Can a public employer be held liable for negligence or for a section 1983 claim because the employer accidentally disclosed the names, addresses, telephone numbers, marital status and social security numbers of 1,750 former employees?  An Illinois appellate court doesn’t think so.

Cooney v. Chicago Public Schools was brought to my attention by the IAPP Daily Dashboard, which featured a blog post by the Information Law Group noting that this may be the first published decision to hold that no common law negligence claim exists against an employer for disclosure of personal information such as address, telephone number, date of birth and even social security numbers. Plaintiffs were 1,750 former employees of Chicago Public Schools, governed by the Board of Education of the City of Chicago. The Board retained a printing company to print, package and mail a COBRA open enrollment list to plaintiffs to inform them that, as COBRA participants, they could change their insured benefit plans. The package, however, ended up containing the names of all 1,750 plaintiffs, as well as each of their addresses, social security numbers, marital status, medical and dental insurers and health insurance plan information. When the Board learned of the disclosure of information, it sent a letter to the former employees asking them to return the COBRA list or destroy it and offered plaintiffs one year of free credit protection insurance.

Plaintiffs filed individual and class action lawsuits alleging various state and federal causes of action including: (1) violation of the common law right to privacy; (2) negligent infliction of emotional distress; (3) negligence; (4) breach of fiduciary duty; and (5) violation of their U.S. Constitutional rights vis-à-vis 42 U.S.C. section 1983.  The trial court granted, and the Illinois appellate court affirmed, the dismissal of plaintiffs’ claims against both the Board and the printing company. 

To state a common law cause of action for negligence or negligent infliction of emotional distress, the plaintiff must establish that the defendant owed a duty to the plaintiff, that the defendant breached that duty, that the plaintiff was damaged, and that the damage was proximately caused by the defendant’s breach. A violation of a statute designed to protect human life and property may be used as prima facie evidence of negligence.

There is no private cause of action for violation of HIPAA, meaning an employee cannot bring a cause of action for simply “violation of HIPAA” because it provides no private remedies. However, plaintiffs argued that the Board violated HIPAA and, therefore, breached a duty owed to plaintiffs. The Court disagreed, finding that HIPAA excludes from its protections “employment records held by a covered entity in its role as employer.” The Court held that names, addresses, telephone numbers, social security numbers and so forth held (and disclosed) by the Board were not within the protection of HIPAA. The Court further declined to find some new common law duty of the Board to safeguard the plaintiffs’ personal information simply by virtue of the information’s sensitive nature. For similar reasons, the Court declined to find there existed a cause of action for breach of fiduciary duty.

The Court next noted that, to establish municipal liability under section 1983 of Title 42 of the United States Code, the Plaintiffs had to allege that they were deprived of a Constitutionally protected right and that deprivation was caused by a municipal policy, custom or practice.  The Court, while scant on analysis, held that plaintiffs could not sustain a section 1983 violation based upon a violation of HIPAA.

The Court also addressed plaintiffs’ cause of action for invasion of privacy based on a theory of intrusion, which requires a showing of an unauthorized intrusion into seclusion that is highly offensive to a reasonable person, on a matter that is private, and that causes anguish and suffering to the plaintiff. The Court declined to find a cause of action here because there was a lack of authority defining social security numbers as “private,” and because things such as names and dates of birth are matters of public record and similarly are not “private.”

What is more curious are those claims the Court did not address, including plaintiffs’ cause of action for violation of their Fourth Amendment rights (which plaintiffs apparently abandoned) and their claim for violation of the Illinois constitutional right to privacy, which was dismissed by the trial court but not appealed by plaintiffs.

What does this mean to California public employers? First, California Government Code section 815.6 provides that, if a public entity is under a mandatory duty imposed by statute or regulation designed to protect against the risk of a particular kind of injury, the public entity is liable for an injury caused by its failure to discharge the duty unless it is shown it exercised reasonable diligence. If a plaintiff can establish that his or her current or former employer has a statutory duty not to disclose his or her name, address, telephone number, date of birth, or even social security number, there may be a negligence cause of action against a public employer unless it is shown the employer exercised reasonable diligence. HIPAA is probably not that statute, but there may be other California or federal statutes that may be interpreted as imposing that duty.

Second, unlike this Illinois appellate court, a California Court of Appeal recently held that names, addresses, and telephone numbers of employees are protected by the California Constitutional right to privacy because their disclosure necessarily threatens the sanctity of the home and the right to be free of intrusion. Thus, California public employers should be wary of, and protect against, inadvertent disclosure of personal information of current and former employees.