Many businesses have access to confidential information that, when stolen or misappropriated, can cause serious injuries to their clients or other third parties. Confidential information can be used to open credit cards, obtain loans or possibly access other databases that contain more sensitive information. In Adams v. Congress Auto Insurance Agency, Inc., a Massachusetts court found an employer can be held liable when its employee steals and publishes confidential information.

The case involved an insurance agency specializing in car insurance and its employee who was a customer service representative. One evening, the employee’s boyfriend was driving her car when he struck a vehicle and fled from the state police. The employee filed a claim for motor vehicle damages with Safety Insurance, one of the many insurance carriers her employer worked with, and which she had access to in her position. The employee accessed the database and obtained the personal contact information of the driver her boyfriend hit. She then passed the information on to her boyfriend. He called the driver and impersonated a state trooper and made threats in an effort to get the driver to drop the claim. The driver contacted the state police and learned his personal information was misappropriated by the insurance agency’s employee and later filed suit.

During the litigation, it was revealed the insurance agency was aware that while the customer service representative was in their employ, she and her boyfriend faced federal weapons charges arising from a motor vehicle stop in Iowa. The insurance agency asked its employee about the incident but did not conduct an independent investigation to obtain more details about the charges and whether the employee was being truthful regarding the extent of her criminal conduct.

The Appeals Court ruled a reasonable jury could have found the insurance agency breached its duty of care to the driver when it failed to investigate the employee’s fitness for access to the confidential information of others.

The Appeals Court reasoned that an employer who gives an employee access to sensitive information is analogous to a landlord who entrusts a handyman with keys to a tenant’s apartment. The employer can be held liable to third parties if “[the employer] becomes aware or should have become aware of problems with an employee that indicated [her] unfitness, and employer fails to take further action such as investigating, discharge or reassignment.” The scope of the employer’s duty to undertake prudent investigation into the fitness of an employee is “directly related to the severity of risk third parties are subjected to by [the] employee.”

Business owners should be aware of the heightened duty imposed upon them when it comes to securing confidential information because their business may be liable for injuries sustained by clients as well as third parties. Businesses should consider consulting legal counsel to discuss ways to mitigate risk such as employing a more rigorous hiring process or implementing reasonable safeguards in order to minimize access to confidential information.