Federal Judge Finds No General Obligation for Companies To Protect Employee Data

In a March 31 ruling in Enslin v. The Coca-Cola Co. (E.D. Pa. Mar. 31, 2017), Hon. Joseph F. Leeson, Jr., of the United States District Court for the Eastern District of Pennsylvania, dismissed a proposed class action on behalf of 74,000 Coca-Cola employees. The proposed suit was brought by a former Coca-Cola technician who claimed that his identity was stolen after a laptop with his unsecured sensitive employee information fell into the public’s hands.

Judge Leeson ruled that the section of Coca-Cola’s Code of Conduct titled “Coca-Cola Enterprises’ Responsibilities to Employees” was the only portion of the Code that was enforceable against the company. That portion of the contract represented that the company would “safeguard the confidentiality of employee records” in three specific ways: (1) by advising employees of files maintained on them, (2) by collecting only data that was related to the purpose for the files, and (3) by allowing only authorized employees to use the file for “legitimate Company purposes.” Judge Leeson found that the three specific obligations that bound Coca-Cola did not create a more general obligation to safeguard its employees’ personal information, as Mr. Enslin claimed.

Judge Leeson also found that Coca-Cola’s more “detailed information security policies” outlining how employees must handle sensitive information were “for the purpose of protecting the company from harm” and not “the employees’ benefit” and consequently denied the class certification motion as moot. In doing so, Judge Leeson cited two other data breach cases—Dittman v. UPMC, 2017 WL 117652 (Pa. Super. Ct. Jan. 12, 2017), and Longenecker-Wells v. Benecard Services Inc., 658 F. App’x 659, 662 (3d Cir. 2016). In both of those cases, the courts held that Pennsylvania law does not impose a general duty on organizations to safeguard employee information.

By finding no general obligation to protect employee information, courts have pushed this question back to the state legislatures to decide whether that is an obligation that they want to place on companies by law. Forty-eight states currently have data breach laws and many states have information security statutes, but absent such legislation, employees who file class-action suits must provide clear evidence of negligence or wrongdoing.

The plaintiff has indicated that he plans to seek reconsideration of the ruling and, if necessary, appeal the ruling to the Third Circuit.