When it comes to the protection of personal information, not all personal information is treated equally. The United States’ sectoral approach in regulating privacy leads to different thresholds of protection for personal information depending on the context in which that information is obtained. While the Federal Trade Commission has been active in enforcing general privacy and security protections for consumer personal information under its Section 5 authority, a case brought by a former employee against Coca-Cola Co. illustrates how no similar generalized protection exists for safeguarding employee personal information.
In Enslin v. Coca-Cola Co. (E.D. Pa. March 31, 2017), the federal district court awarded summary judgment to Coca-Cola on an employee’s claim that Coca-Cola breached either an express or implied contract to safeguard its employees’ personal information. Significantly, the court recognized that employers do not have an implied duty to safeguard their employees’ personal information and that the company’s narrowly written Code of Conduct and other company policies did not expressly create one. Thus, Plaintiff’s claim failed.
Coca-Cola had discovered that one of its information technology employees had stolen older company laptops, some of which had been used by human resources employees and still contained employee information, including Social Security numbers and other sensitive information. The company notified the affected employees, including Plaintiff, and offered them free credit monitoring. Shortly thereafter, Plaintiff experienced fraudulent activity on some of his online retail accounts and sued Coca-Cola for breach of contract as a result of its alleged failure to safeguard his personal information.
While the court held that Coca-Cola’s Code of Conduct created a binding contract with its employees, it rejected the assertion that the obligations undertaken by the company included one to generally safeguard its employees’ personal information. The Code of Conduct stated that Coca-Cola “will safeguard the confidentiality of employee records by advising employees of all personnel files maintained on them, collecting only data related to the purpose for which the files were established and allowing those authorized to use a file to do so only for legitimate Company purposes.” The court explained that any obligation Coca-Cola had to safeguard its employees’ personal information was expressly limited to those three duties: 1) Advising employees of personnel files maintained by the company; 2) Collecting data only for employment purposes; and 3) Using the employee information for company purposes. Plaintiff did not allege that the theft of the laptops which contained his personal information violated any of these duties, and Coca-Cola did not have a more generalized duty to safeguard its employees’ personal information beyond those. Although the court acknowledged that in certain contexts such as banking and commerce, an obligation to use reasonable measures to safeguard a customer’s sensitive information could be implied, the court disagreed with the notion that “when an employee provides an employer with personal information, an implied contract arises that obligates the employer to use reasonable measures to safeguard that information.” Absent an express undertaking to safeguard its employees’ personal information, Coca-Cola did not owe its employees some overarching obligation to do so.
This case demonstrates the importance of understanding the privacy protections accorded to personal information depending on the circumstances under which it was obtained. It also highlights the potential significance of employee and company policies and handbooks in determining those protections in the employment context.