Many of the highest-profile data breaches to make headlines involve external breaches of a company’s electronic systems. But these headlines obscure the reality that internal data breaches are generally more prevalent and represent a primary source of concern for data security managers.

The legal liability of employers for data breaches by their employees is generally an underdeveloped area of the law. But a case currently pending before the Massachusetts Appeals Court will help determine the scope of this liability in Massachusetts.

In the Superior Court case, Adams v. Congress Auto Insurance Agency, Inc., No. MICV2013-01322-D (Mass. Super. Ct.), plaintiff Mark Adams sued Congress Auto Insurance Agency Inc. over the alleged actions of Congress’ employee, Elizabeth Burgos. The rather incredible fact-pattern began when Burgos’ boyfriend, Daniel Thomas, was driving Burgos’ vehicle and struck a vehicle operated by Adams. Thomas fled the scene but Burgos’ abandoned vehicle was found shortly thereafter. Adams first contacted the police and told them he could identify the perpetrator. Adams then filed a claim from the collision with Burgos’ insurance company, Safety Insurance.

As the police search for Thomas began, Burgos allegedly used her employer’s access to Safety’s electronic database platform to obtain Adams’ private information. She then passed this information on to Thomas, who made intimidating phone calls to Adams in an attempt to dissuade him from cooperating with the police in the search for Thomas. When Thomas was eventually apprehended, police suspected that Burgos had been the one who passed Adams’ contact information to Thomas. Adams sued Congress for alleged emotional harm stemming from the intimidating phone calls by claiming Congress negligently permitted Burgos to access and misappropriate his private information.

The Superior Court granted summary judgment for Congress on a few different bases. See Adams v. Congress Auto Insurance Agency, Inc., No. MICV2013-01322-D 2013, 2014 Mass. Super. LEXIS 159 (Mass. Super. Ct. Oct. 8, 2014). Most relevant for purposes of this blog, the court first held a plaintiff must present expert testimony regarding the existence of a standard of care, what that standard is, and whether defendant deviated too much from that standard when claiming an insurance company negligently failed to safeguard confidential information. Because this was an issue of first impression for the court, the court analogized an insurance company’s responsibility for private information to an insurance company’s contractual responsibility to defend a client. In both situations the standard of care involves policies and procedures unavailable to the common knowledge of a lay jury. Thus, the court concluded, in both cases a plaintiff must present expert testimony in order for a jury to reasonably define the standard of care and the existence of any breach. Because Adams failed to present any expert testimony, the court granted summary judgment to Congress.

The court also granted summary judgment on the issue of proximate cause. The court began its analysis of the issue by reciting the legal standard for finding an intervening cause: “[a] third party’s criminal conduct will sever a chain of causation between any alleged negligence and a plaintiff’s injury.” According to the court, Burgos’ alleged theft of personal information from a secure database and Thomas’ subsequent misuse of that data were both criminal acts that severed the chain of causation between Congress’ alleged negligence and the harm to Adams.

These issues are currently being briefed for the Massachusetts Appeals Court with an oral argument likely to follow sometime later this year. Stay tuned to this blog for relevant updates on the progress of this meaningful case.

Thanks to Mintz summer associate Joshua Browning for assistance with this article.