With all the uproar about Facebook’s use of our data and businesses bracing to deal with the EU’s GDPR, it is easy to forget there is no general obligation to protect your personal information. The Third Circuit Court of Appeals’ decision last week in Enslin v. Coca-Cola, et al. is the latest reminder of that fact.
Shane Enslin is a former employee of Coca-Cola. As part of his employment, he submitted, as we all do, personal information including his social security number. Coca-Cola discovered that one of its IT staffers was stealing company laptops and taking them home for his own use or giving them to others. Among the devices stolen were machines used by human resources employees that contained sensitive personal information, like Enslin’s social security number. After the devices were stolen, Enslin was the victim of identity theft.
Enslin sued Coca-Cola, arguing that the company was responsible for the identity theft because it failed to protect his personal information. The trial court rejected this argument, noting:
In some contexts, such as banking and commerce, it may readily be seen that an obligation on the part of the bank or merchant to use reasonable measures to safeguard a customer’s sensitive information is part of the bargain…. But the same cannot be said when an employee provides personal information to an employer as part of the hiring process.
Enslin appealed the trial court’s decision. In its recent opinion, the Third Circuit affirmed the trial court’s decision, but on different grounds. The Third Circuit focused on Enslin’s lack of proof connecting Coca-Cola’s data breach to the data theft he sustained. Because that resolved the case, the Third Circuit declined to rule on whether Coca-Cola had to protect Enslin’s information.
So what do you think? Do you expect your bank and Amazon to protect your personal information? But not your employer? That seems like a false distinction. You have less freedom to decide whether to disclose sensitive information to your employer than you do to an online retailer. Hopefully this gap will be closed by changes to our data protection laws.
But until that happens, employers should still be careful with employees’ personal information. Data breaches are still expensive for employers even if they are not being held liable for any subsequent identity theft. Indeed, in this case Coca-Cola spent thousands of dollars trying to recover the stolen laptops and complying with the data breach notification requirements imposed by state law.