The $1 million-plus settlement in the Anne Marie Rasmusson case is a costly example of why employers need to make certain that their employees do not abuse their access to confidential information.  The facts of the case are fascinating and surprising.

Anne Marie Rasmusson, a former St. Paul police officer, filed a lawsuit against numerous Minnesota cities and police officers in March of 2012.  In the lawsuit, Ms. Rasmusson alleged that her driver’s license information was improperly accessed 425 times by 104 police officers between 2007 and 2011.  Ms. Rasmusson’s complaint asserted claims arising under 42 U.S.C. § 1983, the Driver’s Privacy Protection Act of 1994, as well as claims for invasion of privacy.

In her complaint, Ms. Rasmusson alleged that she retired as a police officer in 2003.  After Ms. Rasmusson divorced in 2007, she noticed that numerous police officers began taking an unusual interest in her and asking her for dates.  The officers appeared to know where Ms. Rasmusson lived and what kind of car she drove.  Because of these circumstances, Ms. Rasmusson contacted the Department of Public Safety and inquired whether any officers had accessed her private information.  She learned that over 100 police officers from at least 18 different departments had accessed her records over 400 times since 2007.  Upon learning this information, Ms. Rasmusson’s complaint alleges that she was “horrified” and that she “became physically ill” and “vomited.”

During discovery, many police officers who accessed Ms. Rasmusson’s data acknowledged that they did not have legitimate reasons to do so.  One supervisor admitted that he encouraged subordinate officers to look up Ms. Rasmusson’s data “because she was very attractive and so they could see that she’s changed and she’s got a new look.”

The overall theme of Ms. Rasmusson’s lawsuit was that the various police departments and officers involved allowed a culture to develop in which her private data was not protected and was routinely accessed for illegitimate reasons.

Recently, many of the parties involved in the lawsuit entered into large settlements with Ms. Rasmusson.  The City of St. Paul agreed to pay Ms. Rasmusson $385,000.  The City of Minneapolis agreed to pay her $392,000.  Various other cities agreed to pay her $280,000.  Overall, Ms. Rasmusson has already recovered settlements in excess of $1 million.  For more information about the case, click here.

Takeaways:  While most employers do not have employees who have access to driver’s license data, many employers have employees who have access to other private and confidential data – such as data protected under the Health Insurance Portability and Accountability Act (“HIPAA”), the Family and Educational Rights and Privacy Act (“FERPA”), or other records for which a reasonable expectation of privacy may exist.  The Anne Marie Rasmusson case is a somewhat unusual and extreme case, but it shows that employers who do not have strong policies and procedures in place to prevent employee abuse of confidential data may be subject to significant liability.