Six years after Shane Enslin left his repairman job at a Coca-Cola distribution plant in Pennsylvania, the company told him that his Social Security number and other personal information might have fallen into the wrong hands. A few months later, a declined credit card upended his family vacation. Then came a third unfortunate surprise for Enslin: A federal judge in Pennsylvania ruled that Coca-Cola wasn’t obligated to safeguard his data, which Enslin believes identity thieves used to ring up thousands of dollars in unauthorized purchases.
“This is the company that protects the world’s greatest secret, the formula for Coke,” Donald Haviland, Enslin’s attorney, told Bloomberg Law. “And yet somehow they can’t stop some knucklehead from walking out the door with hundreds of laptops.”
Enslin is appealing the decision, arguing that Coca-Cola should be on the hook because a company tech worker stole computers with his information on them. A similar ruling, in which a state court said University of Pittsburgh Medical Center isn’t liable for a data hack in which fraudsters used UPMC worker information to file false tax returns, is also on appeal.
The Pennsylvania cases are among an increasing number of legal battles over workplace cybersecurity being waged in courtrooms across the country. When is a company liable for losing employee data, whether it’s because a worker steals computers, a human resources professional falls for a phishing scheme, or hackers break into a corporate network? The answer so far is that it depends on which court you’re in.
“It varies from jurisdiction to jurisdiction,” Aaron Wais, a Los Angeles attorney who represents companies in intellectual property and data security cases, told Bloomberg Law. “It basically comes down to each court’s interpretation of what an employer’s duty is to its employees to protect their personal information.”
Courts in New York and California in recent months have said businesses have some responsibility—under contract or negligence law—to protect workers’ personal information. But that’s before getting into other tricky issues like how to prove that fraudsters actually used the specific information obtained from the business and whether the threat of identity theft alone is enough to justify a lawsuit, even if no actual damage is done.
Data may be king, but collecting consumer and employee information also comes with plenty of risks. That’s why lawmakers in at least a couple of states and across the pond are beefing up requirements for fighting off hacks. But there’s still plenty of uncertainty about just what it is that companies should be doing.
Data Theft 101
Hacks come in all shapes and sizes, but many are not exactly the high-tech variety. Criminals often pose as company officials, government workers, or other trusted sources and simply ask people with access to information to share it for seemingly legitimate reasons, an approach called phishing.
“Attackers are only as advanced as they need to be,” Bob Dooling, a principal security engineer at cybersecurity firm Praetorian, told Bloomberg Law. “Something like nine out of 10 data breaches originate with phishing. You either get the data that way or you get someone’s password and use it to compromise the system.”
Enslin and some 74,000 other Coca-Cola workers had their personal information compromised the old-fashioned way: computer theft. Coca-Cola said it was able to retrieve many of the stolen laptops and offered all of the employees involved a year of free credit-monitoring and fraud restoration services. But the company balked when Enslin filed a class action.
“If companies are held accountable, they’re going to have to have in place a system to protect employee records,” Haviland said. “But the judge’s decision basically says you can have crimes committed on your watch and you’re not culpable.”
Coca-Cola declined to comment for this story. The company noted in court filings that many of the fraudulent purchases using Enslin’s credit card were canceled and that he was reimbursed for related expenses, with the exception of a $17 bank charge.
Enslin and his wife said they and their two children were ready to start a weeklong summer vacation when their card was declined, thanks to unauthorized activity. They had to scrap the trip, after a two-hour drive from their Pocono Mountains home to the Amish Community in Lancaster, Pa.
“It didn’t cost us money, but it was a humiliation, it was a drive out there,” Kim Enslin later told lawyers. “It’s more than just the monetary loss at this point.” And they still worry about future incidents, she said.
In New York, cybercriminals sent an email to a human resources worker at translation services company TransPerfect, posing as the company’s CEO. They tricked her into turning over TransPerfect employees’ names, addresses, birth dates, Social Security numbers, and bank account and routing numbers.
The California case included a similar phishing scheme at data storage firm Seagate Technology. This time, the phishers actually used the stolen information to file false tax returns.
“Watering hole” attacks are another common way thieves try to get data. The scammers purchase ad space on websites that intended targets are known to frequent, Dooling said. Those ads are infected with malware that opens up anyone who clicks on them to a possible hack. Similarly, hackers often set up free WiFi networks in coffee shops and public places, using those networks to access the computers of anyone who connects.
Head in Sand, Bad Idea
Companies should at the very least know what data they’re collecting and what they’re doing with them, William Berglund, a management attorney in Cleveland, told Bloomberg Law. That means doing risk assessments to identify vulnerabilities and coming up with a response plan that’s ready to go in the event of a breach.
“In today’s world where you know that there are threats out there—criminals and possibly nation states trying to get into your system, or maybe even employees—it’s just part of doing business to maintain reasonable security standards,” Berglund said.
Whether a business is legally obligated to take those kinds of steps is still unsettled territory.
The judge in the TransPerfect case said the company had a basic duty under negligence law to generally protect workers’ personal information. Judge Lorna Schofield also said the company’s pledge to use “robust procedures” to protect worker information in corporate handbooks may have created an implied contract between TransPerfect and its employees.
Judge Richard Seeborg came to a similar conclusion in the Seagate Technology case.
“It is difficult to imagine how, in our day and age of data and identity theft, the mandatory receipt of Social Security numbers or other sensitive personal information would not imply the recipient’s assent to protect the information sufficiently,” Seeborg said.
In Enslin’s case, Coca-Cola said in court filings that a code of conduct in which it pledged to “safeguard the confidentiality of employee records” by telling workers about the personal information it keeps and limiting who can access that information didn’t create a contractual obligation for Coca-Cola to actually ward off data breaches.
At least two states—Massachusetts and California—have laws on the books that force companies to protect customer, client, and employee information. A new law set to take effect in the European Union in May requires businesses to take “reasonable steps” to protect personal information and to report data breaches within 72 hours of learning of them.
Praetorian’s Dooling said the 20 Critical Security Controls, published by the Center for Internet Security, are often cited as a good starting point for protecting personal information and data security. The nonprofit’s list includes a wide range of security activities, from culling old user accounts to conducting vulnerability assessments and beefing up malware defenses.
If a Tree Falls in the Woods
The state and EU laws provide something of a baseline for businesses operating in covered jurisdictions. Still, workers and their employers will likely continue to turn to courts to sort out what’s reasonable. They’ll also need judges to decide what kinds of hacks justify a lawsuit.
“Just because there was a breach doesn’t mean the information was accessed or actually used by criminals,” Berglund told Bloomberg Law. “The courts are continuing to kick around the question of what’s the appropriate standard for considering injury.”
Although there was no evidence that cybercriminals used the information they stole from TransPerfect, the court said the specter of identity theft was enough to support the lawsuit. Workers whose information has been pilfered don’t need to “wait for their identities to be stolen before seeking legal recourse,” Schofield said.
But Schofield also noted that cyberthieves had actually sought out the information they stole from TransPerfect.
In Enslin’s case, it’s still not clear whether anyone accessed the personal information stored on the stolen laptops. Still, Enslin’s lawyer says he had to weather the storm of having his information up for grabs, spent hours trying to undo the damage, and still doesn’t know whether anyone is out there trying to steal his identity again. That’s why it makes sense, Haviland says, for Coca-Cola to be legally responsible.
“You’re never going to know who the hacker is,” Haviland said. “So you go after the company that should have some responsibility to prevent the hack.”