My colleague Gary Starr returns today with a story worth reading about the need for employers to secure confidential information.  Although it is based on Massachusetts, the concepts it covers may have some carryover to employers elsewhere as well.

Employers that maintain records of their employees and customers and allow employees to have access to confidential information have long needed policies that not only secure the information, but also ensure that employees who have been granted access to such information are complying with the corporate policies and are trustworthy.

An insurance agency in Massachusetts thought it had done everything right, but was sued for negligence in its retention of an employee that it thought was trustworthy, but was not.

An employee used her computer to access confidential information that she then gave to her boyfriend about the identity of a witness to a car accident in which the boyfriend had been involved with her car.  The boyfriend used that information to contact and threaten the witness.  The witness reported the threat to the police and ultimately the boyfriend and the employee pleaded guilty to witness intimidation and conspiracy.  After the police visited the employer to obtain information about the threat, which was traced back to the employee, the employer fired the employee.

That, however, did not end the tale.

The witness then sued the employer for failing to safeguard personal information, and for negligent retention and negligent supervision.  While the trial court dismissed the case, the appellate court has determined that the facts alleged are sufficient to go to trial.

Where did the employer go wrong?  The company had adopted a data security plan and policy that prohibited employees from accessing or using personal information for personal purposes.  The computer software even required employees who wished to access the database with confidential information to agree to use the information for one of four limited purposes, all of which were business related.

Those were positive steps.

The problem arose because the unrestricted access did not stop the employee from reviewing information that had an impact on her personally.  The second failure had to do with an inadequate investigation of the employee’s background and simply taking the employee’s word about a weapons arrest that occurred during her employment in another state.

The employee told her boss that the arrest was a misunderstanding, that she was clearing it up, and subsequently said it was resolved.  The employer simply took her word for it.

What he would have discovered with a very simple inquiry was that there were serious issues with her honesty and fitness for accessing other people’s personal information.  The company could have learned that she was traveling with her boyfriend when they were stopped for speeding and that she was arrested for having two semi-automatic guns concealed in her purse; one had the serial numbers filed off and the other was stolen.  She also had a half-mask and police scanner.  After her arrest, she told the company that there had been a misunderstanding as the weapons belonged to her boyfriend, that she didn’t know anything about them and that she was exonerated.

Her story was not true, but her account itself should have raised questions about her having access to personal information.

The court said that the company had a duty to protect the confidential information and that it was foreseeable that the employee could access information and use it for personal gain.  The company had an obligation to investigate the employee’s continuing fitness after the arrest.  The court said that a jury could decide that the failure to take action under these circumstances was unreasonable as the company knew about the weapons charge and could have learned of her lies and her willingness to commit a crime with her boyfriend.  The company did not take sufficient steps to limit the risk of harm to those whose personal information its employees could access.

There are steps to take to avoid this problem.  Hiring an employee does not end the need to be vigilant about their fitness for the job.  When information comes to light that may raise questions about the actions of an employee, an employer cannot simply take his/her word for what occurred.  It must take affirmative steps to explore what the underlying issue is, analyze the employee’s story, and assess the risk the employee poses if access to confidential information is abused or if other employees and the public may be put at risk.