Suppose United States Marshals one day came into one of your agency’s offices and arrested the office manager for illegal possession of a firearm with the serial number removed. Would you wait and see what happens on the charge? Would you terminate the person? Would you stand by and do nothing?
This happened in the Cambridge office of Congress Auto Insurance Agency (“Congress”) in 2010. To Congress’ credit, it remained loyal to the employee. When the indictment was eventually dismissed the agency’s management must have felt that they had done the right thing for a trusted employee and the agency.
Unfortunately, within a couple of months of that indictment’s dismissal, the agency’s management may have began to reconsider that opinion and may have instead thought, “no good deed goes unpunished.” This change of heart came about because soon thereafter new criminal complaints brought against the same employee for conspiracy and witness intimidation ultimately would result in the agency becoming embroiled in a contentious lawsuit.
The Agency manager’s and her fiancé’s 2010 cross-country trip
Congress Auto Insurance Agency hired Betsy Burgos as a customer service representative in 2003 and promoted her to office manager in 2010. Congress received no complaints about Ms. Burgos’ reliability, honesty or professionalism in carrying out her duties, and found her job performance excellent.
In June 2010, Ms. Burgos and her fiancé, Daniel Thomas went on an extended cross-country vacation, traveling through Louisiana, Texas and California. On the return trip, they were stopped for driving 24 miles per hour over the posted speed limit in Iowa. The officer who stopped them smelled marijuana in the car, and observed a .45 caliber bullet in the back seat. Upon further inquiry, the police found two loaded handguns in Ms. Burgos’ pocketbook, a receipt for additional ammunition in Ms. Burgos’ address book, and a box and a half of ammunition. One of the handguns had a serial number removed. The other was stolen.
That September, indictments against Ms. Burgos and Mr. Thomas were returned by a federal grand jury for the Southern District of Iowa charging Ms. Burgos and Mr. Thomas with possessing a firearm with an obliterated serial number.
On October 21, 2010, while at work at Congress, the U.S. Marshal’s Service personnel arrested Ms. Burgos. She was held in custody until October 25, 2010, when a federal magistrate released her on $25,000 personal surety. Eventually, the United States Attorney for the Southern District of Iowa offered Ms. Burgos a pretrial diversion program. One factor in the U.S. Attorney’s decision may have been that the Alcohol, Tobacco and Firearms (ATF) agent on the case had the VHS tape recorded by the arresting officer enhanced by the ATF’s forensic laboratory. He subsequently testified that the enhanced audio, “…revealed that Mr. Thomas was giving Ms. Burgos information to ask her to take the ‘rap’ for the gun…”
Ms. Burgos apparently successfully completed the diversion program and on May 24, 2012, the U.S. Attorney entered, by leave of court, a dismissal of the indictment against Ms. Burgos.
Mr. Thomas, however, did not receive the same leniency. On December 8, 2010, U.S. Marshals found him living under an alias in East Boston and after a short chase and scuffle, arrested him. He was denied release by a Federal judge and remanded him to custody pending a trial. He remained in Federal custody until pleading guilty some seven months later. A Federal judge sentenced him to serve a year and a day, plus an additional two years of supervised release.
After completing his prison sentence, Mr. Thomas’ two-year supervised release was transferred to the Federal Probation Service in Boston.
State Police chase Ms. Burgos’ “stolen” car
Mr. Thomas was still on supervised release when at about 2:00 P.M. on Friday, July 13, 2012, a state police officer stationed on the Gilmore bridge in Charlestown clocked by radar a 2008 Mercedes CLS 550, owned by Ms. Burgos, traveling at over 60 miles an hour in a 30‑mile zone. When the state police officer attempted to flag the vehicle down, the vehicle accelerated. A chase ensued through Charlestown that ended with the Mercedes skidding to a stop on a side-street, after crashing into another vehicle and knocking down a street light.
The driver of Ms. Burgos’ vehicle ran from the scene, leaving keys in the ignition, the engine running, and loud music playing on the stereo. The Mercedes had damage to the front bumper and hood. A police search of the neighborhood could not find the missing driver.
Also at the scene, Mark Adams, a driver whose vehicle had been hit by Ms. Burgos’ vehicle approached the State Police about the hit-and-run property damage done to his BMW in the course of the car chase.
Quick investigation leads to initial charges of leaving the scene of an accident
While the driver could not be found, the police did find in the Mercedes a cell phone and a silver I.D. case with the initials “DBT” and a California ID for one “Daniel Bryan Thomas.” A check of the Criminal Offender Record Information CORI records showed that Mr. Thomas had a revoked license and was still on 24 months of supervised release for a Federal charge of possession of a firearm with an obliterated serial number.
The police called a number on the cell phone and reached Ms. Burgos. She advised that no one had authority to drive her Mercedes. But she also stated that Daniel Thomas was her fiancé and then she decided she would not provide any further information except that she hoped the police would catch the person who stole her car. Subsequently she reported the theft of her vehicle to her insurer, Safety Insurance (“Safety”).
On July 17, 2012, a warrant for Mr. Thomas’ arrest was issued from the Charlestown District Court for leaving the scene after causing property damage as well as driving on a revoked license. The police attempted to serve the warrant on the 18th at Mr. Thomas’ address, but he was not at home. They then advised his grandfather with whom Mr. Thomas was living to advise Mr. Thomas that there was an active warrant for his arrest.
Ms. Burgos using agency’s access to claim file leads to charges of witness intimidation
On July 24, 2012, Mark Adams, whose car had been damaged, gave a statement to Safety Insurance, the insurance company for Ms. Burgos’ Mercedes, giving his cell phone number, address and the information that “he can I.D. the driver of the car.” The person taking the statement then logged this information into Safety’s computer system.
On July 25, 2012, at about 4:00 p..m., Mr. Adams, who was listed as a witness to the leaving the scene of accident charge, received a call on his cell phone from a person claiming to be a State Police officer assisting in the investigation of the hit-and-run case involving his vehicle.
The purported police officer said to Mr. Adams, “You are Mark Adams” citing his date of birth and home address. He asked Mr. Adams, “If he were sure that he could identify the man because he was a very dangerous man and that there would be no offer to protect [him] Adams”. “Adams said that the man then said that Adams’ driving record wasn’t very good. . .” and “all I can tell you is this, this is a very dangerous man who has a lot of friends, fix your car and shut the f*** up and don’t get involved in anything else.”
Mr. Adams reported the threatening phone call to the State Police the same day. Based on the information the caller had given Mr. Adams, the State Police enlisted the National Insurance Crime Bureau to obtain the claim access records from Safety.
Safety’s records showed that on July 25, 2012, before Mr. Adams was threatened, Ms. Burgos had accessed the Safety Insurance computer records showing Mark Adams’ address and cell phone number and statement that Mr. Adams could identify the driver of the Mercedes.
Examination of the records from Safety also revealed that some erroneous information such as Mr. Adams’ vehicle was hit while parked was included. For example, it stated that Adams’ car was hit while parked instead of stating the actual fact that the car was hit while being driven by him, an erroneous fact that the person who threatened Mr. Adams tried to use in intimidating him.
As a result of the investigation into the attempt to intimidate Mr. Adams, on September 26, 2012, the State Police obtained both Mr. Thomas and Ms. Burgos were charged with conspiracy and with witness intimidation.
In December, 2012, Congress terminated Mr. Burgos’ employment.
Based on the new state charges against Mr. Thomas, the Federal Court in Boston revoked Mr. Thomas’ probation and ordered him imprisoned on January 13, 2013, for an additional four months.
Agency is sued because of Ms. Burgos’ accessing of confidential information to help her fiancé intimidate Mr. Adams
On April 16, 2013, Mark Adams sued the Congress Auto Insurance Agency in Middlesex Superior Court. Mr. Adams claimed that the threats from Mr. Thomas caused him and his family severe emotional distress. He alleged that Congress had legal liability for his emotional injuries because of the actions of Congress’ office manager, Ms. Burgos, in using Congress’ access to Safety’s claim records to assist Mr. Thomas in intimidating and threatening him.
Mr. Adams alleged, in particular that:
- Congress breached its duty to exercise reasonable care in hiring employees, when it hired Burgos, an employee whom it knew or should have known was unfit to have access to sensitive or confidential information. (Count I).
- Congress breached its duty to supervise employees who have access to sensitive information “by failing to properly supervise its employee, Ms. Burgos. (Count II).
- Congress breached its duty not to employ people who were unfit for their job responsibilities when it retained Ms. Burgos in a position in which she would have access to sensitive or confidential information, despite the fact that Congress knew or should have known that she was unfit for that responsibility. (Count III).
- Congress had a duty to keep the confidential personal information secure and protected, and to ensure that the confidential personal information is not misused, distributed, or made public and that Congress breached that duty because Ms. Burgos could access such information simply because she was a managing employee of Congress (Count IV); and,
- Congress breached the provisions of M.G.L. c. 93A, (Unfair and deceptive business practice statute) by its actions. (Count V).
The agency defended itself with motions to dismiss and motions for summary judgment against the original complaint and the subsequent attempt of Mr. Adams to amend his complaint.
The superior court judge ultimately ruled against Mr. Adams on all counts.
Initially, the Judge dismissed the first three counts under the expanded rules of pleading that now apply to complaints because, “Other than the single instance of Burgos accessing (and passing on to Thomas) the personal information that Adams disclosed to Safety, the Complaint is devoid of facts to support these claims.”
In dismissing these counts for lack of factual specificity, the Judge found that:
- The Complaint did not suggest any way in which Congress failed to supervise Burgos in particular,
- The Complaint did not suggest any action by Burgos before she accessed Adams’ information that hinted she had a specific need for training or additional supervision.
- The Complaint did not suggest what Congress knew or should have known over the course of Burgos’ employment that would have suggested that she was not fit to be retained as an employee.
The Judge initially retained the fourth Count for negligence. However, on summary judgment after discovery, the Judge found that there was no material facts in dispute and that Congress was entitled to judgment against Mr. Adams.
The Judge found that Ms. Burgos Federal charge was not material to Mr. Adams claim because Ms. Burgos was never convicted and the charge she faced was ultimately dismissed. More importantly, however, the nature of the gun charge, the details of which Congress knew, at least in part, did not legally lead to any conclusion that Ms. Burgos presented a risk to the agency of a data breach of the type that she perpetrated for her fiancé, Mr. Thomas.
Finally, the Judge made the apparently undisputed point that Burgos’ actions accessing Safety’s records on Adams and disclosing it to Thomas in furtherance of a conspiracy between Burgos and Thomas constituted an unauthorized and unlawful use of the Safety database. Burgos’ disclosure of information she learned about Adams to Thomas was not designed to serve Congress’ interests but her own. Since Burgos was acting for her own interests and not Congress’, accordingly, Congress could be not legally responsible for Burgos’ actions.
The agency’s case is not over, as Mr. Adams has filed an appeal to the Appeals Court. Since this case is one of first impression, Agency Checklists will monitor this appeal and report on any decision.
However, there are two takeaways that an agency should consider for protecting data records of insured and its own assets from successful suits by insureds whose records are wrongfully accessed.
- An important point that Mr. Adams alleged was that Ms. Burgos had access to the electronic systems of Congress “simply” because she was a managing employee of Congress and that therefore she was able to access and misuse the confidential information Adams gave to Safety. You may want to examine your agency’s data access policies and the extent to which employees can access sensitive materials relating to insureds.
- Document your data access policies. Another important point in the Congress decision was that Mr. Adams had not presented expert testimony as to what the “standard of care” for an independent insurance agency is in safeguarding confidential information. The next time a similar case arises the plaintiff will almost certainly correct that deficiency and have an expert reviewing the data policies of the target agency. If that defendant agency does not have a well-defined data policy the result could be quite different than in this case.
- As part of your documentation of data access policies, review your “WISP” or Written Information Security Plan, required under 93H. If you report a data breach it will be the first thing that the Attorney General will request. If you are sued by an insured or other person for a data breach, it will be the first thing that plaintiff’s counsel will request
- Consider what coverage, if any, you may have under your existing insurance policies for any types of claims that might relate to cyber liability claims involving wrongful access or dissemination of personal data. Consider what additional coverages may apply.
- Review any data access agreements with vendors or carriers to which your agency may be a party. Check carefully if there are any indemnity agreements and, if so, who indemnifies whom. If you have questions, consult with competent counsel.