No Common Law Duty to Safeguard Social Security Numbers
Despite increasing regulations on disclosure of personal information, an Illinois appellate court recently held that disclosure of the personal information of 1,750 employees was not negligent, since there is no common law duty to protect personal information. While a strong dissent to the opinion may indicate the decision is likely to be overturned if appealed, employers should take note of the decision and of the importance of knowing the disclosure laws in their state.
In Cooney, et al. v. Chicago Public Schools, et al., a printing company was retained by the Board of Education of the City of Chicago to print and distribute a “Chicago Public Schools-COBRA Open Enrollment List” to over 1,700 former Chicago Public School employees. The list, received by each of the former employees between November 23, 2006, and November 27, 2006, contained the names of all 1,750 former employees and their addresses, social security numbers, marital status, medical and dental insurers, and health insurance plan information. The Board learned of the disclosure on November 26, 2006, and sent a letter to each former employee asking them to return the list or destroy it. On December 8, 2006, the Board mailed the former employees a letter offering one year of free credit protection insurance.
The former employees filed a class action lawsuit alleging violation of several state statutes, violation of the Health Insurance Portability and Accountability Act (“HIPAA”), and common law and statutory negligence, in addition to several other allegations. While the appellate court upheld the trial court’s dismissal on each allegation, the court’s approach to common law negligence is the one most likely to be repeated in other states.
In upholding the trial court’s dismissal on negligence, the court analyzed both state statutes and HIPAA and determined that there was no negligence because there was no applicable duty, either statutory or under common law, to safeguard the former employees’ personal information. Under HIPAA, the court held the exception for “employment records held by a covered entity in its role as employer” applied, and that since the Board was holding the former employees’ health insurance elections in its role as an employer, the disclosure fell outside HIPAA’s coverage. The dissent took issue with this analysis and drew a line between “holding” the records and actually “disclosing” them, and argued that the exception would not apply and the duty should exist under HIPAA.
So what should we take away from the ruling? Most important, companies should know their state privacy laws and what steps to take in the event of a data breach. According to Privacy Rights Clearinghouse, between 2005 and August 2010, there were unauthorized disclosures of more than 500 million sensitive records. The causes of unauthorized disclosure range from lost laptops to hackers, and no matter how thorough a company’s privacy practices, accidents can still happen. In Cooney, the Board was able to avoid liability under one particular state statute because it sent “timely notice” of the breach to the affected parties. Knowing the applicable requirements and having procedures in place to deal with a breach before it happens can help mitigate the negative consequences once a breach has occurred.