Coca-Cola Dodges Privacy Class Action

Coca-Cola won big last month when it secured summary judgment in a privacy class action brought by a former bottling plant employee concerning compromised personal information. Hon. Joseph Leeson of the Eastern District of Pennsylvania found that Coca-Cola was not under any contractual obligation to protect its employees’ personal information.

The issues arose when an ill-motived former IT employee disposed of old Coca-Cola laptops that were still storing employee information, including addresses, phone numbers and SSNs. The proposed class action was brought on behalf of the 74,000 employees whose information was compromised.

The court rejected plaintiff’s arguments that a handful of company policies, when woven together, impose a contractual duty on Coca-Cola to safeguard information for the benefit of employees. Coca-Cola argued that its detailed security policies create obligations to safeguard Company information to support business operations, but not to shield employees personally. The judge agreed, ruling the relevant policy provisions serve to protect the company, not the employees.

Cited provisions came from Code of Conduct, the Protection Policy and the Acceptable Use Policy, and read, in part: “Computer hardware, software, and data must be safeguarded from damage, theft, fraudulent manipulation, and unauthorized access to and disclosure of Company information.” Another provision stated that “[w]e all have an obligation to safeguard Company assets including exercising care in using Company equipment, vehicles, and bringing to the attention of high management any waste, misuse, destruction, or theft of Company property or illegal activity.”

It is also noteworthy that, despite not being contractually obligated to protect employee information, Coca-Cola was responsible and proactive in response to the incident. Coca-Cola informed employees of the lost laptops and provided one year of free credit monitoring and fraud restoration services. Ironically, plaintiff claimed that Coca-Cola should compensate him for wages lost because of the time required to submit the necessary information to obtain the protection services. The court explicitly rejected this as well.

The case is Enslin v. The Coca-Cola Co., No. 2:14-cv-06476, in the U.S. District Court for the Eastern District of Pennsylvania.

About The Authors

Matt has counseled clients on the evaluation of data privacy risks, responses and solutions, and he serves as a breach coach, providing analysis and advice to address data breach events, including forensics, notification pursuant to federal and state laws, credit monitoring, and public relations issues. In addition to breach response, Matt has counseled insurers on the underwriting of cyber/tech policies.

Tagged with: , , , , , ,
Posted in Data Breach, Data Security, Litigation, Privacy
About Cyber Law Monitor
In the new digital world, individuals and businesses are almost entirely dependent on computer technology and electronic communications to function on a daily basis. Although the power of modern technology is a source of opportunity and inspiration—it also poses huge challenges, from protecting privacy and securing proprietary data to adhering to fast-changing statutory and regulatory requirements. The Cyber Law Monitor blog covers privacy, data security, technology, and cyber space. It tracks major legal and policy developments and provides analysis of current events.
Subscribe For Updates

cyberlawmonitor

Cozen O’Connor Blogs