[BreachExchange] Employee Causes Five Years of Data Breach Litigation
Destry Winant
destry at riskbasedsecurity.com
Tue Jul 24 22:44:07 EDT 2018
https://www.jdsupra.com/legalnews/employee-causes-five-years-of-data-57752/
A recent decision from the United States Court of Appeals for the Third
Circuit demonstrates how costly employee misconduct can be when that
misconduct causes a cybersecurity incident. Enslin v. Coca-Cola
Company started when Coca-Cola discovered in 2013 an IT employee had
been stealing old company laptops for years, and had given some of
them away.
Coca-Cola discovered that some of the laptops belonged to human
resources employees, so they contained sensitive employee information
including names, addresses, and driver’s license numbers. Coca-Cola
attempted to retrieve the missing HR laptops, but was unsuccessful.
Coca-Cola notified all current and former employees whose data were
exposed. Shortly after learning about the breach, former employee
Shane Enslin discovered several of his online accounts were hacked and
used to make unauthorized purchases.
Enslin sued Coca-Cola under several theories including that Coca-Cola
breached its employment contract with him by allowing his data to be
exposed. Enslin argued that by filling out his employment forms with
Coca-Cola the company entered into a binding contract to protect his
data.
The district court disagreed, and ruled in favor of Coca-Cola. The
district court concluded that Coca-Cola had not breached any
commitment made to Enslin at the time he completed his employment
paperwork. Since Coca-Cola did not breach any duties, Enslin did not
have a claim.
The Third Circuit did not base its ruling on the same analysis as the
district court. Instead, the Third Circuit focused on the fact that
Enslin could not prove a direct link between the missing laptops and
the unauthorized access to his online accounts. While there was
temporal proximity between the loss of the laptops and the hacking of
his accounts, there was no proof that fraudsters used the information
obtained on laptops from Coca-Cola.
In essence, Coca-Cola benefited from an undeniable fact of modern
life: almost everyone’s personal data, including Social Security
numbers, is already available to fraudsters. Unless plaintiffs like
Enslin can prove a direct link between a data breach and a loss,
at least in the Third Circuit, they will have a hard time keeping
their case alive. However, after breaches like the one involving
Equifax, which compromised data of over 145 million people, it will
likely be very difficult for plaintiffs to prove that fraudsters
obtained their information from any particular breach.
Even though Coca-Cola ultimately won on the merits, the IT employee’s
theft of old laptops cost the company at least five years of
litigation costs. This is likely not a trivial sum, and highlights the
need for employers to safeguard sensitive employee information.
Coca-Cola should be asking itself several questions:
- Why was employee data stored on laptops that were returned to IT?
- Why were laptops not routinely wiped to remove proprietary and
  confidential information?
- Why was an employee in IT able to slip out of his department with old
  laptops without anyone noticing?
Coca-Cola knows how to keep information secure. After all, the company
is famous for the security measures for its 125-year-old recipe. If
Coca-Cola had been more careful about its employee data, it may have
avoided over five years of court battles.