With data security concerns at an all-time high after the global “WannaCry” ransomware hack in May 2017, you may be wondering if you need to do more to protect your employees’ and customers’ personal information.
In Massachusetts, data security breaches can trigger extensive reporting requirements and corrective measures. To make things worse, employers that fail to implement proper data security protocols risk lawsuits from parties affected by the breach. A recent case from the Massachusetts Appeals Court highlights just why you need to be vigilant in your efforts to prevent improper access to, and use of, confidential data.
She Did What?!?
“Artemis” was employed as a customer service manager at Congress Auto Insurance. Because of her position, she had access to sensitive personal information, including records at the Registry of Motor Vehicles (RMV) and claims with Safety Insurance, which also insured her personal vehicle.
In 2010, Artemis and her boyfriend, “Dennis,” were arrested in Iowa after police found a stolen semiautomatic firearm, an unregistered firearm, ammunition, and a “half face” mask concealed in Artemis’ purse. Artemis admitted to law enforcement officials that the weapons were hers. She was released on bail and returned to work in Massachusetts.
A few months later, U.S. marshals arrested Artemis in Congress’ office, but she told her employer that the arrest was a “misunderstanding,” and the weapons belonged to her boyfriend. Congress didn’t investigate further because it didn’t consider the arrest “germane to her employment.” The indictment against her was ultimately dismissed in May 2012.
Seven weeks later, Dennis was involved in an accident with another motorist, “Miles,” while fleeing police in Artemis’ Mercedes. Miles filed a claim against Artemis’ insurance policy with Safety. In his claim, he identified Dennis and provided his contact information to Safety. Artemis also filed an insurance claim with Safety stating that Dennis had stolen her car. Then, using Congress’ computer portal, she accessed both her and Miles’ claims against Safety, which allowed her to obtain Miles’ name, address, date of birth, and cell phone number.
Artemis provided Miles’ name and cell phone number to Dennis, who called Miles, pretended to be a Massachusetts state trooper, and threatened to harm him if he didn’t fix the car himself and drop the insurance claim. When the state police later questioned Artemis in Congress’ offices, the company finally conducted an investigation. Despite the investigation, Congress didn’t restrict Artemis’ access to sensitive information for 4 months, when it finally fired her for misappropriating Miles’ confidential information.
Miles sued Congress for negligence based on its failure to safeguard his personal information. The lower court dismissed his claims, and Miles appealed.
An Ounce of Prevention . . .
In accordance with Massachusetts law, Congress has a data security plan in place to ensure the protection of Massachusetts residents’ personal information. Company policy also explicitly prohibits employees from using Congress’ resources to access or use a driver’s confidential information for personal or other inappropriate purposes. All employees are trained on the data security standards and sign an acknowledgment form indicating their familiarity with the data privacy requirements.
Congress periodically reminds employees about its data security policies at office meetings, and the company president regularly checks in with employees to emphasize the importance of data security. Congress also posts brightly colored signs near all employee computers to remind agents of their data security responsibilities.
The signs include warnings such as “Don’t discuss any policy coverage matters with anyone other than a named insured” and “Don’t . . . use our [computers] to access [information] for any purpose” outside “insurance work.” Finally, employees who access the RMV database through the Safety portal are required to electronically agree that they will use the accessed information only for one of four legitimate insurance-related purposes.
Worth A Pound of Cure?
With so many precautions in place, you might think it was a foregone conclusion that Congress would be able to avoid liability. Unfortunately, the Massachusetts Appeals Court didn’t agree and partially reversed the lower court’s dismissal, allowing some of Miles’ negligence claims to move forward.
To prove negligence, a person must show that (1) another party owed him a duty of care, (2) the party breached that duty, (3) there was a causal connection between the breach and harm, and (4) as a result of the breach, he suffered harm. The appeals court concluded that dismissal of the case was inappropriate because Miles had met the threshold for a negligence lawsuit against Congress.
In its defense, Congress argued that it didn’t owe Miles a duty of care because he wasn’t and had never been one of its customers and he never had any communication with the company. The appeals court disagreed, finding Congress had a legal duty to protect him from foreseeable misuse of his information by its employees.
The court drew an analogy between an employee who has electronic access to records and someone who has the keys to a house: Both parties have a duty to preserve security, and companies whose employees have access to confidential data have a duty to take reasonable measures to protect against the misuse of that data.
Next, Congress argued that it hadn’t breached the duty of care because the leaked information wasn’t “personal information” as defined by Massachusetts law. Under Massachusetts’ data security statute, “personal information” is defined as an individual’s first name and last name, or first initial and last name, plus his (1) Social Security number; (2) driver’s license number or state-issued identification card number; or (3) financial account number, or credit or debit card number.
The appeals court concluded that regardless of the statutory definition, it was still possible for a reasonable jury to find that Congress had negligently allowed Artemis access to Miles’ information.
The appeals court then took Congress to task, stating that a jury could conclude that the company didn’t act reasonably to protect Adam’s information. Congress may have breached its duty by allowing Artemis unrestricted access to confidential information, including information about her own insurance claims, and it may have breached its duty by failing to investigate her fitness for access to confidential information after her 2010 arrest, which took place inside its office.
In Massachusetts, an employer may be liable for negligence if it becomes aware or should have become aware of problems that indicated an employee was “unfit” for access to confidential information, but failed to investigate, terminate, or reassign the employee.
The duty to investigate is higher if there is a severe risk of harm to others. Here, the court concluded that Artemis’ broad access to confidential personal information heightened the potential risk that she posed to third parties. Therefore, Congress may have had a duty to investigate her fitness for access to such information when it first became aware of her criminal activity in 2010.
If Congress had conducted an investigation, it might have uncovered facts that called into question Artemis’ honesty and whether it was safe to allow her access to other people’s personal information. The company also might have determined that she wasn’t completely truthful with it, she had been arrested for possession of illegal firearms, and she was motivated to lie to protect her boyfriend, even to the extent that she would commit a crime.
In sum, the court concluded that Congress was aware of enough facts to indicate that Artemis was sufficiently untrustworthy to merit further investigation into her fitness for access to an expansive amount of sensitive personal information.
Congress also argued that even if it did owe Miles a duty, there was no connection between the harm he suffered and that duty. The company believed it shouldn’t be held liable because any harm to Miles was actually caused by Artemis and Dennis’ intervening criminal act—their use of improperly acquired information to threaten him.
Again, the appeals court disagreed, noting that the misuse of information in this case—threatening an insurance claimant—wasn’t so far outside the realm of possibility that it was “unforeseeable,” and the type of harm Miles claimed to suffer—emotional distress from the threat—wasn’t so “extraordinary” that Congress couldn’t have anticipated that it would be a possible consequence from the data breach.
Finally, Congress argued that Miles hadn’t alleged enough facts to show that he had suffered emotional distress from Dennis’ phone call. However, the appeals court noted that Miles alleged that he had been prescribed sleep medication after the call, had nightmares, and suffered worsening emotional and sleep problems as a result of the threat. The appeals court restored one count of his original complaint and allowed him to file an amended complaint on two other claims. Adams v. Cong. Auto Ins. Agency, Inc. (Mass. App. Ct., 2016)
Congress has appealed the Massachusetts Appeals Court’s decision to the Supreme Judicial Court, and because no trial has taken place, liability hasn’t been determined. Nonetheless, this is a cautionary tale for employers whose employees have access to sensitive personal information.
Congress was lucky it had a data security policy. Such policies are required of all Massachusetts employers, so if you don’t have a data security policy, you should immediately contact labor and employment counsel to develop one.
If you have a data security policy, you need to be sure to follow it to the letter, taking steps to protect sensitive information about customers and employees. That involves, at a minimum, regular review of your data security practices and procedures, coupled with adequate employee training.
Some companies layer their data security, giving the strongest protection and the least access to the most sensitive data; other companies purge unused or unnecessary data from their systems. If you gather and maintain particularly sensitive data (like the information maintained by healthcare providers), you might also contemplate hiring an outside vendor to conduct a “penetration test” of your security system, which will help you understand how much secured data a potential hacker may be able to access.
In connection with a data security policy, employers are also required to have a written information security plan (WISP). A WISP is a document that clearly explains, in plain language, each employee’s role and responsibilities if a breach occurs. You should conduct test runs of your WISP to practice what to do in case of a data security breach and to identify—and fix, if necessary—any potential problems in the policy and procedure.
Moreover, it’s critical to conduct a proper investigation if you learn an employee has committed a crime—especially when she has access to sensitive or confidential information. Limit the employee’s access to confidential information if your investigation reveals a crime that brings her trustworthiness, honesty, or integrity into question.
Finally, consider the scope of sensitive information that your employees have access to in the ordinary course of business and determine whether they really need that access to do their jobs or if more limited access would be appropriate. Be particularly vigilant when employees have access to sensitive information that pertains to themselves or their loved ones because it may create a conflict of interest.
The appeals court’s decision has a particularly significant impact for insurance agencies that allow their employees access to confidential information about insureds, claimants, or any other third parties. Insurance agencies may have an even higher duty of care than other companies, and they must put adequate data-protection rules into practice.
Insurers should also actively monitor the personal situation and personal integrity of employees with access to sensitive data, as well as periodically assess whether they can continue to have access to that information. As always, be sure to discuss questions about data security and related policies with an experienced labor and employment attorney.
|To learn more about how you can protect your company from a data security breach, join Usama Kahf, Esq. of Fisher Phillips, LLP and Lucas Amodio, (C|EH), Esq. of Armstrong Teasdale LLP as they copresent the breakout session—“Is Your TV Watching You? Cybersecurity Protection from the Internet of Things”—at the 22nd annual Advanced Employment Issues Symposium (AEIS), being held at the Paris Hotel in Las Vegas, November 15-17. Click here to learn more, or to register today.|
Stefanie M. Renaud is an associate at the firm of Skoler, Abbott & Presser, P.C and an editor of Massachusetts Employment Law Letter. Stefanie can be reached at 413-737-4753 or firstname.lastname@example.org.