Coca-Cola won big last month when it secured summary judgment in a privacy class action brought by a former bottling plant employee concerning compromised personal information. Hon. Joseph Leeson of the Eastern District of Pennsylvania found that Coca-Cola was not under any contractual obligation to protect its employees’ personal information.
The issues arose when an ill-motived former IT employee disposed of old Coca-Cola laptops that were still storing employee information, including addresses, phone numbers and SSNs. The proposed class action was brought on behalf of the 74,000 employees whose information was compromised.
The court rejected plaintiff’s arguments that a handful of company policies, when woven together, impose a contractual duty on Coca-Cola to safeguard information for the benefit of employees. Coca-Cola argued that its detailed security policies create obligations to safeguard Company information to support business operations, but not to shield employees personally. The judge agreed, ruling the relevant policy provisions serve to protect the company, not the employees.
Cited provisions came from Code of Conduct, the Protection Policy and the Acceptable Use Policy, and read, in part: “Computer hardware, software, and data must be safeguarded from damage, theft, fraudulent manipulation, and unauthorized access to and disclosure of Company information.” Another provision stated that “[w]e all have an obligation to safeguard Company assets including exercising care in using Company equipment, vehicles, and bringing to the attention of high management any waste, misuse, destruction, or theft of Company property or illegal activity.”
It is also noteworthy that, despite not being contractually obligated to protect employee information, Coca-Cola was responsible and proactive in response to the incident. Coca-Cola informed employees of the lost laptops and provided one year of free credit monitoring and fraud restoration services. Ironically, plaintiff claimed that Coca-Cola should compensate him for wages lost because of the time required to submit the necessary information to obtain the protection services. The court explicitly rejected this as well.
The case is Enslin v. The Coca-Cola Co., No. 2:14-cv-06476, in the U.S. District Court for the Eastern District of Pennsylvania.