In Adams v. Congress Auto Insurance Agency, Inc., 32 Mass. L. Rptr. 372 (Oct. 8, 2014), the Massachusetts Superior Court ruled an insurance agency was not liable  for the actions of its employee, who allegedly obtained the plaintiff’s contact infor- mation from  the insurance agency’s database, and passed the information on to her boyfriend, the driver of a  motor vehicle who hit the plaintiff’s vehicle. The employee’s boyfriend then allegedly called the  plaintiff, impersonating a state police officer, and threat- ened him in an effort to get the  plaintiff to drop the insurance claim. The plaintiff claims these threats caused him significant  emotional distress. He sued the insurance agency for: (i) negli- gent safeguarding of confidential  personal information; (ii) negli- gent hiring, supervision, and retention; and, (iii) violation of  G.L. c. 93A.

The insurance agency moved to dismiss the plaintiff’s Complaint. The Court dismissed all of the  claims except for the negligent safe- guarding of confidential information claim. After discovery,  the plaintiff moved to amend the Complaint to re-assert the previously dismissed claims and added a  claim for violation of 18 U.S.C. §2724, which provides: “[a] person who knowingly obtains, dis- closes or uses personal information,  from a motor vehicle record, for a purpose not permitted under [18 U.S.C. §§ 2721, et seq.] shall  be liable to the individual to whom the information pertains.” The insurance agency opposed the  motion to amend the Com- plaint and moved for summary judgment on the negligent safe- guarding of  confidential information claim. The Court denied the plaintiff’s motion to amend and granted the  insurance agency’s summary judgment motion.

With respect to the plaintiff’s proposed negligent hiring, supervi- sion, and retention claim, the  Court held, the insurance agency’s knowledge that its employee was arrested for a federal weapons  charge during her employment without more does not support plaintiff’s claim that the employee was  unfit to handle sensitive, confidential information in her day-to-day  job  responsibilities. Nor  did it support the plaintiff’s claim that after the employee’s arrest, the insurance agency had a  duty to take additional steps to supervise or restrict the employee’s use and access to  confidential information. As the Court explained, “[t]he suggestion that ‘an employer can never hire a person with a criminal record or retain such a person as its employee at  the risk of being held liable for [the employee’s torts] flies in the face of the premise that  society must make a reasonable effort to rehabilitate those who have gone astray.’”

With respect to the plaintiff’s proposed G.L. c. 93A claim, the Court held, the plaintiff’s  allegation that the insurance agency “fail [ed] to meet the Commonwealth’s standards regarding the  protec- tion of confidential personal information” sets forth nothing more than a negligence claim  and “does not allege how, if at all, Chap- ter 93A or any regulation applies,” and fails to allege  how the insurance agency breached any specific “standard[] regarding the protection of confidential  personal information applicable in the Commonwealth”. Accordingly, the Court found the proposed  G.L. c. 93A claim futile.

The Court also held the plaintiff’s proposed  18  U.S.C.  §2724 claim was futile because no  plausible set of facts could establish the insurance agency was vicariously liable for its  employee’s criminal misconduct. In other words, the plaintiff could not estab- lish that the  insurance agency’s employee was acting within the scope of her employment when she  unlawfully   obtained,  used, and disseminated the plaintiff’s  information  to  her  boyfriend  for the  unlawful purpose of threatening the plaintiff to drop the insur- ance claim against him.

Finally, the Court held the insurance agency was entitled to sum- mary judgment on the plaintiff’s  negligent safeguarding of confi- dential information claim on at least two independent grounds.  First, whether the insurance agency acted negligently in failing to protect the plaintiff’s  confidential information required expert testi- mony to explain to the jury what the standard of  care was in the industry at the time, and whether the insurance agency breached that standard of  care, as the “[p]ractices and policies for maintain- ing, and governing access to, confidential  information in the insur- ance business are not matters of common knowledge or experi- ence.” 

The plaintiff failed to offer any expert testimony on this subject matter. Second, as a matter of law, the intervening criminal acts of the insurance agency’s  employee and her boyfriend severed any causal nexus between any alleged negligence on the part of  the insurance agency and the plaintiff’s injury.

The Court’s decision reinforces the public policy against holding a company liable for an  employee’s unlawful conduct based solely on the fact the employee has a criminal record. It also  serves as an important reminder to companies that they, at least annually, should review their  practices and policies for maintaining, and governing access to, confidential information to ensure  that these practices and policies comport with federal and state laws, stat- utes, and regulations,  as well as those set forth in the industry or profession. In the event of an inadvertent or intentional data breach, these practices and polices will be scrutinized by a plain- tiff’s expert.