Data security concerns are at an all-time high. Just a few years ago, this article suggested nearly 70% of Americans were afraid their information would be stolen by hackers (while only 18% feared being murdered). No doubt, recent reports discussing election-related hacking and the seemingly endless release of secret information by WikiLeaks have us even more frightened over digital security.
Employers need to be vigilant in their efforts to prevent improper access to and use of confidential data. Data security breaches can trigger extensive reporting requirements and corrective measures under state and federal law. To make things worse, employers who fail to implement proper data security protocols risk lawsuits from parties affected by the breach. A recent case from the Massachusetts Appeals Court highlights this danger.
In Adams v. Cong. Auto Ins. Agency, Inc., 90 Mass. App. Ct. 761 (2016), an employee with access to sensitive information about insurance claims disclosed confidential data to her boyfriend, Daniel Thomas. The employee, Elizabeth Burgos, worked as a Customer Service Representative for Congress Auto Insurance. Back in 2010, Burgos and her boyfriend were arrested after police found a stolen semi-automatic firearm concealed in Burgos’ purse. Burgos admitted to law enforcement the weapon was hers. Congress Auto Insurance later found out about the incident, but Burgos told her employer it was a “misunderstanding” and the weapon belonged to Thomas. The employer did no further investigation.
A few years later, Thomas was involved in an accident with a motorist, Michael Adams, who subsequently filed an insurance claim against Thomas. Burgos used her access to Congress’ database to obtain personal information about Adams, including his cell phone number, and gave the information to her boyfriend. Thomas then called Adams and threatened to hurt him if he did not drop the insurance claim. Following an investigation, Congress fired Burgos for misappropriating Adams’ confidential information.
Unfortunately for Congress, the story didn’t end there. Adams subsequently sued Congress for negligently failing to safeguard his personal information. The lower court dismissed this claim, but the Appeals Court reversed. The Appeals Court concluded dismissal was premature because Adams could succeed at trial under two possible theories: (1) allowing Burgos unrestricted access to confidential information unnecessary for her job; and (2) failing to investigate Burgos’ fitness for access to confidential information.
What’s the takeaway for employers? First off, now more than ever businesses need to implement practices and procedures geared toward protecting sensitive information about customers and employees. This involves, at a minimum, regular review of data security policies and procedures coupled with adequate employee training. Second, employers need to remember to do a proper investigation when they learn crimes are committed by employees—especially when such employees have access to sensitive and/or confidential information. Employers should consider limiting access to confidential information if the investigation reveals a crime undermining trustworthiness was committed.