March 4, 2021

Volume XI, Number 63


$68 Million Verdict Is An Expensive Data Privacy Lesson For Counties And Other Governments

What You Need to Know

The failure of government employees to know what data must be kept private, and to actually keep that data private, can be costly, as reflected by a recent $68 million verdict against a county government.

The case is a reminder that local and state governments are responsible for ensuring that their employees verify with legal counsel or a privacy officer whether certain data can be made public. The decision sends a message to counties and other governments to make sure sensitive data is handled properly.

As we shared earlier in the year, the Pennsylvania Supreme Court established in late 2018, in Dittman v. UPMC, that employers must exercise reasonable care to safeguard employees’ sensitive information. In May 2019, a Pennsylvania federal court decision, Taha v. Bucks County, highlighted the severe consequences of a county not keeping certain information private in accordance with statutory requirements.

What Happened

Two employees of Bucks County, Pennsylvania, created a database of criminal records for online publication, including records where no conviction resulted. In including the information of individuals without convictions in their publicly available and searchable database, they relied on their own interpretation of the state’s Criminal History Records Information Act. They also did not verify whether the information of non-convicted individuals was protected under the Act, and unfortunately, that information was protected. The court granted summary judgment against the county, finding that the information released in the database breached the data privacy of nearly 68,000 people. The jury awarded $1,000 in damages to each person.

The court reasoned that the employees negligently and recklessly disregarded the privacy interests of thousands of people by failing to verify what information was appropriate to include in the online database. The court disagreed with the county’s argument that the county employees simply did not know the law, emphasizing that ignorance is not a defense to a disclosure in violation of the Act.

Lessons Learned and Best Practices

The Pennsylvania case is another reminder to companies to:

  • Know your data: Know what sensitive data you have that should be kept confidential. The laws are in a constant state of change regarding what is considered “personal information.”

  • Have procedures: Update, or implement, information security policies and procedures for what data is considered sensitive, where it is stored, and how it must be protected.

  • Train personnel regularly: New employees should be trained on data security and privacy, and existing personnel need reminders.

  • Know who to call: Personnel handling sensitive data need to know who to call with questions on privacy and security, including if there is a data breach incident. The prime contact persons should be the privacy officer and the county’s legal counsel.

  • Consider insurance: Government entities should consider buying insurance coverage for cyber-related risks.

© 2020 BARNES & THORNBURG LLP

National Law Review, Volume IX, Number 189



About this Author

Jason Bernstein Data Security & Privacy Attorney

A co-chair of the firm’s Data Security and Privacy practice, Jason Bernstein is a business adviser who helps clients develop, manage, protect and leverage their IP assets and valuable data. By offering real depth in a multitude of disciplines and industries, Jason is appreciated for his proven business acumen and creative problem-solving ability.

Inventions, innovations and information, particularly information security and privacy matters, are at the core of Jason’s practice. With more than three decades of experience, Jason advises on strategic planning for and the protection of...

Todd Vare IP lawyer Barnes Thornburg

Todd G. Vare is a partner resident in the Indianapolis office of Barnes & Thornburg LLP. Mr. Vare represents clients in the protection and enforcement of intellectual property rights in trial and appellate courts around the country, and was listed in the 2012 edition of Best Lawyers in America.

Mr. Vare has litigated patent disputes covering a wide variety of technologies, including herbicides/pesticides, dielectric fluids, genetics, pharmaceuticals, medical devices, telecommunications, microprocessor and integrated circuit designs, software programs...

Brian J. McGinnis, Barnes Thornburg Law Firm, Indianapolis, Intellectual Property Law Attorney

Brian J. McGinnis is an attorney with Barnes & Thornburg LLP where he is a member of the firm's Intellectual Property Department and the Internet and Technology and the Data Security and Privacy practice groups. He is resident in the firm’s Indianapolis office.

Brian's practice is focused at the intersection of the law and technology. He has developed a national practice advising clients ranging from multinational corporations to startups on the broad range of legal matters pertaining to technology, intellectual property protection and...