Courts Take Opposing Approaches to Data Security 17:46, June 14, 2016

Are you confident that your employees know the value of your organization’s sensitive information and treat it with the requisite respect? Two recent employment law court cases with polar opposite consequences illustrate the need for data security vigilance and strong data protection measures to keep confidential information secure.

Prison Breach

Bernice Forrester, an employee of the medical facilities at Riker’s Island prison, sent herself nine separate emails containing confidential data about prisoner names, locations, and gang affiliations, as well as protected health information covered by the Health Insurance Portability and Accountability Act (HIPAA). The Department of Corrections (DOC) discovered the online security breach and suspended Forrester’s security clearance, effectively terminating her employment at the prison.

Forrester denied forwarding herself the emails, but did state that she had sent herself other work-related emails to retain as evidence of mistreatment. She later sued for violations of the Americans with Disabilities Act (ADA) for alleged discrimination based on her disability, diabetes.

The Court found neither evidence of disability discrimination, nor any “record evidence to support Forrester’s theory that the emails were deliberately planted [as a pretext for discrimination] in an effort to fire her.”

“As a result of this breach,” wrote the Court, “the [DOC] indefinitely suspended Forrester’s security clearance. Without a valid security clearance, Forrester could not work on Riker’s Island, and her employment was terminated.”

“The loss of [Forrester’s] security clearance is a legitimate, nondiscriminatory ground for Defendants’ decision to terminate her employment,” the Court concluded. Forrester v. Prison Health Servs. (2nd Cir. 2016) no. 15-1098-cv. See also: Forrester v. Prison Health Servs. (EDNY 2015) no. 12-CV-363 (NGG) (LB)

Reasonable Access & Disclosure Protected

A lawyer named Kamee Verdrager believed that the Boston law firm she worked for—Mintz, Levin, Cohn, Ferris, Glovsky & Popeo, PC (Mintz)—was discriminating against her due to her gender in violation of Massachusetts law. In need of evidence, Verdrager searched for and made copies of confidential work documents to share with her attorney.

Mintz learned what Verdrager had done and terminated her employment for violating the firm’s confidentiality policy, which stated that documents “shall not be removed from the office or used for any reason other than the delivery of services on behalf of the firm.”

In the ensuing gender discrimination lawsuit, Mintz denied Verdrager’s claims, arguing that it had fired her for accessing and sharing confidential information. Verdrager protested that accessing and providing the documents to her attorney was a protected activity under state law, and therefore was not a reason to fire her.

The Court held that “an employee’s accessing, copying, and forwarding of documents may, in certain limited circumstances, constitute protected activity, but only where her actions are reasonable in the totality of the circumstances [such as how the employee accessed and used the document, the employer’s data protection policy, and whether the access and disclosure furthered the purposes of the Massachusetts anti-discrimination laws].”

In short, the Court left open the possibility that Verdrager’s document-disclosing activities were legally protected. It will now be up to the trial court to apply these guidelines as the case unfolds. Verdrager v. Mintz, Levin, Cohn, Ferris, Glovsky & Popeo, PC, & others (MSJC 2016) no. SJC-11901

Key Takeaways

Employers cannot rely on the courts to keep their data secure from internal and external breaches. First, by the time the issue reaches a court, it’s usually too late—the breach has already occurred. Second, as these cases illustrate, the facts (as well as differences in state and federal law) can lead the courts to widely divergent and unpredictable results when personnel misuse sensitive confidential information.

Online compliance training is one way employers can incorporate better data security. To learn more, visit us here: LawRoom.com.

Steve Treagus
The previous practice of Stephen Treagus, JD, as an attorney specializing in employment litigation exposed him to the rough-and-tumble world of employment relationships gone awry. Today, this experience informs his articles and courses, helping employers avoid costly litigation and get employment law right. Stephen earned his JD from John F. Kennedy University School of Law and his BA from Sonoma State University.
