What You Need to Know
The failure of government employees to know what data must be kept private and to actually keep that data private can be costly as reflected by a recent $68 million verdict against a county government.
The case is a reminder that local and state governments are responsible for ensuring that their employees verify with legal counsel or a privacy officer whether certain data can be made public. The decision sends a message to counties and other governments to make sure sensitive data is handled properly.
As we shared earlier in the year, the Pennsylvania Supreme Court established in late 2018, in Dittman v. UPMC, that employers must exercise reasonable care to safeguard employee’s sensitive information. In May 2019, a Pennsylvania federal court decision, Taha v. Bucks County, highlighted the severe consequences of a county not keeping certain information private in accordance with statutory requirements.
Two employees of Bucks County, Pennsylvania created a database of criminal records for online publication, including records where no conviction resulted. By including the information of individuals without convictions in their publicly available and searchable database, they relied on their own interpretation of state’s Criminal History Records Information Act. They also did not verify whether the information of non-convicted individuals was protected under the Act and unfortunately that information was protected. The court granted summary judgment against the county, finding that the information released in the database breached the data privacy of nearly 68,000 people. The jury awarded $1,000 in damages to each person.
The court reasoned that the employees negligently and recklessly disregarded the privacy interests of thousands of people by failing to verify appropriate information to include in the online database. The court disagreed with the county’s argument that the county employees simply did not know the law, emphasizing that ignorance is not a defense to a disclosure in violation of the act.
Lessons Learned and Best Practices
The Pennsylvania case is another reminder to companies to:
- Know your data: Know what sensitive data you have that should be kept confidential. The laws are in a constant state of change regarding what is considered “personal information.”
- Have procedures: Update, or implement, information security policies and procedures for what data is considered sensitive, where it is stored, and how it must be protected.
- Train personnel regularly: New employees should be trained on data security and privacy, and existing personnel need reminders.
- Know who to call: Personnel handling sensitive data need to know who to call with questions on privacy and security, including if there is a data breach incident. The prime contact persons should be the privacy officer and the county’s legal counsel.
- Consider insurance: Government entities should consider buying insurance coverage for cyber-related risks.
Members of Barnes & Thornburg’s Data Security and Privacy group provide a wide range of services to help clients evaluate their data privacy needs, reduce security and privacy risks, and guide clients in the event of a data breach. Our team also reviews and provides guidance on cyber insurance policies and coverage for data privacy and cybersecurity risks.
For more information, contact the Barnes & Thornburg attorney with whom you work or Jason Bernstein at 404-264-4040 or email@example.com; Todd Vare at 317-231-7735 or firstname.lastname@example.org; or Brian McGinnis at 317-231-6437 or email@example.com.
© 2019 Barnes & Thornburg LLP. All Rights Reserved. This page, and all information on it, is proprietary and the property of Barnes & Thornburg LLP. It may not be reproduced, in any form, without the express written consent of Barnes & Thornburg LLP.
This Barnes & Thornburg LLP publication should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own lawyer on any specific legal questions you may have concerning your situation.