Data Breach Class Action Filed for Negligence Related to Stolen Laptop

December 14, 2006

Jackson Lewis

http://www.jacksonlewis.com/legalupdates/article.cfm?aid=1039



The emergence of a number of state laws aimed at protecting sensitive personal information and curbing the explosion of identity theft is beginning to have a foreseeable effect on workplace litigation. Such statutes are leading to negligence lawsuits filed by employees against their employers for failing to take appropriate measures to protect the computer databases, company laptops, and other repositories of confidential and personal information. These negligence claims have the potential to create significant exposure for employers, especially those that have not taken tangible steps to safeguard sensitive information.

Many states, including California, have passed laws generally requiring that where there has been an unauthorized breach of certain personal information, the owner of that information must notify the individuals affected. See, Cal. Civ. Code § 1798.82. Additionally, many states now have laws that require entities that own or maintain personal information to implement reasonable security safeguards to protect the information from, among other things, unauthorized access. See, e.g., Cal. Civ. Code § 1798.81.5(b). (See, Responding to a Breach of Company Electronic Personal Information: Breach Notification Laws and Preventive Strategies, http://www.jacksonlewis.com/legalupdates/article.cfm?aid=1001, and related articles on protection of Social Security numbers and personal employee information, at www.jacksonlewis.com.)

While such laws attempt to address the growing problem of identity theft and the need for protection of personal information, they also increase an employer's risk of being sued, as illustrated by a class-action lawsuit filed in California in December 2006 against a multi-national corporation. A former employee of a subsidiary of the corporation has claimed that a laptop stolen from a hotel room resulted in the theft of unencrypted personal information on 50,000 current and former employees. [Mannacio v. General Electric Co., Cal. Super. Ct., CV-065227 (Dec. 5, 2006).]

The complaint acknowledges that the company sent notice of the breach to all current and former employees whose personal information was on the stolen equipment. According to the complaint, the notice informed affected individuals that the laptop contained their names and Social Security numbers. News accounts of this incident report that the date and location of the theft were not disclosed because of the ongoing criminal investigation. This delay in reporting appears to be consistent with the California data breach notification statute, which has no content requirements for the notice and provides that the notification 'may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation.' Cal. Civ. Code § 1798.82(c). There also are reports that affected employees were offered one free year of identity-theft and credit-protection monitoring service.

Nonetheless, the complaint against the company alleges that the notice was inadequate because it did not provide sufficient information about the disclosure to enable those affected to protect themselves from improper uses of the stolen information. The plaintiff also claims that by maintaining this information on a portable laptop and external hard drive, in an unsecure location, and failing to encrypt the information, reasonable safeguards were not in place to protect the information from an unauthorized breach. In addition to asking the court to order full disclosure of the types of information that could have been accessed, the plaintiff seeks compensation for all members of the class for costs they incur resulting from the disclosure, as well as costs related to reasonable measures they will need to take to protect against identity theft. These damages could be substantial, especially in the event some of the information is used to commit identity theft.

Additionally, although there is no indication of this in the complaint, the stolen information could include 'protected health information' under the privacy and security regulations issued under the Health Insurance Portability and Accountability Act (HIPAA). While there is no private right of action under HIPAA, civil penalties could be awarded if complaints are filed and regulatory violations are found to have occurred.

Employers across the country will be watching this litigation as it moves through the judicial process and potentially to a jury. A verdict against this employer could have far-reaching effects either under similar laws requiring reasonable safeguards or general principles of negligence, as alleged here. Moreover, the circumstances surrounding the theft of this laptop easily could happen anywhere in the world, as advancements in technology have made it possible to carry vast amounts of information in a small laptop computer, PDA, BlackBerry or other electronic device. What most employers and employees fail to realize is that whoever has that laptop, whether authorized to do so or not, potentially has access to that information.

Protecting the collection and maintenance of personal and confidential employee information rapidly is becoming an area of significant exposure to risk for all employers. Human resources management and other corporate repositories of personal and confidential employee information should inventory the data they maintain and evaluate the safeguards in place to protect against its breach, theft, and other unauthorized access and use. While no employer can provide absolute assurance against a security breach, taking reasonable steps now to protect the privacy and data security of that information will help not only to avoid such an incident but to defend allegations of negligence and failure to comply with applicable federal and state laws.

Jackson Lewis will continue to monitor the progress of this and other cases, as well as the development of federal and state law in this area. If you have any questions regarding this case or any other workplace privacy or employee benefits questions, please contact the Jackson Lewis attorney with whom you regularly work, or Joseph Lazzarotti with the HIPAA and Workplace Privacy Practice Group, at (914) 514-6107, lazzarottij@jacksonlewis.com.

