Eric Snowden’s unauthorized disclosure of secret information while a member of the NSA workforce might seem like a situation far removed from the typical workplace. It isn’t. Employers can face similar situations – and potential liability – should an employee go “rogue” and disclose, not state secrets, but confidential third-party data stored by the employer, such as client medical or personally identifiable financial data, outside the course of the employee’s job duties to the employer.
The New York Court of Appeals has pending before it an appeal based on just such a situation. In John Doe v. Guthrie Clinic, Ltd., CTQ-2013-00002, the Court of Appeals faces the question whether, under New York common law, a medical corporation – the employer in the case – can be directly liable for breach of the fiduciary duty of confidentiality for the unauthorized disclosure of medical information even when the employee responsible for the breach is not a physician and acted outside the scope of her employment. This question was certified to the Court of Appeals by the U.S. Court of Appeals for the Second Circuit. See Doe v. Guthrie Clinic, No. 12–1045–cv
As the Second Circuit noted in its decision, “direct corporate liability generally rests on the doctrine of respondeat superior and is not implicated by the ultra vires acts of employees.” Generally speaking then, an employer would not be liable based on respondeat superior for the unauthorized disclosure of confidential third-party data by an employee acting outside the scope of his or her job duties. The New York Court of Appeals’ ruling in Guthrie Clinic will be important as it might change that traditional limitation and expand employer liability to reach unauthorized disclosures by employees acting outside the scope of their duties, at least under New York law and for disclosures of confidential medical information.
The briefs in the Guthrie Clinic appeal are due later this summer. This author intends to monitor developments in this appeal and to report those on this blog.