Quantcast
Home / News / Insurance carrier not liable for theft of personal data

Insurance carrier not liable for theft of personal data

Employee accessed database, passed on info to her boyfriend

1222neih_6_personaldataAn insurance agency could not be held liable for an employee who allegedly accessed an accident victim’s personal contact information from a database and passed it on to her boyfriend, a Massachusetts Superior Court judge has decided.

The employee’s boyfriend purportedly used the contact information to intimidate the man into dropping a claim stemming from a car accident the boyfriend had caused.

The defendant agency argued that in order to bring a claim against an insurance company for failing to safeguard confidential information, the plaintiff — who was not one of the agency’s customers — needed expert testimony that the company’s data protection efforts were out of line with procedures at other similarly situated agencies.

Judge Peter B. Krupp agreed.

“Practices and policies for maintaining, and governing access to, confidential information in the insurance business are not matters of common knowledge or experience,” Krupp wrote, granting the defendant’s motion for summary judgment. “[The plaintiff] therefore must bring forward qualified expert testimony to proceed on his negligence claim. He has not done so.”

Krupp also granted summary judgment for the defendant on the plaintiff’s claim that the agency had negligently hired and retained the employee, who had faced a federal weapons charge several years earlier. The charge was resolved without a guilty finding or plea.

“The fact that [the employee] was charged with possession of a firearm with an obliterated serial number does not support [the plaintiff’s] bare assertions that [the employee] was unfit to handle sensitive, confidential information she regularly accessed in furtherance of her job duties,” Krupp said.

The 11-page decision is Adams v. Congress Auto Insurance Agency, Inc..

Policy considerations

Defense counsel Jeffrey S. Robbins of Boston said the ruling is important because relatively little case law exists on the issue of negligence liability when data is used in impermissible ways.

“This case stands for the proposition that if bad things happen despite reasonable care exercised by a party, there won’t be any liability,” said Robbins, who practices at Mintz, Levin, Cohn, Ferris, Glovsky & Popeo. “This is very meaningful in the case of data maintenance, where there are so many possibilities out there for data being misused.”

The decision also reinforces a public policy against holding an employer liable for the misdeeds of an employee based solely on the fact that the employee has a criminal record, Robbins said.

“There are plenty of people who have criminal records, and this doesn’t even involve someone with a criminal conviction, but someone who was simply charged and not found guilty,” he said. “This is a fact pattern that one can imagine repeating itself untold times around the commonwealth for obvious reasons. So this case is really quite significant in that it joins a relatively small body of cases analyzing when and under what circumstances you can hold an employer liable when an employee with a criminal record does something to a third party.”

Thomas F. Maffei, who handles complex business litigation at Sherin & Lodgen in Boston, said while the enormous amount of electronically stored data has heightened privacy concerns and increased the potential exposure of companies to claims like the ones in Adams, Krupp got it “exactly right.”

Unless there is some reason to think an employee is likely to breach confidentiality, there really is no basis to bring such a claim against an employer, said Maffei, who was not involved in the case.

“Otherwise, employers would be strictly liable for whatever their renegade employees do,” he said. “In this case, it’s an even tougher case to make because this breach didn’t involve [the data of] one of the employer’s own customers.”

At the same time, Maffei said, companies need to be vigilant about protecting the data they store. In fact, arguments can be made that companies should be held strictly liable for data breaches as part of the cost of doing business in today’s world.

“That is certainly likely in the case of a company’s own customers,” Maffei said. “Extending it to perfect strangers might be a stretch.”

Jonathon D. Friedmann, a Boston business litigator with experience in data breach cases, said the decision also is compelling in light of the nature of the underlying facts.

“I applaud the judge for deciding the case based on the law and not getting embroiled in the inflamed factual scenario,” the Rudolph Friedmann attorney said. “So many times judges are reticent in issuing summary judgment when you have inflammatory facts, despite the potential for the jury to wander off the reservation regardless of whatever instruction the judge may give.”

John E. Sutherland of Brickley, Sears & Sorett in Boston represented the plaintiff. He could not be reached for comment prior to deadline.

Misuse of data

Defendant Congress Auto Insurance Agency hired Elizabeth Burgos as a customer service representative in 2003 and promoted her to office manager in 2010.

That year, Burgos and her boyfriend, Daniel Thomas, were on vacation in Iowa when they were stopped for speeding. A vehicle search turned up two loaded handguns in her pocketbook, a box and a half of ammunition, and a receipt for additional ammunition. One of the weapons had a serial number removed, and the other weapon was stolen.

Burgos admitted that both weapons were hers. She and Thomas were arrested, and she ultimately was indicted in federal court. The case was resolved with a diversionary disposition that did not result in a guilty plea or finding.

Congress Auto Insurance, which found Burgos’ job performance to be excellent and which never received a complaint about her reliability, honesty or professionalism, kept her on despite the criminal charge.

Two years later, on July 13, 2012, Thomas was in Burgos’ car, speeding without a license, when he ignored the efforts of state police to pull him over. He ended up hitting a car driven by plaintiff Mark Adams.

On July 24, Burgos’ auto insurer, Safety Insurance, took a statement from Adams, which included his contact information.

Burgos, who was authorized to access Safety’s electronic databases through her work at Congress Auto Insurance, allegedly accessed the databases on July 25 and 26 and discovered that Adams had filed a claim in conjunction with the accident. She allegedly took his contact information from the database and gave it to Thomas.

On July 26, Thomas allegedly called Adams and, impersonating a state police officer, made threats in an effort to get him to drop the claim and agree not to identify the person who struck his vehicle.

Saying he suffered emotional distress as a result of Thomas’ call, Adams sued Congress Auto Insurance in Superior Court, claiming that the agency negligently failed to protect his confidential information and that it negligently hired, retained and supervised Burgos.

The defendant moved for summary judgment.

Insufficient facts

Krupp found that Adams alleged insufficient facts to support a claim that Congress Auto Insurance had negligently failed to protect his personal information.

“[W]hether Congress owed a duty to Adams to safeguard personal information it was authorized to access through Safety’s databases, what that duty entailed, and whether Congress breached that duty (i.e. whether Congress was under a duty to Adams to do more than it was doing to safeguard confidential information), are all matters requiring expert testimony,” the judge said, likening the situation to cases involving an insurer’s alleged failure to comply with a contractual duty to defend.

In both cases, the standard of reasonable care for an insurer lies outside the common knowledge of the ordinary layperson, Krupp stated.

Without expert testimony, he continued, Adams “offers no evidence from which a jury could reasonably find what the standard of care was in the industry at the time, and whether Congress breached that standard of care.”

Similarly, Krupp found that the plaintiff’s complaint could not support his negligent hiring, retention and supervision claim.

Burgos’ criminal history, which entailed no conviction, was unrelated to the conduct at issue in the case, he said.

Additionally, “[t]he suggestion that ‘an employer can never hire a person with a criminal record or retain such a person as its employee “at the risk of being held liable for [the employee’s torts] flies in the face of the premise that society must make a reasonable effort to rehabilitate those who have gone astray,”’” Krupp said, quoting the Appeals Court’s 1988 decision in Foster v. The Loft, Inc.

Accordingly, he concluded that the defendant was entitled to summary judgment on both counts.

Leave a Reply

Your email address will not be published. Required fields are marked *

*