What You Need to Know

The failure of government employees to know what data must be kept private and to actually keep that data private can be costly as reflected by a recent $68 million verdict against a county government.

The case is a reminder that local and state governments are responsible for ensuring that their employees verify with legal counsel or a privacy officer whether certain data can be made public. The decision sends a message to counties and other governments to make sure sensitive data is handled properly.

As we shared earlier in the year, the Pennsylvania Supreme Court established in late 2018, in Dittman v. UPMC, that employers must exercise reasonable care to safeguard employee’s sensitive information. In May 2019, a Pennsylvania federal court decision, Taha v. Bucks County, highlighted the severe consequences of a county not keeping certain information private in accordance with statutory requirements.

What Happened

Two employees of Bucks County, Pennsylvania created a database of criminal records for online publication, including records where no conviction resulted. By including the information of individuals without convictions in their publicly available and searchable database, they relied on their own interpretation of state’s Criminal History Records Information Act. They also did not verify whether the information of non-convicted individuals was protected under the Act and unfortunately that information was protected. The court granted summary judgment against the county, finding that the information released in the database breached the data privacy of nearly 68,000 people. The jury awarded $1,000 in damages to each person.

The court reasoned that the employees negligently and recklessly disregarded the privacy interests of thousands of people by failing to verify appropriate information to include in the online database. The court disagreed with the county’s argument that the county employees simply did not know the law, emphasizing that ignorance is not a defense to a disclosure in violation of the act. 

Lessons Learned and Best Practices

The Pennsylvania case is another reminder to companies to:

• Know your data: Know what sensitive data you have that should be kept confidential. The laws are in a constant state of change regarding what is considered “personal information.”

• Have procedures: Update, or implement, information security policies and procedures for what data is considered sensitive, where it is stored, and how it must be protected.

• Train personnel regularly: New employees should be trained on data security and privacy, and existing personnel need reminders.

• Know who to call: Personnel handling sensitive data need to know who to call with questions on privacy and security, including if there is a data breach incident. The prime contact persons should be the privacy officer and the county’s legal counsel.

• Consider insurance: Government entities should consider buying insurance coverage for cyber-related risks.