Courts Take Opposing Approaches to Data Security
Are you confident that your employees know the value of your organization’s sensitive information and treat it with the requisite respect? Two recent employment law court cases with polar opposite consequences illustrate the need for data security vigilance and strong data protection measures to keep confidential information secure.
Bernice Forrester, an employee of the medical facilities at Riker’s Island prison, sent herself nine separate emails containing confidential data about prisoner names, locations, and gang affiliations, as well as protected health information covered by the Health Insurance Portability and Accountability Act (HIPAA). The Department of Corrections (DOC) discovered the online security breach and suspended Forrester’s security clearance, effectively terminating her employment at the prison.
Forrester denied forwarding herself the emails, but did state that she had sent herself other work-related emails to retain as evidence of mistreatment. She later sued for violations of the Americans with Disabilities Act (ADA) for alleged discrimination based on her disability, diabetes.
The Court found neither evidence of disability discrimination, nor any “record evidence to support Forrester’s theory that the emails were deliberately planted [as a pretext for discrimination] in an effort to fire her.”
“As a result of this breach,” wrote the Court, “the [DOC] indefinitely suspended Forrester’s security clearance. Without a valid security clearance, Forrester could not work on Riker’s Island, and her employment was terminated.”
“The loss of [Forrester’s] security clearance is a legitimate, nondiscriminatory ground for Defendants’ decision to terminate her employment,” the Court concluded. Forrester v. Prison Health Servs. (2nd Cir. 2016) no. 15-1098-cv. See also: Forrester v. Prison Health Servs. (EDNY 2015) no. 12-CV-363 (NGG) (LB)
Reasonable Access & Disclosure Protected
A lawyer named Kamee Verdrager believed that the Boston law firm she worked for—Mintz, Levin, Cohn, Ferris, Glovsky & Popeo, PC (Mintz)—was discriminating against her due to her gender in violation of Massachusetts law. In need of evidence, Verdrager searched for and made copies of confidential work documents to share with her attorney.
Mintz learned what Verdrager had done and terminated her employment for violating the firm’s confidentiality policy, which stated that documents “shall not be removed from the office or used for any reason other than the delivery of services on behalf of the firm.”
In the ensuing gender discrimination lawsuit, Mintz denied Verdrager’s claims, arguing that it had fired her for accessing and sharing confidential information. Verdrager protested that accessing and providing the documents to her attorney was a protected activity under state law, and therefore was not a reason to fire her.
The Court held that “an employee’s accessing, copying, and forwarding of documents may, in certain limited circumstances, constitute protected activity, but only where her actions are reasonable in the totality of the circumstances [such as how the employee accessed and used the document, the employer’s data protection policy, and whether the access and disclosure furthered the purposes of the Massachusetts anti-discrimination laws].”
In short, the Court left open the possibility that Verdrager’s document-disclosing activities were legally protected. It will now be up to the trial court to apply these guidelines as the case unfolds. Verdrager v. Mintz, Levin, Cohn, Ferris, Glovsky & Popeo, PC, & others (MSJC 2016) no. SJC-11901
Employers cannot rely on the courts to keep their data secure from internal and external breaches. First, by the time the issue reaches a court, it’s usually too late—the breach has already occurred. Second, as these cases illustrate, the facts (as well as differences in state and federal law) can lead the courts to widely divergent and unpredictable results when personnel misuse sensitive confidential information.