement, and retained the services of an outside cybersecurity firm to assist with the company’s investigation.
As a result of this investigation, Hanes confirmed that an unauthorized party was able to access certain files on the company’s computer network containing sensitive employee data.
Upon discovering that sensitive consumer data was accessible to an unauthorized party, HanesBrands began the process of reviewing all affected files to determine what information was compromised and which consumers were impacted by the incident. While the breached information varies depending on the individual, it may include your contact information; date of birth; financial account information; government issued identification numbers such as driver’s license numbers, passport information and social security numbers; and other information related to benefits and employment, including certain limited health information provided for employment-related purposes.
On August 16, 2022, HanesBrands sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident.
More Information About HanesBrands, Inc.
Established in 1901, HanesBrands, Inc. is a manufacturer, designer and retailer based in Winston-Salem, North Carolina. The company produces and markets a wide range of basic apparel for men, women and children, including underwear, sweatshirts, T-shirts, socks, sleepwear, pants and slippers. HanesBrands employs more than 59,000 people and generates approximately $7 billion in annual revenue.
Can Employees Hold Employers Liable for Data Breaches Affecting Their Information?
Yes, as an employee, you may be able to pursue a legal claim against your employer if your information was leaked as a result of a data breach. However, just because a data breach occurred does not necessarily mean that an employer was responsible. Typically, employees must prove that their employer was negligent and that they suffered harm as a result of the breach before being able to recover financial compensation after a data breach.
As is the case with most negligence cases, proving a data breach claim requires employees to prove, 1.) the company owed them a duty of care, 2.) the company violated the duty owed to employees, and 3.) the company’s breach of this duty caused or contributed to the data breach.
While proving the elements of a data breach case may seem straightforward, that is not necessarily the case. While all employers owe a duty to keep employees’ personal, financial and healthcare-related information safe, whether a company violated that duty is often less clear.
Additionally, employers often place blame for a breach on the third-party criminal actor who orchestrated the attack, which can make meeting the “causation” element challenging. Of course, just because a criminal actor carried out the attack doesn’t mean that an employer is immune from liability. Employers have a legal duty to implement adequate data security systems to protect employee data. And whether an employer’s data-security measures are sufficient can be called into question.
When it comes to “damages” in a data breach lawsuit, the most common types of damages relate to identity theft and other frauds committed against victims. However, courts may permit data breach victims to proceed with a case even if they have not yet fallen victim to identity theft or fraud to recover damages. These courts have held that the increased risk of identity theft in the future is sufficient to recover damages.
Victims of a data breach involving their employer should reach out to a dedicated data breach lawyer for assistance.