Posted on 07/23/2018 at 10:23 AM by John Lande
A recent decision from the United States Court of Appeals for the Third Circuit demonstrates how costly employee misconduct can be when that misconduct causes a cybersecurity incident. Enslin v. Coca-Cola Company started when Coca-Cola discovered in 2013 that an IT employee had been stealing old company laptops for years, and had given some of them away.
Coca-Cola discovered that some of the laptops belonged to human resources employees, so they contained sensitive employee information including names, addresses, and driver’s license numbers. Coca-Cola attempted to retrieve the missing HR laptops, but was unsuccessful.
Coca-Cola notified all current and former employees whose data were exposed. Shortly after learning about the breach, former employee Shane Enslin discovered several of his online accounts were hacked and used to make unauthorized purchases.
Enslin sued Coca-Cola under several theories, including that Coca-Cola breached its employment contract with him by allowing his data to be exposed. Enslin argued that by filling out his employment forms with Coca-Cola, the company entered into a binding contract to protect his data.
The district court disagreed, and ruled in favor of Coca-Cola. The district court concluded that Coca-Cola had not breached any commitment made to Enslin at the time he completed his employment paperwork. Since Coca-Cola did not breach any duties, Enslin did not have a claim.
The Third Circuit did not base its ruling on the same analysis as the district court. Instead, the Third Circuit focused on the fact that Enslin could not prove a direct link between the missing laptops and the unauthorized access to his online accounts. While there was temporal proximity between the loss of the laptops and the hacking of his accounts, there was no proof that fraudsters used the information obtained from the Coca-Cola laptops.
In essence, Coca-Cola benefited from an undeniable fact of modern life: almost everyone’s personal data, including Social Security numbers, is already available to fraudsters. Unless plaintiffs like Enslin can prove a direct link between a data breach and a loss, then, at least in the Third Circuit, they will have a hard time keeping their case alive. However, after breaches like the one involving Equifax, which compromised data of over 145 million people, it will likely be very difficult for plaintiffs to prove that fraudsters obtained their information from any particular breach.
Even though Coca-Cola ultimately won on the merits, the IT employee’s theft of old laptops cost the company at least five years of litigation costs. This is likely not a trivial sum, and highlights the need for employers to safeguard sensitive employee information. Coca-Cola should be asking itself several questions:
- Why was employee data stored on laptops that were returned to IT?
- Why were laptops not routinely wiped to remove proprietary and confidential information?
- Why was an employee in IT able to slip out of his department with old laptops without anyone noticing?
Coca-Cola knows how to keep information secure. After all, the company is famous for the security measures for its 125-year-old recipe. If Coca-Cola had been more careful about its employee data, it may have avoided over five years of court battles.
The material in this blog is not intended, nor should it be construed or relied upon, as legal advice. Please consult with an attorney if specific legal information is needed.
- John Lande