On April 27, 2017, the Supreme Judicial Court denied the application of Congress Auto Insurance Agency (“Congress” or “Congress Agency”) for further appellate review. Congress’ application asked Massachusetts’ highest appellate court to review and set aside a December 21, 2016 decision of the Appeals Court in the case of Mark Adams v. Congress Auto Insurance Agency.
Important decision for agency protection of personal information
The Appeals Court’s Congress decision extended the potential liability of all insurance agencies and insurance companies dealing with personal information. The decision found that disclosure liability could run not only to customers or insureds but also to third-party claimants: in Congress’ case, to a property damage claimant who had no other relationship with the agency.
The denial of Congress’ application for further appellate review affirms the Appeals Court’s decision as the law of Massachusetts. Agency Checklists has prepared this short summary of the Congress case’s ruling and its potential effect on the liability of Massachusetts insurance agencies and insurers.
Lawsuit for personal injury arising out of witness intimidation
The decision from the Appeals Court resulted from a Congress employee improperly using confidential information that she accessed through Congress’ computer access to an insurer’s claim information. The employee gave the confidential information, relating to a property damage claimant’s name and cell phone number, to her boyfriend. Her boyfriend then used that information to contact and intimidate a witness to his hit-and-run accident, Mark Adams. When Mr. Adams learned how the boyfriend had obtained his personal contact information, he sued Congress in a Superior Court action for his mental and physical distress arising out of the boyfriend’s threatening phone call. In his suit against Congress, he alleged the agency had legal responsibility for the Congress employee’s misuse of his confidential information.
A Superior Court judge dismissed Mr. Adams’s claims against Congress, and Mr. Adams appealed.
In reversing the Superior Court’s decision, the Appeals Court found that a jury could find Congress liable for damages allegedly suffered by Mr. Adams arising out of the agency’s employee accessing and improperly sharing confidential information from one of the agency’s insurance carrier’s computer systems.
Congress decision extends liability of insurance agencies and companies
The Appeals Court decision extended the liability of insurance agencies and carriers. Congress had argued successfully in Superior Court that the agency had no liability because, among other arguments:
- There was an intervening criminal act by the employee and her boyfriend in using the information accessed to threaten Mr. Adams.
- The information accessed did not fall within any of the statutory definitions of “personal information” but only related to Mr. Adams’s cell phone.
The Appeals Court, however, found that a reasonable jury could find that the actions of Congress under the circumstances amounted to negligence.
Court extends “personal information” protection beyond the statutory definitions
Insurance agencies, along with all other businesses in the Commonwealth, have statutory and regulatory duties to adequately safeguard the personal information of all Massachusetts residents. Congress acknowledged its duty to protect personal information, but argued to the Appeals Court that, in Mr. Adams’s case, it had no liability because no “personal information,” as defined by statute and regulations, had been accessed.
What Congress’ employee had accessed through Congress’ data access to an insurer was Mr. Adams’s name and cell phone number as they appeared on the insurer’s claim documents.
Congress submitted to the Appeals Court that Mr. Adams’s telephone number did not qualify as “personal information” since by statute, the term “personal information” means “a resident’s first name and last name or first initial and last name in combination with [either a] … (a) Social Security number; (b) driver’s license number…; or (c) financial account number, or credit or debit card number….”
Congress argued that the Appeals Court should not extend the duty to protect personal information beyond the statutory definition because “To impute to Congress a duty that ran to every person in Massachusetts, even those who had absolutely no relationship with Congress, would be to render the applicable regulations meaningless.” (Emphasis in original).
In rejecting this argument, however, the Appeals Court made the following points:
- “Here, the access to confidential personal information of the citizens of the Commonwealth and others inherent in [this employee’s] employment heightened the potential risk that she [posed] to third parties,”
- “Just as those with the physical keys to the homes of others have a duty of reasonable care to preserve their security, companies whose employees have access to the confidential data of others have a duty to take reasonable measures to protect against misuse of that data.”
The Congress decision substantially expands the liability of insurance agencies
The Appeals Court ruling on Congress’ appeal could substantially expand the liability of insurance agencies and insurers in allowing their employees to access confidential information relating to other insureds, claimants, or any other third persons found in insurance-related databases.
One of the material factors was the Appeals Court’s focus on the suitability of the employee whom the agency allowed to access confidential personal information. Congress’ employee was apparently highly regarded, and even promoted to office manager. However, she had scrapes with the criminal justice system that Congress did not further investigate.
In Congress’ case, the Appeals Court found a duty to investigate employees once evidence emerges of their possible unsuitability for access to confidential personal information.
- “…if the Congress Agency had investigated, it could have discovered facts that called into question [the employee’s] honesty and fitness for access to other people’s personal information.”
- “An investigation by the agency could have revealed that [the employee] was not forthright with [its owner], that at a minimum she had been involved with illegal firearms, and that she either concealed her own involvement or lied at her own peril to protect her boyfriend.”
Insurance agency has liability to “a large but clearly defined class of third parties”
In seeking to uphold the Superior Court decision in its favor, Congress also argued that there was no sufficient connection between Congress and Mr. Adams. Congress noted that Mr. Adams did not dispute that he was never a customer of Congress, never a consumer of any of Congress’ services, and had never had any communication with Congress. Therefore, Congress argued, it owed Mr. Adams no legal duty arising from its employee’s misuse of information relating to Mr. Adams that she had obtained through Congress’ link to one of Congress’ insurers’ claim information.
The Appeals Court disagreed and found:
“In the circumstances of this case, we conclude that the agency had a legal duty to Mr. Adams, a member of a large but clearly defined class of third parties, to prevent its employee’s foreseeable misuse of the information that Mr. Adams provided to process his automobile insurance claim.”
Agency takeaways from the Congress case
The fundamental takeaway in the Congress case is that insurance agencies must not only put in place adequate data protection rules, but they should monitor those employees with such access to personal data to determine their continued suitability to have such access.
The Congress Agency’s operations seemingly provided all the proper rules for data protection. The record in the case showed:
- Congress had a strict written policy prohibiting its agents from accessing or using information they obtained in the course of their work for personal or other inappropriate purposes.
- Congress required each employee to attend a training session on these policies, and to certify, in writing, their attendance and their familiarity with the firm’s data-privacy requirements.
- Congress’ President personally followed up on a regular basis with each employee to reinforce the importance of data security, and
- Congress reinforced these policies at office meetings.
Congress also posted colored signs near all of the computers emphasizing data security, and stating:
“DON’T: Discuss any policy coverage matters with anyone other than a named insured,” and
“DON’T: Ever use our Registry to access for any purpose other than processing our insurance work.”
However, what Congress failed to do was exercise its independent judgment as to the suitability of one employee’s continued data access after federal marshals had arrested her at Congress’ office. It simply accepted her word as to the reasons for her arrest and never verified from the publicly available federal court docket that her explanation to the agency was most likely false. Likewise, even after the state police visited Congress’ office in connection with the witness intimidation charge, Congress did not terminate Ms. Burgos until four months later.
In short, the guidance from the Congress case, now that the Supreme Judicial Court has refused to reconsider the decision, is that ongoing monitoring of the personal situation and personal integrity of the employees whom an agency or insurer allows to access confidential data will have equal or greater importance than the completeness of an agency’s written data protection plans.
Prior Agency Checklists’ articles on the Congress case
For more detailed information on the history of the Congress case and its effect and implications, see Agency Checklists’ articles of January 10, 2017, “Appeals Court Opens Up New Potential Liability For Mass. Insurance Agencies Dealing With Personal Information;” January 26, 2016, “MA Resident Producer Loses License For Conspiracy To Intimidate Witness;” and December 22, 2014, “Agency’s Loyalty To Employee Results In Lawsuit.”