Can a public employer be held liable for negligence because the employer accidentally disclosed the names, addresses, telephone numbers, marital status, and Social Security numbers of 1,750 former employees? An Illinois appellate court does not think so in what may be the first published decision to hold there exists no common-law negligence claim against an employer for disclosure of such personal information.[1] However, California courts may entertain other legal theories of liability.
The Chicago public schools, governed by the Board of Education of the City of Chicago, retained a printing company to print, package, and mail a COBRA open enrollment list to 1,750 former employees to inform them that, as COBRA participants, they could change their insured benefit plans. The package, however, ended up containing the names of all 1,750 former employees, as well as each of their addresses, Social Security numbers, marital status, medical and dental insurers, and health insurance plan information. When the board learned of the disclosure, it sent a letter to the former employees asking them to return the COBRA list or destroy it, and offered them one year of free credit protection insurance.
The former employees filed individual and class action lawsuits alleging various state and federal causes of action including: (1) violation of the common-law right to privacy; (2) negligent infliction of emotional distress; (3) negligence; (4) breach of fiduciary duty; and (5) violation of their federal constitutional rights. The trial court granted, and the Illinois appellate court affirmed, the dismissal of plaintiffs' claims against both the board and the printing company.
The essential elements of common-law causes of action for negligence and negligent infliction of emotional distress are: the plaintiff must establish that the defendant owed a duty to the plaintiff; the defendant breached that duty; the plaintiff was damaged; and the damage was proximately caused by the defendant's breach. In some cases, a violation of a law or statute designed to protect human life and property may be used by a plaintiff to prove the essential elements of a negligence cause of action.
The court in this case examined the Health Insurance Portability and Accountability Act.[2] HIPAA is a series of statutes that restrict dissemination of individually identifiable personal information of patients. Covered entities include insurers, medical providers, and in some instances, employers administering their own health plans. There is, however, no private cause of action for violation of HIPAA, meaning an employee cannot file a suit seeking private damages.
In this case, however, the plaintiffs argued that the board violated HIPAA and, therefore, breached a duty owed to plaintiffs for purposes of their negligence cause of action. The court disagreed, finding that HIPAA excludes from its protections "employment records held by a covered entity in its role as employer."[3] The court held that names, address, telephone numbers, Social Security numbers, and so forth held (and disclosed) by the board were not within the protection of HIPAA. The court further declined to recognize a new common-law duty of the board to safeguard the plaintiffs' personal information simply by virtue of the information's sensitive nature. For similar reasons, the court rejected a cause of action for breach of fiduciary duty.
The court next examined plaintiffs' constitutional claims. To establish a public entity's liability for violation of a right guaranteed by the U.S. Constitution, the plaintiffs had to allege that they were deprived of a constitutionally protected right and that deprivation was caused by a municipal policy, custom, or practice. The court, with scant analysis, held that plaintiffs could not sustain a cause of action for violation of a right under the U.S. Constitution based on a violation of HIPAA.
The court also addressed the plaintiffs' cause of action for invasion of privacy based on a theory of intrusion. The theory requires a showing of unauthorized intrusion into seclusion that is highly offensive to a reasonable person on a private matter, and which causes anguish and suffering to the plaintiff. The court declined to find a cause of action here because there was a lack of authority defining Social Security numbers as "private," and because things such as names and date of birth are generally matters of public record.
What is more curious are those claims the court did not address, including the plaintiffs' cause of action for violation of their Fourth Amendment rights (which the plaintiffs apparently abandoned) and their claim for violation of the Illinois constitutional right to privacy, which was dismissed by the trial court but not appealed by the plaintiffs.
What does this mean to California public employers? First, California Government Code Sec. 815.6 provides that, if a public entity is under a mandatory duty imposed by statute or regulation designed to protect against the risk of a particular kind of injury, the public entity is liable for an injury caused by its failure to discharge the duty unless it is shown it exercised reasonable diligence. If a plaintiff can establish that his or her current or former employer has a statutory duty not to disclose his or her name, address, telephone number, date of birth, or even Social Security number, there may be a negligence cause of action for a public employer unless it is shown the employer exercised reasonable diligence. HIPAA is probably not that statute, as the Illinois court decided in this case. However, there may be other California or federal statutes that could be interpreted as imposing that duty.
Second, a California Court of Appeal recently held that names, addresses, and telephone numbers of employees held by an employer are protected by the California constitutional right to privacy because this necessarily threatens the sanctity of the home and right to be free of intrusion. That decision is now up on appeal to the California Supreme Court, and cannot be relied on at this time.[4] Nonetheless, there are also other California decisions that contemplate a state right to privacy in personally identifiable information.[5]
It may be unlikely a negligence cause of action will be sustained against a public employer who discloses personal information about an employee. However, as the digital age advances and brings with it a flurry of identity theft, legal theories will rapidly evolve seeking to impose liability on employers who intentionally or inadvertently release personal information of current or former employees that may expose the employee to harm.
For this reason, California public employers should be wary of, and protect against, inadvertent disclosure of personal information of current and former employees to avoid being the defendant in the next lawsuit that tests the bounds of these developing legal theories.
Frances Rogers is an associate with Liebert Cassidy Whitmore in the firm's San Diego office, providing representation and legal counsel to clients in all matters pertaining to labor, employment, and education law. Rogers is also a contributor to the firm's California Public Agency Labor & Employment Blog.
[1] Cooney v. Chicago Public Schools (2010) 407 Ill.App.3d 358, 943 N.E.2d 23.
[2] 42 USC Sec. 1320d-6.
[3] Cooney v. Chicago Public Schools (2010) supra, at 361, citing 45 CFR Sec. 160.103.
[4] County of Los Angeles v. Los Angeles County Employee Relations Commission (2011) 192 Cal.App.4th 1409, cert. granted Jun. 15, 2011.
[5] See Hill v. National Collegiate Athletic Assn. (1994) 7 Cal.4th 1, 26 Cal.Rptr.2d 834, 106 CPER 61; Pioneer Electronics (USA), Inc. v. Superior Court (2007) 40 Cal.4th 360, 53 Cal.Rptr.3d 513; Planned Parenthood Golden Gate v. Superior Court (2000) 83 Cal.App.4th 347, 99 Cal.Rptr.2d 627.
Reproduced with permission from CPER No. 203 (September 2011). Copyright by the Regents, University of California. The California Public Employee Relations Program (CPER) provides nonpartisan information to those involved in employer-employee relations in the public sector. For more information, visit http://cper.berkeley.edu