September 21, 2020

Volume X, Number 265

September 18, 2020

Subscribe to Latest Legal News and Analysis

$68 Million Verdict Is An Expensive Data Privacy Lesson For Counties And Other Governments

What You Need to Know

The failure of government employees to know what data must be kept private and to actually keep that data private can be costly as reflected by a recent $68 million verdict against a county government.

The case is a reminder that local and state governments are responsible for ensuring that their employees verify with legal counsel or a privacy officer whether certain data can be made public. The decision sends a message to counties and other governments to make sure sensitive data is handled properly.

As we shared earlier in the year, the Pennsylvania Supreme Court established in late 2018, in Dittman v. UPMC, that employers must exercise reasonable care to safeguard employee’s sensitive information. In May 2019, a Pennsylvania federal court decision, Taha v. Bucks County, highlighted the severe consequences of a county not keeping certain information private in accordance with statutory requirements.

What Happened

Two employees of Bucks County, Pennsylvania created a database of criminal records for online publication, including records where no conviction resulted. By including the information of individuals without convictions in their publicly available and searchable database, they relied on their own interpretation of state’s Criminal History Records Information Act. They also did not verify whether the information of non-convicted individuals was protected under the Act and unfortunately that information was protected. The court granted summary judgment against the county, finding that the information released in the database breached the data privacy of nearly 68,000 people. The jury awarded $1,000 in damages to each person.

The court reasoned that the employees negligently and recklessly disregarded the privacy interests of thousands of people by failing to verify appropriate information to include in the online database. The court disagreed with the county’s argument that the county employees simply did not know the law, emphasizing that ignorance is not a defense to a disclosure in violation of the act. 

Lessons Learned and Best Practices

The Pennsylvania case is another reminder to companies to:

  • Know your data: Know what sensitive data you have that should be kept confidential. The laws are in a constant state of change regarding what is considered “personal information.”

  • Have procedures: Update, or implement, information security policies and procedures for what data is considered sensitive, where it is stored, and how it must be protected.

  • Train personnel regularly: New employees should be trained on data security and privacy, and existing personnel need reminders.

  • Know who to call: Personnel handling sensitive data need to know who to call with questions on privacy and security, including if there is a data breach incident. The prime contact persons should be the privacy officer and the county’s legal counsel.

  • Consider insurance: Government entities should consider buying insurance coverage for cyber-related risks.

© 2020 BARNES & THORNBURG LLPNational Law Review, Volume IX, Number 189


About this Author

Jason Bernstein Data Security & Privacy Attorney

A co-chair of the firm’s Data Security and Privacy practice, Jason Bernstein is a business adviser who helps clients develop, manage, protect and leverage their IP assets and valuable data. By offering real depth in a multitude of disciplines and industries, Jason is appreciated for his proven business acumen and creative problem-solving ability.

Inventions, innovations and information, particularly information security and privacy matters, are at the core of Jason’s practice. With more than three decades of experience, Jason advises on strategic planning for and the protection of...

Todd Vare IP lawyer Barnes Thornburg

Todd G. Vare is a partner resident in the Indianapolis office of Barnes & Thornburg LLP. Mr. Vare represents clients in the protection and enforcement of intellectual property rights in trial and appellate courts around the country, and was listed in the 2012 edition of Best Lawyers in America.

Mr. Vare has litigated patent disputes covering a wide variety of technologies, including herbicides/pesticides, dielectric fluids, genetics, pharmaceuticals, medical devices, telecommunications, microprocessor and integrated circuit designs, software programs and processes, cellular antenna systems, and mechanical devices. Mr. Vare also represents clients in disputes involving trademarks, copyrights, trade secrets, software performance, software licenses, employee non-compete and non-disclosure agreements, and rights of publicity.

In addition to trial work, Mr. Vare argued before the United States Supreme Court in U.S. v. Santos, (opinion issued June 2, 2008) which resulted in a victory for his client involving the scope of the federal money laundering statute. Mr. Vare also has represented clients in appeals in the 7th Circuit, the Federal Circuit, the 11th Circuit, and the Indiana Court of Appeals.

Mr. Vare serves as co-chair of the Nanotechnology Group and Business and Technology Group of Barnes & Thornburg, and additionally is active in the firm’s Life Sciences Group. In these roles, Mr. Vare counsels clients on a variety of matters along the pathway of "concept to commercialization" in the life sciences and technology industries, including IP protection, computer and software protection, e-commerce processes, electronic signatures, Internet security, and other business technology matters.

Brian J. McGinnis, Barnes Thornburg Law Firm, Indianapolis, Intellectual Property Law Attorney

Brian J. McGinnis is an attorney with Barnes & Thornburg LLP where he is a member of the firm's Intellectual Property Department and the Internet and Technology and the Data Security and Privacy practice groups. He is resident in the firm’s Indianapolis office.

Brian's practice is focused at the intersection of the law and technology. He has developed a national practice advising clients ranging from multinational corporations to startups on the broad range of legal matters pertaining to technology, intellectual property protection and...