In Adams v. Congress Auto Insurance Agency, Inc., 32 Mass. L. Rptr. 372 (Oct. 8, 2014), the Massachusetts Superior Court ruled an insurance agency was not liable for the actions of its employee, who allegedly obtained the plaintiff’s contact infor- mation from the insurance agency’s database, and passed the information on to her boyfriend, the driver of a motor vehicle who hit the plaintiff’s vehicle. The employee’s boyfriend then allegedly called the plaintiff, impersonating a state police officer, and threat- ened him in an effort to get the plaintiff to drop the insurance claim. The plaintiff claims these threats caused him significant emotional distress. He sued the insurance agency for: (i) negli- gent safeguarding of confidential personal information; (ii) negli- gent hiring, supervision, and retention; and, (iii) violation of G.L. c. 93A.
The insurance agency moved to dismiss the plaintiff’s Complaint. The Court dismissed all of the claims except for the negligent safe- guarding of confidential information claim. After discovery, the plaintiff moved to amend the Complaint to re-assert the previously dismissed claims and added a claim for violation of 18 U.S.C. §2724, which provides: “[a] person who knowingly obtains, dis- closes or uses personal information, from a motor vehicle record, for a purpose not permitted under [18 U.S.C. §§ 2721, et seq.] shall be liable to the individual to whom the information pertains.” The insurance agency opposed the motion to amend the Com- plaint and moved for summary judgment on the negligent safe- guarding of confidential information claim. The Court denied the plaintiff’s motion to amend and granted the insurance agency’s summary judgment motion.
With respect to the plaintiff’s proposed negligent hiring, supervi- sion, and retention claim, the Court held, the insurance agency’s knowledge that its employee was arrested for a federal weapons charge during her employment without more does not support plaintiff’s claim that the employee was unfit to handle sensitive, confidential information in her day-to-day job responsibilities. Nor did it support the plaintiff’s claim that after the employee’s arrest, the insurance agency had a duty to take additional steps to supervise or restrict the employee’s use and access to confidential information. As the Court explained, “[t]he suggestion that ‘an employer can never hire a person with a criminal record or retain such a person as its employee at the risk of being held liable for [the employee’s torts] flies in the face of the premise that society must make a reasonable effort to rehabilitate those who have gone astray.’”
With respect to the plaintiff’s proposed G.L. c. 93A claim, the Court held, the plaintiff’s allegation that the insurance agency “fail [ed] to meet the Commonwealth’s standards regarding the protec- tion of confidential personal information” sets forth nothing more than a negligence claim and “does not allege how, if at all, Chap- ter 93A or any regulation applies,” and fails to allege how the insurance agency breached any specific “standard regarding the protection of confidential personal information applicable in the Commonwealth”. Accordingly, the Court found the proposed G.L. c. 93A claim futile.
The Court also held the plaintiff’s proposed 18 U.S.C. §2724 claim was futile because no plausible set of facts could establish the insurance agency was vicariously liable for its employee’s criminal misconduct. In other words, the plaintiff could not estab- lish that the insurance agency’s employee was acting within the scope of her employment when she unlawfully obtained, used, and disseminated the plaintiff’s information to her boyfriend for the unlawful purpose of threatening the plaintiff to drop the insur- ance claim against him.
Finally, the Court held the insurance agency was entitled to sum- mary judgment on the plaintiff’s negligent safeguarding of confi- dential information claim on at least two independent grounds. First, whether the insurance agency acted negligently in failing to protect the plaintiff’s confidential information required expert testi- mony to explain to the jury what the standard of care was in the industry at the time, and whether the insurance agency breached that standard of care, as the “[p]ractices and policies for maintain- ing, and governing access to, confidential information in the insur- ance business are not matters of common knowledge or experi- ence.”
The plaintiff failed to offer any expert testimony on this subject matter. Second, as a matter of law, the intervening criminal acts of the insurance agency’s employee and her boyfriend severed any causal nexus between any alleged negligence on the part of the insurance agency and the plaintiff’s injury.
The Court’s decision reinforces the public policy against holding a company liable for an employee’s unlawful conduct based solely on the fact the employee has a criminal record. It also serves as an important reminder to companies that they, at least annually, should review their practices and policies for maintaining, and governing access to, confidential information to ensure that these practices and policies comport with federal and state laws, stat- utes, and regulations, as well as those set forth in the industry or profession. In the event of an inadvertent or intentional data breach, these practices and polices will be scrutinized by a plain- tiff’s expert.