Why internal communications matter during a data breach
When a data breach hits an employer’s systems, courts and regulators pay close attention to what the organization did after it discovered the incident, including how and when it communicated with affected individuals.
The class action complaint filed by former employee Matthew Rumping against Hixson Holdings, Inc. is a clear example of how internal statements to workers can become central evidence of negligence and delayed notifications.
The complaint alleges that Hixson held highly sensitive employee and family information that was accessed during a detected cybersecurity incident in November 2024. After a lengthy investigation, Hixson sent breach notices nearly an entire year later. During that precious time between breach and notification to victims, the company allegedly told employees that their information had not been affected. Those alleged assurances, and the delay that followed, are at the core of the lawsuit.
While it’s too early for the judge to rule on the case, the alleged incident is a teachable moment for businesses.
“For companies that maintain employee Social Security numbers, health-insurance data, and payroll information, the best way to protect themselves from claims like those in the Rumping lawsuit is to show that they have a mature incident-response program that includes timely, accurate internal notifications to their own workforce,” said Jacey Kaps, a cybersecurity litigator with RumbergerKirk.
“Courts look closely at whether an employer detected the incident promptly, communicated transparently with employees, avoided giving premature assurances, and issued notice as soon as the scope was confirmed. Even when the underlying incident is unavoidable, having a clear protocol for internal communications, a documented review process, and a commitment to correcting initial assessments with updated information goes a long way toward demonstrating reasonable care and reducing exposure under negligence and delayed-notification theories.”
What the Hixson complaint alleges about the breach
According to the complaint, Hixson is an architecture, engineering, and project management firm headquartered in Cincinnati, Ohio. As an employer, it collected and stored employees’ personally identifiable information and protected health information, including names, addresses, Social Security numbers, contact information, medical and insurance information, and payroll-related banking data.
Timeline of events
The filing states that:
- On November 5, 2024, Hixson detected a cybersecurity incident affecting its computer network and hired external cybersecurity professionals to investigate.
- The investigation concluded on October 9, 2025, after identifying what information had been accessed and which individuals were affected.
- On October 31, 2025, Hixson filed a notice of data breach with the Massachusetts Attorney General and began sending letters to impacted individuals.
Plaintiff Matthew Rumping is a former employee who says Hixson held personal information belonging to him, which he provided because it was required for employment and benefits, as well as personal data belonging to his family, who were covered by the company’s health insurance.
Rumping alleges that after the incident, he personally asked whether his and his family’s information had been compromised and was told it had not. He also alleges that Hixson held an in-person employee meeting in which workers were told the breach affected only clients, not employees.
Despite those assurances, Rumping, his wife, and his minor child later received breach-notification letters informing them that their information was compromised in the same incident.
How the complaint connects timing and harm
The complaint links the communication timeline directly to alleged harm. Rumping says he highly values privacy, stores physical documents securely, and uses strong, unique credentials for online accounts. He alleges that, to the best of his knowledge, his family’s information had never previously been involved in a data breach.
After the incident, he and his wife spent time researching the breach and monitoring accounts. The complaint states that they experienced fraudulent charges on a joint checking account in March and September 2025, which led them to close debit cards and obtain new ones, and that they saw a noticeable increase in spam calls, messages, and emails.
Categories of harm alleged
The lawsuit alleges:
- Lost time and money spent monitoring accounts and credit reports.
- Loss of privacy and of the “benefit of the bargain”, the contract-law principle that a party is entitled to the advantage it would have received had the contract been performed as intended, including in employment contracts. Because Hixson allegedly did not adequately protect the information it required as a condition of employment, it may be liable for damages to parties who expected that their employment relationship would protect the information they were required to disclose.
- Emotional distress tied to the combination of sensitive data exposure and earlier assurances that the data was safe.
- Ongoing increased risk of identity theft and fraud for years into the future.
Whether the court ultimately agrees with these causation claims is a separate issue. The important point for employers is that the plaintiffs in this case connect delays and inaccuracies in internal communication directly to their claimed harms: first they were told there was nothing to worry about, only to be forced later to fight fraud and identity theft attempts.
What the law expects on breach response and notification
The legal expectations around breach response come from a combination of federal guidance and state statutes.
Federal expectations (FTC)
The Federal Trade Commission’s “Data Breach Response: A Guide for Business” instructs organizations that have experienced a breach to quickly secure systems, investigate what happened, and notify appropriate parties, including affected individuals, as soon as possible once it’s discovered that personal information may have been exposed. The guidance tells businesses to provide accurate information about what is known, what the organization is doing, and what steps people should take to protect themselves.
State-level requirements
At the state level, data breach notification laws now exist in all 50 states, the District of Columbia, Puerto Rico, the Virgin Islands, and Guam. An academic article in the Chapman Law Review notes that these laws typically require notification “without unreasonable delay” once a company determines that personal information has been compromised, although exact timelines and triggers vary by jurisdiction.
Recent empirical and doctrinal work on breach-notification laws points out that these statutes have two primary purposes: to enable individuals to mitigate harm by taking timely protective steps, and to create incentives for organizations to improve data security and response practices.
Taken together, the FTC guidance and state statutes establish a basic expectation: once an organization has reason to believe that sensitive personal information has been accessed by an unauthorized party, it should investigate promptly and notify affected individuals without unreasonable delay, giving them information they can use to protect themselves.
The Rumping complaint alleges that Hixson detected a breach in early November 2024, completed its review in October 2025, and sent notices at the end of that month. Whether that sequence is considered reasonable under applicable law will depend on the particular state statutes and facts the court applies.
How internal communications affect liability
Hixson’s internal communications to affected employees are a factual record of what the company believed, and what it told people, at various points in time.
The complaint alleges that Hixson:
- Had employee and dependent data in its systems at the time of the incident.
- Knew a cybersecurity event occurred on November 5, 2024.
- Told employees their information was not affected.
- Later sent those same employees breach notices tied to the same incident.
Those allegations support several of the legal claims asserted in the case, including negligence, negligence per se (based on alleged violations of FTC Act Section 5 and data security standards), breach of implied contract, unjust enrichment, and breach of confidence.
This description aligns with what appears in publicly available guidance and commentary. The FTC emphasizes that organizations should strive for speed, accuracy, and a consumer focus in breach-related communication. Academic work on notification laws highlights that courts examine whether an organization’s response allowed individuals to act in time to mitigate harm, and whether the company’s conduct was reasonable given what it knew and when it knew it.
In that context, internal emails, meetings, FAQs, and talking points can all become evidence of the organization’s knowledge and its decisions about what to tell employees.
Lessons for employers managing employee and dependent data
Most employers in the United States host and maintain the same categories of employee data at issue in the Rumping complaint. Payroll systems, benefits platforms, dependent coverage, and direct deposit all require sensitive information. The core lessons from this case and from the broader legal landscape are summed up in three practical concepts.
First, breach detection and investigation cannot be separated from communication. Regulators expect organizations to investigate quickly, but state laws do not usually permit unlimited delay while every detail is resolved. The point of “without unreasonable delay” is to ensure that people whose information has been exposed have a meaningful chance to protect themselves.
Second, premature assurances are risky. If an employer tells employees that their data is not affected, and that statement later proves wrong, plaintiffs will point to the gap between the assurance and the eventual notice as evidence that the company failed to act reasonably.
Third, corrections matter. If new forensic or logging data shows that earlier assessments were incomplete, employers need a defined process for updating internal and external communications. That is consistent with the FTC’s guidance, which contemplates ongoing investigation and further communication as new details emerge.
The Rumping lawsuit is one example, but it sits within a broader environment where regulators, courts, and scholars are all paying attention to the same themes: timing, accuracy, and the ability of individuals to mitigate harm once a breach occurs.
Breach-response checklist for any organization
Incident detection and containment
- Confirm that a cybersecurity incident has occurred and record the date, time, and method of discovery.
- Secure affected systems, isolate compromised devices, and begin forensic analysis.
Investigation and documentation
- Identify what data types were potentially accessed, including employee and dependent information.
- Determine which systems held that information during the incident window.
- Document key findings and decisions throughout the investigation.
Internal communications
- Inform appropriate internal stakeholders when there is a reasonable possibility that personal information has been accessed.
- Communicate clearly what is known, what is unknown, and what steps are under way.
- Avoid categorical statements that specific groups are unaffected unless that conclusion is supported by evidence.
Notification to affected individuals
- Provide initial notice when investigation results indicate that sensitive information was likely accessed, consistent with state “without unreasonable delay” standards.
- Follow up with more detailed notice as the scope becomes clearer, including what information was involved and what actions individuals can take.
- Update notices and internal FAQs if new facts change the understanding of who was affected.
Post-incident remediation and review
- Strengthen access controls, monitoring, and data handling practices identified as weak points during the incident investigation.
- Review and revise the incident response plan based on lessons learned.
- Conduct training so future internal communications follow a defined, documented process.
Breach-response checklist for organizations using ThreatLocker
Containment using zero trust and least privilege
- Apply default-deny policies to stop unauthorized applications from running on endpoints and servers.
- Use Ringfencing™ to limit how authorized applications interact with sensitive data stores.
- Stop new or unknown executables that appear during the incident window until they are reviewed.
Using ThreatLocker telemetry for investigation
- Review audit logs for the timeframe around the incident to identify which applications and processes accessed HR, payroll, or benefits systems.
- Analyze denied applications, privilege elevations, and network traffic to see which attempted behaviors were blocked, including access to sensitive data locations.
- Map user accounts and devices associated with suspicious behavior to understand potential employee impact.
Evidence-based internal communications
- Use ThreatLocker reports and audit log exports to inform internal updates, so statements about affected systems and users are grounded in recorded activity.
- Avoid blanket assurances that employee data was not involved until log and forensic data support that conclusion.
- Issue corrected internal messages if additional ThreatLocker logs later show that more systems or users were involved.
Notification workflow
- Integrate ThreatLocker findings into the list of potentially affected individuals and systems, to support timely and accurate notification decisions.
- Document how ThreatLocker telemetry informed the determination of who was at risk and when that determination was reached.
Post-incident hardening with ThreatLocker
- Create or tighten policies around access to HR, benefits, and payroll applications and databases.
- Add new application controls to block the tools and techniques observed in the attack.
- Use ThreatLocker dashboards and reports to verify that all new controls are in place and working as intended.
Handled this way, a breach is still a serious event, but the organization is in a much better position to show that it followed recognized guidance, complied with notification laws, and treated employees’ information with appropriate care.
Frequently asked questions
Why do internal communications matter in a data breach?
Courts view internal statements as evidence of whether the organization acted reasonably. Any inaccurate or premature assurances can support negligence claims.
What does “without unreasonable delay” mean in breach laws?
It means organizations must notify affected individuals as soon as they reasonably believe sensitive information was accessed, even if the investigation is still ongoing.
How can an employer reduce breach-related liability?
By maintaining a documented incident-response plan, avoiding premature statements, updating employees as new findings emerge, and following FTC and state notification guidance.
Why do employees sue after delayed notification?
Plaintiffs argue that delays reduce their ability to protect themselves from fraud, which may increase damage claims such as financial loss, time spent, and emotional distress.
How does ThreatLocker support breach readiness?
ThreatLocker logs, Zero Trust controls, and evidence-based reporting help organizations assess affected systems accurately, contain risk, and support timely notification decisions.