A judgment by the National High Court opened up the possibility of applying a temporary layoff file as a company is compromised by a hack and cannot go on with its activity as usual.

On March 9, 2021, a routine morning at Spain’s State Public Employment Service (SEPE) turned into a day of chaos and confusion. A sophisticated ransomware attack Ryuk paralyzed its computer systems, blocking access to its website and halting the administration of unemployment benefits nationwide. The impact was immediate: thousands of delayed appointments and beneficiaries facing uncertainty about their benefits.
In the next days, SEPE technicians worked tirelessly to regain control. On March 11, they managed to partially reopen the web portal, and by March 15, the appointment system was operational again. However, it wasn’t until April 20, more than a month later, that the incident was considered fully resolved, although there was still work to be done.
This cyberattack not only exposed the critical vulnerabilities of a government entity, but also served as a warning about the potential labor and legal risks of such incidents in the business environment.
From a labor perspective, what happens by the time a company is compromised by a breach in its protection systems and cannot go on with its activity as usual?
The Judgment no. 37/2022 of the National High Court of 14 March 2022 addressed a case of Hack to an organization. Opposite to the criteria of the General Directorate of Employment and the Labor and Social Security Inspectorate, this judgement established that a cyberattack could be considered a case of force majeure to apply a temporary layoff file, as established in article 47.5 of the Workers’ Statute.
The classic concept of force majeure has been associated by case law with the existence of an event external to the circle of the company and completely independent of the will of the employer, which deepen into the idea of the extraordinary, catastrophic or unusual, normally unusual, and therefore, not reasonably foreseeable, being the disconnection between the harmful event and the area of action of the company, which explains and justifies the suspension of business activity.
Therefore, and in accordance with the judgment of the National Appellate Court, we understand that not every hack allows a temporary layoff due to force majeure to be carried out, but it does in situations where:
1. The computer attack, directed by third parties outside the entity, exceeds the predictability, avoidance, and control of the employer. In other words, the company’s security means, controls, policies and systems should be adequate to avoid this type of incident, as expected of an orderly and diligent employer. As the judgment states: “(…) It cannot be assured that a computer attack or the impact of a virus are totally unforeseeable circumstances (and neither can ransomware) (…). However, in this particular case, sufficient factors demonstrate that the level of business diligence to prevent this risk has been adequate.”
2. The company’s activity is mostly digital or a significant part of it is affected by the computer damage suffered.
3. The long-term effects of cyberattacks are the reason why the service cannot be provided normally, with warranty and security. This means that there is a causal link between the computer attack suffered by the company and the impossibility of effectively employing the employees.
4. It is applied only to the group of employees who cannot carry out their activity, in an absolute and objective way, nor can they be provided with effective employment because normality and computer security have not been restored.
5. In conclusion, the convergence of cyberattacks and the legal framework of force majeure temporary layoff opens up a field that is still slight explored, which requires greater focus and understanding. Becoming cybersecurity in an essential element for business continuity, it is essential that employment law adapts to the new complexities of this digital environment.
Companies must not only strengthen their IT security systems, but also thoroughly understand the legal consequences of cyberattacks in the workplace. A comprehensive understanding of this reality will allow for more effective preparation and a more accurate response in critical situations, which will allow both organizations and their employees to be safeguarded. Adapting to this scenario is not only a challenge of business resilience, but also a legal and ethical obligation that will shape the future of work in the digital age.
In a world where reliance on digital systems is increasing, companies and public entities are forced to navigate a sea of cyber risks. Accelerated digitalization and the increasing focus on information security have increased awareness of the need to protect data. However, this has also intensified the interest of hackers when accessing this information, underscoring the imperative need for adaptive employment law, capable of responding to the complex interactions between cybersecurity and employment law.

 

Leticia Valle

Labor and Employment Department of Garrigues