[BreachExchange] Coca-Cola Dodges Privacy Class Action

[Inga Goddijn]

http://www.jdsupra.com/legalnews/coca-cola-dodges-privacy-class-action-20927/

Coca-Cola won big last month when it secured summary judgment in a privacy
class action brought by a former bottling plant employee concerning
compromised personal information. Hon. Joseph Leeson of the Eastern
District of Pennsylvania found that Coca-Cola was not under any contractual
obligation to protect its employees’ personal information.

The issues arose when an ill-motived former IT employee disposed of old
Coca-Cola laptops that were still storing employee information, including
addresses, phone numbers and SSNs. The proposed class action was brought on
behalf of the 74,000 employees whose information was compromised.

The court rejected plaintiff’s arguments that a handful of company
policies, when woven together, impose a contractual duty on Coca-Cola to
safeguard information for the benefit of employees. Coca-Cola argued that
its detailed security policies create obligations to safeguard Company
information to support business operations, but not to shield employees
personally. The judge agreed, ruling the relevant policy provisions serve
to protect the company, not the employees.

Cited provisions came from Code of Conduct, the Protection Policy and the
Acceptable Use Policy, and read, in part: “Computer hardware, software, and
data must be safeguarded from damage, theft, fraudulent manipulation, and
unauthorized access to and disclosure of Company information.” Another
provision stated that “[w]e all have an obligation to safeguard Company
assets including exercising care in using Company equipment, vehicles, and
bringing to the attention of high management any waste, misuse,
destruction, or theft of Company property or illegal activity.”

It is also noteworthy that, despite not being contractually obligated to
protect employee information, Coca-Cola was responsible and proactive in
response to the incident. Coca-Cola informed employees of the lost laptops
and provided one year of free credit monitoring and fraud restoration
services. Ironically, plaintiff claimed that Coca-Cola should compensate
him for wages lost because of the time required to submit the necessary
information to obtain the protection services. The court explicitly
rejected this as well.

The case is *Enslin v. The Coca-Cola Co*., No. 2:14-cv-06476, in the U.S.
District Court for the Eastern District of Pennsylvania.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170413/eb067d85/attachment.html>