On December 21, 2016, the Appeals Court reversed a Superior Court decision in favor of Congress Auto Insurance Agency, Inc. (Congress or Congress Agency) in the case of Mark Adams v. Congress Auto Insurance Agency. The Congress decision is an important one in that it extends the potential liability of all insurance agencies dealing with personal information relating to not only insureds, but in this case, to a property damage claimant.
Lawsuit for personal injury arising out of witness intimidation
The decision from the Appeals Court resulted from an insurance agency’s employee improperly using confidential information accessed through her agency computer. The employee gave the confidential information, relating to a property damage claimant’s name and cell phone number, to her boyfriend. Her boyfriend then used that information in order to locate and intimidate a witness against him in a hit-and-run accident, a Mr. Mark Adams (Mr. Adams). As a result of the intimidation and the ensuing mental and physical distress, Mr. Adams brought a Superior Court action for damages against the agency employer, the Congress Insurance Agency.
Eventually after a trial on the matter, a Superior Court judge dismissed Mr. Adams claims and Mr. Adams appealed.
In reversing the Superior Court’s decision, the Appeals Court found that a jury could find Congress liable for damages allegedly suffered by Mr. Adams, which arise out of the agency’s employee accessing and improperly sharing confidential information from one of the agency’s insurance carrier’s computer systems.
Facts found regarding employee use of agency’s data access to intimidate witness.
For a detailed history of the underlying facts and the subsequent Division of Insurance proceedings, see Agency Checklists articles of December 22, 2014, “Agency’s Loyalty To Employee Results In Lawsuit.” and January 26, 2016, “MA Resident Producer Loses License For Conspiracy To Intimidate Witness”
The following facts were those the Appeals Court recounted in the Congress decision:
Congress hired Elizabeth Burgos in August, 2003, as a customer service representative, ultimately promoting her to customer service manager in 2010. Ms. Burgos, through her work computer, had access to the data systems of Safety Insurance Company (Safety), and, through Safety’s internet portal, to records maintained by the Registry of Motor Vehicles (RMV). Safety also insures Ms. Burgos’s vehicle.
In 2010, the Congress Agency, by its president and owner, Gordon Owades, drafted a data security plan for ensuring the protection of personal information of the residents of the Commonwealth. Mr. Owades trained all agents, including Ms. Burgos, on the data security policies. One of those company policies was the prohibition of employees from accessing or using a driver’s personal information, obtained in the course of the employee’s work, for personal purposes.
To further emphasize the rule, each time a Congress Agency employee wished to access the RMV database through the Safety portal, Safety required the agent to affirmatively agree to use the information obtained for one of four limited purposes: Claims investigation activities, anti-fraud activities, rating, and underwriting.
On July 13, 2012, Ms. Burgos’s boyfriend, Daniel Thomas, engaged in a high-speed flight from police while driving Ms. Burgos’s Mercedes automobile. At that time, Mr. Thomas was on supervised release for a Federal firearm violation, and was driving without a valid license. During his flight, Thomas struck a vehicle operated by the plaintiff, Mark Adams. Mr. Thomas abandoned the Mercedes and fled.
On July 24, 2012, Mr. Adams, who had filed a claim against Ms. Burgos’s automobile policy, gave a statement to a Safety claims adjuster investigating the accident. He informed the adjuster that he could identify the driver of the Mercedes and provided his contact information, including his cell phone number and home address.
Meanwhile, Ms. Burgos reported her vehicle stolen to the police, and subsequently filed her own insurance claim for the loss with Safety. Ms. Burgos then proceeded to use her access to confidential data through the agency, obtained information about her own claim, in order to learn Mr. Adams’s identity and contact information as the individual who had filed a claim against her Safety insurance policy. The next day, Mr. Adams received a threatening telephone call from Mr. Thomas. Mr. Adams immediately reported the threat to the authorities.
The Massachusetts State police visited the agency’s office on August 28, 2012; Ms. Burgos refused to speak with them. The Congress Agency continued to provide Ms. Burgos access to the Safety databases and to the RMV records. On December 13, 2012, Mr. Owades terminated Ms. Burgos for “her serious misuse of access to confidential information.”
On January 9, 2013, in the Charlestown Municipal Court, Ms. Burgos and Mr. Thomas both admitted to sufficient facts and pleaded guilty to witness intimidation and conspiracy in connection with the threat made to Mr. Adams. In particular, Ms. Burgos admitted that she had used her position at the agency to obtain Mr. Adams’s date of birth, address, and cell phone number.
During the course of Mr. Adams’ Superior Court suit, additional information emerged about an earlier incident, in which Ms. Burgos again had engaged in criminal behavior with, or to protect, her boyfriend. Specifically, on June 19, 2010, while Mr. Thomas and Ms. Burgos were driving cross country, the Iowa State police stopped the vehicle for speeding. In the vehicle the police discovered two loaded semi-automatic firearms concealed in Ms. Burgos’s purse, ammunition, a receipt for the purchase of additional ammunition in Ms. Burgos’s day book, a half-face mask, and a police scanner. One handgun was stolen; the other had its serial number defaced. Mr. Thomas claimed he knew nothing about the weapons and ammunition while Ms. Burgos admitted to the police that they were hers. Ms. Burgos and Mr. Thomas were arrested and eventually indicted for possession of a firearm with an obliterated serial number.
After Ms. Burgos was released on bail, she returned to Massachusetts and continued to work at the Congress Agency. On October 21, 2010, the United States Marshals Service arrested Ms. Burgos at the agency’s office. The office manager notified Mr. Owades of Ms. Burgos’s arrest. Upon her return to work four days later, Ms. Burgos explained to Mr. Owades that there was “a misunderstanding as to who was in possession of the firearm at the time of the incident in Iowa;” the gun belonged to her boyfriend; she did not know it was present in the vehicle prior to its discovery by the police; its presence was frankly a “shock” to her; “ultimately, she would be exonerated”; and “[the misunderstanding] was not going to affect her ability to work.”
Ms. Burgos also informed Mr. Owades that Mr. Thomas went to jail. Mr. Owades conducted no independent investigation into the circumstances of her arrest because he “did not at the time think it was germane to her employment.”
Ms. Burgos subsequently told Mr. Owades that she had some legal “arrangement” with the authorities that would last a year. At the end of that time period, Ms. Burgos informed Mr. Owades that the matter has been resolved. In fact, following her completion of the diversion program, the United States Attorney dismissed the indictment on May 24, 2012. Approximately seven weeks later, Mr. Thomas struck Mr. Adams’s vehicle.
Appeals Court decision extends liability of insurance agencies
The Appeals Court decision extends the liability of insurance agencies. Congress had argued successfully in Superior Court that the agency had no liability because, among other arguments:
- There was an intervening criminal act by the employee and her boyfriend in using the information accessed to threaten Mr. Adams.
- The information accessed did not fall within any of the statutory definitions of “personal information” but only related to Mr. Adams’s cell phone.
The Superior Court had ruled in favor of Congress. The Appeals Court however found that a reasonable jury could find that the actions of Congress under the circumstances could result in a finding of negligence.
Insurance agency has liability to “a large but clearly defined class of third parties”
In seeking to uphold the Superior Court decision in its favor, Congress argued that there was no sufficient connection between Congress and Mr. Adams. Congress noted that Mr. Adams did not dispute that he was never a customer of Congress, never a consumer of Congress, and never had any communication with Congress. Therefore, Congress argued it owed Mr. Adams no legal duty because of Ms. Burgos’ misuse of the information she obtained through Congress’ link to Safety Insurance’s claim information.
The Appeals Court disagreed and found:
In the circumstances of this case, we conclude that the agency had a legal duty to Mr. Adams, a member of a large but clearly defined class of third parties, to prevent its employee’s foreseeable misuse of the information that Mr. Adams provided to process his automobile insurance claim.”
Court extends “personal information” protection beyond the statutory definitions
Insurance agencies, along with all other businesses in the Commonwealth, have statutory and regulatory duties to adequately safeguard the personal information of all Massachusetts residents. Congress acknowledged its duty to protect personal information, but argued to the Appeals Court, that in Mr. Adams case, it had no liability because no “personal information,” as defined by statute and regulations, had been accessed.
What Ms. Burgos had accessed through Congress was Mr. Adams’s name and cell phone number as they appeared on Safety Insurances claim documents.
Congress submitted to the Appeals Court that Mr. Adams’s telephone number did not qualify as “personal information” since by statute, the term “personal information” means “a resident’s first name and last name or first initial and last name in combination with [either a] … (a) Social Security number; (b) driver’s license number…; or (c) financial account number, or credit or debit card number….”
Congress argued that the Appeals Court should not extend the duty to protect personal information beyond the statutory definition because “To impute to Congress a duty that ran to every person in Massachusetts, even those who had absolutely no relationship with Congress, would be to render the applicable regulations meaningless.” (Emphasis in original).
In rejecting this argument, however, the Appeals Court made the following points:
- “Here, the access to confidential personal information of the citizens of the Commonwealth and others inherent in Ms. Burgos’s employment heightened the potential risk that she [posed] to third parties,”
- “Just as those with the physical keys to the homes of others have a duty of reasonable care to preserve their security, companies whose employees have access to the confidential data of others have a duty to take reasonable measures to protect against misuse of that data.”
The Congress decision substantially expands the liability of insurance agencies
The Appeals Court ruling on Congress’ appeal will substantially expand the potential liability of insurance agencies in allowing their employees to access confidential information relating to other insureds, claimants, or any other third persons found in insurance-related databases.
In Congress’ case, the Appeals Court did lay out its reasoning as to the basis for finding that Congress might have liability to Mr. Adams. Two of the grounds listed by the Court were:
- “…if the Congress Agency had investigated, it could have discovered facts that called into question Ms. Burgos’ honesty and fitness for access to other people’s personal information.”
- “An investigation by the agency could have revealed that Ms. Burgos was not forthright with [its owner], that at a minimum she had been involved with illegal firearms, and that she either concealed her own involvement or lied at her own peril to protect her boyfriend.”
Agency takeaways if the Congress case is not further appealed
Congress filed on January 10, 2017, an application for further appellate review with the Supreme Judicial Court. If the Supreme Judicial Court declines to accept the application, the holding in the Congress case will be the law.
In any event insurance agencies may wish to review how they allow access to confidential data acquired or available to their employees in the ordinary course of business.
The fundamental takeaway in the Congress case is that insurance agencies have to not only put in place adequate data protection rules, but they must monitor those employees that have access to the data, in order to determine their continual suitability to have access.
The Congress Agency operations seemingly provided all the proper rules for data protection. The record in the case showed:
- Congress had a strict written policy prohibiting its agents from accessing or using information they obtained in the course of their work for personal or other inappropriate purposes.
- Congress required each employee to attend a training session on these policies, and to certify, in writing, their attendance and their familiarity with the firm’s data-privacy requirements.
- Congress’ President personally followed up on a regular basis with each employee to reinforce the importance of data security, and
- Congress reinforced these policies at office meetings.
Congress also posted colored signs near all of the computers emphasizing data security, and stating:
“DON’T: Discuss any policy coverage matters with anyone other than a named insured,” and
“DON’T: Ever use our Registry to access for any purpose other than processing our insurance work.”
However, what Congress failed to do was exercise its independent judgment as to the suitability of Ms. Burgos for continued data access, after Federal marshals had arrested her at Congress’s office. It simply accepted her word as to the reasons for her arrest and never verified from the publicly available Federal court docket that her explanation to them was most likely false. Likewise, even after the State Police visited Congress’ office, relating to the witness intimidation charge, Congress did not terminate Ms. Burgos until four months later.
In short, the lesson from the Congress case, unless reversed by the Supreme Judicial Court, is that the ongoing monitoring of the personal situation and the personal integrity of the employees an agency allows to have access to confidential data, will have equal, or greater importance, than how complete an agency’s data protection plan may be.