Parkview Health Decision Highlights Vicarious Data Breach Liability Risk in the United States

A recent decision in Indiana highlights the data security liability risks facing employers based on the actions of their employees, extending vicarious liability even to cases where the employees were acting wholly for personal purposes. In SoderVick v. Parkview Health Sys., Inc., the Court of Appeals of Indiana reversed summary judgment in favor of the defendant, reviving claims of respondeat superior against Parkview Health Systems, Inc. (“Parkview”) where the hospital’s employee texted personal health information to a third party. No. 19A-CT-2671, 2020 WL 2503923 (Ind. Ct. App. May 15, 2020). We recently noted a decision of the Supreme Court of the United Kingdom in WM Morrison Supermarks plc v. Various Claimants (“Morrison”) where the Court made the contrary determination, ruling that the large supermarket chain Morrison could not be held vicariously liable as a matter of law for the intentional acts of a rogue employee who posted the payroll data of Morrison employees on the Internet. But as we also explained, businesses that collect personal information should be cautious about reading too much into that ruling: while the Court allowed the appeal in favor of Morrison, the decision turned on the particular facts of the case (where the rogue employee actively tried to damage his employer). The Parkview Health decision further underscores this need for caution, especially with increased remote work due to COVID-19 where the risk of employers being sued over security breaches caused by their employees is, unfortunately, ever-increasing.

Background

In Parkview Health, the plaintiff, Haley SoderVick, went to a Parkview campus for an appointment with her doctor. An employee of Parkview, Alexis Christian, registered SoderVick and accessed SoderVick’s health records in order to input personal information. Christian, however, also immediately texted SoderVick’s medical information to Christian’s husband as well as false information about SoderVick’s sexual partners. Christian claims that she had been motivated by suspicions about her husband’s infidelity based on SoderVick “liking” a picture of him on Facebook. SoderVick was informed about the disclosure and brought suit against Parkview claiming (1) vicarious liability under a theory of respondeat superior, (2) direct negligence for Parkview’s allegedly negligent training, supervision, and retention of Christian, and (3) violations of HIPAA. The trial court granted summary judgment in favor of Parkview on all three counts.

With respect to the issue of respondeat superior, the trial court held that Christian’s conduct fell outside the scope of employment. Under Indiana law, to fall within the scope of employment, the employee’s injurious act must either (1) “be incidental to the conduct authorized,” or (2) “to an appreciable extent, further the employer’s business.” Barnett v. Clark, 889 N.E.2d 281, 283 (Ind. 2008). The trial court stated that the evidence established that there was no legitimate business purpose to Christian’s accessing of the records.

The Court of Appeals of Indiana reversed on appeal, holding that a jury should ultimately determine whether Christian’s conduct fell within the scope of employment. The Court of Appeals rejected Parkview’s argument that the lack of a legitimate business purpose motivating Christian’s actions precluded a finding of vicarious liability, asserting that Christian’s subjective intent was only relevant to whether the accused conduct furthered the employer’s business. The Appeals Court also held that Christian’s conduct could still be within the scope of employment to the extent it was “incidental” to authorized conduct, notwithstanding her subjective intent in disclosing the information or the fact that her conduct was directly counter to Parkview’s rules and policies. In holding that the question of vicarious liability must be decided by the jury, the Court of Appeals highlighted the fact that Christian had assisted with the registration process for SoderVick, had sent the offending text while in the midst of performing job duties, and performed her actions at work using access granted by Parkview.

Practical Implications

Parkview Health highlights the risks employers face in connection with the privacy or data security violations of their employees. In many situations, employees must be authorized and are required to access sensitive personal information. If such an employee then mishandles that information, even for a purely personal purpose, Parkview Health raises the specter that the employer may need to litigate to trial the issue of whether the misconduct was “incidental” to what the employer had authorized. Other courts in the United States have, like Morrison, taken a more restrictive view when considering the scope of employment, letting cases proceed only in situations in which there was at least a partial intent to benefit the employer. See, e.g., McClain v. Citizens Bank N.A., 57 F. Supp. 3d 438, 443 (E.D. Pa. 2014) (dismissing vicarious liability claim over employee’s divulging personal information by way of what it characterized as “essentially gossip” that could not serve any conceivable business purpose). But data security breaches are often caused by employees who make mistakes or even intentionally break company policy when trying to do their jobs for the benefit of their employer.

Employers must also be wary of direct liability. Courts in data breach litigation have also in many cases sustained, for purposes of dismissal motions, claims that the company itself maintained legally inadequate security measures based on an employee’s acts, in situations where plaintiffs did not assert any claim for vicarious liability at all. See, e.g., McKenzie v. Allconnect, Inc., 369 F. Supp. 3d 810, 813 (E.D. Ky. 2019) (allowing negligence claims against Allconnect after “an unsuspecting employee of Defendant Allconnect, Inc., responded to a fraudulent phishing email, resulting in an unauthorized release of employee W-2 tax forms”).

These concerns are, unfortunately, only heightened by the abrupt move to remote work that many businesses have been forced to implement as a result of COVID-19. The physical bounds of the workplace, which once used to limit the reach of vicarious liability, now offer less protection to employers as the workplace expands to the world. See Restatement (Second) of Agency § 228(1)(b) (an employee’s conduct is within the scope of employment only if, among other things, “(b) it occurs substantially within the authorized time and space limits”). Employers have less control over how employees complete their work, and business demands might require potentially sensitive information to be accessed remotely. Employees are more likely to use personal computers or devices to access the employer’s network and access potentially sensitive information. And data security threats seeking to exploit mistakes by employees in the remote working context, such as phishing attempts, are on the rise. See, e.g., Jim Walter, Threat Intel | Cyber Attacks Leveraging the COVID-19/CoronaVirus Pandemic – SentinelLabs, (May 5, 2020); Scott Zamost & Jennifer Schlesinger, US Secret Service warns that coronavirus email scams are on the rise, CNBC (Apr. 2, 2020). Such employee mistakes can give rise to allegations both that the employer is vicariously liable for the mistake and that the employer itself took inadequate steps to prevent the mistake. While of course the employer is free to challenge the claims on the merits, doing so can be expensive, even if ultimately successful. Therefore, now, more than ever, it is worthwhile for companies to ensure that adequate data security policies are in place and to take technical and other measures to enforce compliance with those policies. We discuss a host of practical steps companies can take on this front here.

For more information, visit Orrick’s COVID-19 Resource Center or contact any member of Orrick’s Cyber, Privacy & Data Innovation team.