Under Wisconsin law, employees must first be the victim of identity theft or other concrete, imminent harm to have standing to sue their employer for a data breach. Mere risk of future data misuse is not enough to establish standing.
Business owners and executives are well aware of the risk of data breaches given their proliferation over the past decade or so. Many times we think of data breaches in terms of customer information only. What is less often pondered is what happens when the breach involves not your customers’ information but your own employees’. And, importantly, what kind of liability may the business face for a breach of its own employees’ data?
Wisconsin Requires Actual Harm in Data Breach Claims
A recent Wisconsin Court of Appeals decision, though unpublished, signals that there are limits to an employer’s liability in such situations. In Bauer v. Fincantieri Marine Group, LLC, 2025 Wisc. App. LEXIS 1028, *1, 2025 LX 537092, 2025 WL 3210945, the employer suffered a ransomware attack that subjected its own employees’ data to a breach. The employer’s investigation determined that its current and former employees’ data may have been viewed or collected during the breach, and it provided notice to the affected individuals and offered free credit monitoring services.
A group of employees brought a class action lawsuit alleging claims for negligence, breach of contract, breach of fiduciary duty, and several other claims. The employer filed a motion to dismiss, arguing that the negligence claim should be dismissed for a lack of standing and the other asserted claims were subject to dismissal on other grounds. The trial court agreed and dismissed the complaint.
On appeal, the court of appeals held that all claims should be dismissed based solely on a lack of standing. The court explained that none of the employees experienced identity theft or other real, immediate harm from the data breach. Further, the mere increased risk of possible identity theft in the future was not enough to count as an injury under the law. As a result, all of their claims failed.
Importantly, the court contrasted the situation in Bauer with the situation in Reetz v. Advocate Aurora Health, Inc., 2022 WI App 59, ¶8, 405 Wis. 2d 298, 983 N.W.2d 669. In Reetz, dozens of employees’ direct deposit information was changed by a cybercriminal to deposit their paychecks into the cybercriminal’s accounts, and there were other allegations of fraudulent charges on accounts, overdraft fees, and the like, leading that court to find that standing existed. The Bauer court drew the distinction that the allegations in Bauer amounted to only a data breach resulting in an increased risk of potential future harm, whereas in Reetz the employees suffered actual, tangible injury to their interests.
Key Takeaways for Employers Responding to Employee Data Breaches
While Bauer is an unpublished decision, it nevertheless provides guidance as to where the line will be drawn by a Wisconsin court in future similar situations. It is unlikely employee data breach lawsuits will be allowed to proceed absent actual identity theft or concrete misuse of data.

