Federal Judge Finds No General Obligation for Companies To Protect Employee Data
In a ruling on March 31, Enslin v. The Coca-Cola Co. (E.D. Pa. Mar. 31, 2017), Hon. Joseph F. Leeson, Jr., of the United States District Court for the Eastern District of Pennsylvania, dismissed a proposed class action on behalf of 74,000 Coca-Cola employees. The proposed suit was brought by a former Coca-Cola technician who claimed that his identity was stolen after a laptop with his unsecured sensitive employee information fell into the public’s hands.
Judge Leeson ruled that the section of Coca-Cola’s Code of Conduct titled “Coca-Cola Enterprises’ Responsibilities to Employees” was the only portion of the Code that was enforceable against the company. That portion of the contract represented that the company would “safeguard the confidentiality of employee records” in three specific ways: (1) by advising employees of files maintained on them, (2) by collecting only data that was related to the purpose for the files, and (3) by allowing only authorized employees to use the file for “legitimate Company purposes.” Judge Leeson found that the three specific obligations that bound Coca-Cola did not create a more general obligation to safeguard its employees’ personal information, as Mr. Enslin claimed.
Judge Leeson also found that Coca-Cola’s more “detailed information security policies” outlining how employees must handle sensitive information was “for the purpose of protecting the company from harm” and not “the employees’ benefit” and consequently denied the class certification motion as moot. In doing so, Judge Leeson cited two other data breach cases—Dittman v. UPMC, 2017 WL 117652 (Pa. Super. Ct. Jan. 12, 2017), and Longenecker-Wells v. Benecard Services Inc., 658 F. App’x 659, 662 (3d Cir. 2016). In both of those cases, the courts held that Pennsylvania law does not impose a general duty on organizations to safeguard employee information.
By finding no general obligation to protect employee information, courts have pushed this question back to the state legislatures to decide whether that is an obligation that they want to place on companies by law. Forty-eight states currently have data breach laws and many states have information security statutes, but absent such legislation, employees who file class-action suits must provide clear evidence of negligence or wrongdoing.
The plaintiff has indicated that he plans to seek reconsideration of the ruling and, if necessary, appeal the ruling to the Third Circuit.